Huawei AR1200 Series Enterprise Routers
V200R001C01
Configuration Guide - VPN
Issue 03
Date 2011-11-27
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2011. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website:
http://www.huawei.com
Email:
[email protected]
Issue 03 (2011-11-27)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
About This Document
Intended Audience
This document provides the basic concepts, configuration procedures, and configuration
examples in different application scenarios of the VPN supported by the AR1200 device.
This document describes how to configure the VPN.
This document is intended for:
- Data configuration engineers
- Commissioning engineers
- Network monitoring engineers
- System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol    Description
DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
TIP       Indicates a tip that may help you solve a problem or save time.
NOTE      Provides additional information to emphasize or supplement important points of the main text.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention          Description
Boldface            The keywords of a command line are in boldface.
Italic              Command arguments are in italics.
[ ]                 Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | ... }*    Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ... ]*    Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>              The parameter before the & sign can be repeated 1 to n times.
#                   A line starting with the # sign is a comment.
Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Change History
Changes between document issues are cumulative. Therefore, the latest document version
contains all updates made to previous versions.
Changes in Issue 03 (2011-11-27)
Based on issue 02 (2011-10-15), the document is updated as follows:
The following information is modified:
- 1.7.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec
Changes in Issue 02 (2011-10-15)
Based on issue 01 (2011-08-15), the document is updated as follows:
The following information is modified:
- 3.6.1 Example for Establishing an SA Manually
- 3.6.2 Example for Configuring IKE Negotiation
Changes in Issue 01 (2011-08-15)
Initial commercial release.
Contents
About This Document.....................................................................................................................ii
1 GRE Configuration.......................................................................................................................1
1.1 Introduction to GRE...........................................................................................................................................2
1.2 GRE Features Supported by the AR1200...........................................................................................................2
1.3 Configuring GRE................................................................................................................................................3
1.3.1 Establishing the Configuration Task.........................................................................................................3
1.3.2 Configuring a Tunnel Interface.................................................................................................................4
1.3.3 Configuring Routes for the Tunnel............................................................................................................5
1.3.4 (Optional) Configuring GRE Security Options.........................................................................................6
1.3.5 Checking the Configuration.......................................................................................................................7
1.4 Configuring a GRE Tunnel Between CE and PE...............................................................................................8
1.4.1 Establishing the Configuration Task.........................................................................................................8
1.4.2 Configuring the GRE Tunnel Interface on CE..........................................................................................9
1.4.3 Configuring the GRE Tunnel Interface on PE.........................................................................................10
1.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs on PE....................................................12
1.4.5 Checking the Configuration.....................................................................................................................12
1.5 Configuring the Keepalive Function................................................................................................................13
1.5.1 Establishing the Configuration Task.......................................................................................................14
1.5.2 Enabling the Keepalive Function............................................................................................................14
1.5.3 Checking the Configuration.....................................................................................................................15
1.6 Maintaining GRE..............................................................................................................................................16
1.6.1 Resetting the Statistics of a Tunnel Interface..........................................................................................16
1.6.2 Monitoring the Running Status of GRE..................................................................................................17
1.6.3 Debugging GRE......................................................................................................................................17
1.7 Configuration Examples...................................................................................................................................17
1.7.1 Example for Configuring a Static Route for GRE...................................................................................18
1.7.2 Example for Configuring a Dynamic Routing Protocol for GRE...........................................................22
1.7.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec........25
1.7.4 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network..................32
1.7.5 Example for Configuring the Keepalive Function for GRE....................................................................39
2 BGP MPLS IP VPN Configuration..........................................................................................42
2.1 Introduction to BGP/MPLS IP VPN................................................................................................................44
2.2 BGP/MPLS IP VPN Features Supported by the AR1200................................................................................45
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family.............................................................46
2.3.1 Establishing the Configuration Task.......................................................................................................46
2.3.2 Creating a VPN Instance.........................................................................................................................47
2.3.3 Configuring Attributes for the VPN Instance IPv4 Address Family.......................................................48
2.3.4 (Optional) Configuring MPLS Label Allocation Based on the VPN Instance IPv4 Address Family....................49
2.3.5 Checking the Configuration.....................................................................................................................50
2.4 Configuring Basic BGP/MPLS IP VPN...........................................................................................................51
2.4.1 Establishing the Configuration Task.......................................................................................................51
2.4.2 Configuring a VPN Instance....................................................................................................................53
2.4.3 Binding an Interface with a VPN Instance..............................................................................................53
2.4.4 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family.............................54
2.4.5 Configuring MP-IBGP Between PEs......................................................................................................55
2.4.6 Configuring a Routing Protocol Between a PE and a CE.......................................................................56
2.4.7 Checking the Configuration.....................................................................................................................65
2.5 Configuring Hub and Spoke.............................................................................................................................65
2.5.1 Establishing the Configuration Task.......................................................................................................65
2.5.2 Creating a VPN Instance.........................................................................................................................66
2.5.3 Configuring Route Attributes of the VPN Instance.................................................................................68
2.5.4 Binding an Interface with the VPN Instance...........................................................................................70
2.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE........................................................................70
2.5.6 Configuring Route Exchange Between PE and CE.................................................................................71
2.5.7 Checking the Configuration.....................................................................................................................73
2.6 Configuring Inter-AS VPN Option A...............................................................................................................73
2.6.1 Establishing the Configuration Task.......................................................................................................73
2.6.2 Establishing Inter-AS VPN Option A.....................................................................................................74
2.6.3 Checking the Configuration.....................................................................................................................75
2.7 Configuring Inter-AS VPN Option B...............................................................................................................76
2.7.1 Establishing the Configuration Task.......................................................................................................76
2.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS........................................................77
2.7.3 Configuring MP-EBGP Between ASBRs in Different ASs....................................................................78
2.7.4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies..............................79
2.7.5 (Optional) Storing Information About the VPN Instance on the ASBR.................................................80
2.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR...................................................82
2.7.7 Configuring the Routing Protocol Between CE and PE..........................................................................83
2.7.8 Checking the Configuration.....................................................................................................................83
2.8 Configuring Inter-AS VPN Option C...............................................................................................................84
2.8.1 Establishing the Configuration Task.......................................................................................................84
2.8.2 Enabling the Labeled IPv4 Route Exchange...........................................................................................85
2.8.3 Configuring a Routing Policy to Control Label Distribution..................................................................87
2.8.4 Establishing the MP-EBGP Peer Between PEs.......................................................................................88
2.8.5 Configuring the Route Exchange Between CE and PE...........................................................................90
2.8.6 Checking the Configuration.....................................................................................................................90
2.9 Configuring Inter-AS VPN Option C (Solution 2)...........................................................................................90
2.9.1 Establishing the Configuration Task.......................................................................................................91
2.9.2 Establishing the EBGP Peer Relationship Between ASBRs...................................................................92
2.9.3 Advertising the Routes of the PE in the Local AS to the Remote PE.....................................................93
2.9.4 Enabling the Capability of Exchanging Labeled IPv4 Routes................................................................94
2.9.5 Establishing an LDP LSP for the Labeled BGP Routes of the Public Network.....................................95
2.9.6 Establishing the MP-EBGP Peer Relationship Between PEs..................................................................96
2.9.7 Configuring the Route Exchange Between a CE and a PE.....................................................................97
2.9.8 Checking the Configuration.....................................................................................................................98
2.10 Configuring HoVPN.....................................................................................................................................100
2.10.1 Establishing the Configuration Task...................................................................................................100
2.10.2 Specifying UPE...................................................................................................................................100
2.10.3 Advertising Default Routes of a VPN Instance...................................................................................101
2.10.4 Checking the Configuration.................................................................................................................102
2.11 Configuring a Multi-VPN-Instance CE........................................................................................................102
2.11.1 Establishing the Configuration Task...................................................................................................102
2.11.2 Configuring the OSPF Multi-Instance on the PE................................................................................103
2.11.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE.......................................................104
2.11.4 Canceling the Loop Detection on the Multi-Instance CE....................................................................105
2.11.5 Checking the Configuration.................................................................................................................105
2.12 Connecting VPN and the Internet.................................................................................................................106
2.12.1 Establishing the Configuration Task...................................................................................................106
2.12.2 Configuring the Static Route on the CE..............................................................................................106
2.12.3 Configuring the Private Network Static Route on the PE...................................................................107
2.12.4 Configuring the Static Route to VPN on the Device of the Public Network......................................107
2.12.5 Checking the Configuration.................................................................................................................108
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer........................................................109
2.13.1 Establishing the Configuration Task...................................................................................................109
2.13.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR....................................110
2.13.3 Configuring the RR to Establish MP IBGP Connections with the Client PEs....................................110
2.13.4 Configuring Route Reflection for BGP IPv4 VPN routes...................................................................112
2.13.5 Checking the Configuration.................................................................................................................113
2.14 Configuring Route Reflection to Optimize the VPN Access Layer.............................................................113
2.14.1 Establishing the Configuration Task...................................................................................................113
2.14.2 Configuring All Client CEs to Establish IBGP Connections with the RR..........................................114
2.14.3 Configuring the RR to Establish MP IBGP Connections with All Client CEs...................................115
2.14.4 Configuring Route Reflection for the Routes of the BGP VPN Instance...........................................116
2.14.5 Checking the Configuration.................................................................................................................117
2.15 Maintaining BGP/MPLS IP VPN.................................................................................................................118
2.15.1 Viewing the Integrated Route Statistics of All IPv4 VPN Instances..................................................118
2.15.2 Displaying BGP/MPLS IP VPN Information......................................................................................118
2.15.3 Checking the Network Connectivity and Reachability.......................................................................119
2.15.4 Resetting BGP Statistics of a VPN Instance IPv4 Address Family....................................................120
2.15.5 Resetting BGP Connections................................................................................................................120
2.16 Configuration Examples...............................................................................................................................121
2.16.1 Example for Configuring BGP/MPLS IP VPN...................................................................................121
2.16.2 Example for Configuring the BGP AS Number Substitution..............................................................132
2.16.3 Example for Configuring Hub and Spoke...........................................................................................137
2.16.4 Example for Configuring Inter-AS VPN Option A.............................................................................146
2.16.5 Example for Configuring Inter-AS VPN Option B.............................................................................155
2.16.6 Example for Configuring Inter-AS VPN Option C.............................................................................161
2.16.7 Example for Configuring Inter-AS VPN Option C (Solution 2).........................................................168
2.16.8 Example for Configuring HoVPN.......................................................................................................180
2.16.9 Example for Configuring Multi-VPN-Instance CE.............................................................................187
2.16.10 Example for Connecting VPN and Internet.......................................................................................197
3 IPSec Configuration..................................................................................................................204
3.1 IPSec Overview..............................................................................................................................................205
3.2 IPSec Features Supported by the AR1200.....................................................................................................206
3.3 Establishing an IPSec Tunnel Manually.........................................................................................................207
3.3.1 Establishing the Configuration Task.....................................................................................................207
3.3.2 Defining Protected Data Flows..............................................................................................................208
3.3.3 Configuring an IPSec Proposal..............................................................................................................208
3.3.4 Configuring an IPSec Policy.................................................................................................................209
3.3.5 Applying an IPSec Policy to an Interface..............................................................................................211
3.3.6 Checking the Configuration...................................................................................................................211
3.4 Establishing an IPSec Tunnel Through IKE Negotiation...............................................................................212
3.4.1 Establishing the Configuration Task.....................................................................................................212
3.4.2 Defining Protected Data Flows..............................................................................................................213
3.4.3 Configuring an IKE Proposal................................................................................................................213
3.4.4 Configuring an IKE Peer.......................................................................................................................214
3.4.5 Configuring an IPSec Proposal..............................................................................................................216
3.4.6 Configuring an IPSec Policy.................................................................................................................217
3.4.7 (Optional) Configuring an IPSec Policy Template................................................................................218
3.4.8 (Optional) Setting Optional Parameters................................................................................................219
3.4.9 Applying an IPSec policy to an interface..............................................................................................220
3.4.10 Checking the Configuration.................................................................................................................221
3.5 Maintaining IPSec..........................................................................................................................................221
3.5.1 Displaying the IPSec Configuration......................................................................................................222
3.5.2 Clearing IPSec Information...................................................................................................................222
3.6 Configuration Examples.................................................................................................................................223
3.6.1 Example for Establishing an SA Manually...........................................................................................223
3.6.2 Example for Configuring IKE Negotiation...........................................................................................228
1 GRE Configuration
About This Chapter
Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer
protocols so that the encapsulated packets can be transmitted over the IPv4 network.
1.1 Introduction to GRE
The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol that needs to be
encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the
packet into a packet of another protocol, such as IP.
1.2 GRE Features Supported by the AR1200
GRE features supported by the AR1200 include the following: enlargement of the operation
scope of the network running a hop-limited protocol, and working in conjunction with the IP
Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.
1.3 Configuring GRE
You can configure GRE only after a GRE tunnel is configured.
1.4 Configuring a GRE Tunnel Between CE and PE
Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.
1.5 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select the GRE tunnel that
cannot reach the remote end, and data loss can be avoided.
1.6 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.
1.7 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This
section provides the networking requirements, configuration notes, and configuration roadmap
for each configuration example.
1.1 Introduction to GRE
The transmission of packets in a GRE tunnel involves two processes: encapsulation and
decapsulation. After receiving a packet of a certain network layer protocol that needs to be
encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the
packet into a packet of another protocol, such as IP.
GRE encapsulates the packets of certain network layer protocols. After encapsulation, these
packets can be transmitted over the network by another network layer protocol, such as IP.
GRE can serve as a Layer 3 tunneling protocol for VPNs. A tunnel is a virtual point-to-point
connection and can be regarded as a virtual interface that supports only point-to-point
connections. This interface provides a path to transmit encapsulated datagrams. GRE
encapsulates and decapsulates datagrams at both ends of the tunnel.
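The encapsulation and decapsulation described above, as an added Python example that is not part of the Huawei guide: it builds the GRE header of RFC 2784/2890 with the optional checksum and key fields, wraps a constructed multicast IPv4 packet in an outer IPv4 packet with protocol 47, and on the receiving end drops packets whose key does not match the key configured for the tunnel or whose checksum fails. Tunnel endpoint addresses, the key value and the sample payload are constructed for illustration.

```python
import ipaddress
import struct
from typing import Optional

# Constants from RFC 2784 / RFC 2890 (GRE) and the IPv4 protocol-number registry.
GRE_PROTOCOL = 47          # outer IPv4 "protocol" field for GRE
ETHERTYPE_IPV4 = 0x0800    # GRE "protocol type" for an encapsulated IPv4 packet
FLAG_CHECKSUM = 0x8000     # C bit: a checksum field follows the base header
FLAG_KEY = 0x2000          # K bit: a key field follows (the tunnel key)


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones' complement sum over data (odd length is padded with a zero byte)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Internet checksum: ones' complement of the ones' complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_gre_header(payload: bytes, key: Optional[int], with_checksum: bool) -> bytes:
    """GRE header: 4-byte base, optional checksum + Reserved1 (4 bytes), optional key (4 bytes)."""
    flags = (FLAG_CHECKSUM if with_checksum else 0) | (FLAG_KEY if key is not None else 0)
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if with_checksum:
        hdr += struct.pack("!HH", 0, 0)                 # checksum placeholder, Reserved1
    if key is not None:
        hdr += struct.pack("!I", key & 0xFFFFFFFF)
    if with_checksum:
        # The checksum covers the GRE header and the payload, with the checksum field zeroed.
        hdr = hdr[:4] + struct.pack("!H", checksum(hdr + payload)) + hdr[6:]
    return hdr


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str,
                    key: Optional[int] = None, with_checksum: bool = False) -> bytes:
    """Tunnel ingress: prepend a GRE header and an outer IPv4 header (protocol 47)."""
    gre = build_gre_header(inner, key, with_checksum)
    outer = build_ipv4_header(tunnel_src, tunnel_dst, GRE_PROTOCOL, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes, expected_key: Optional[int] = None) -> Optional[bytes]:
    """Tunnel egress: strip the outer IPv4 and GRE headers and return the inner packet.

    Returns None (drop) for malformed packets, checksum failures, and any packet whose
    key does not exactly match the key configured on this tunnel interface (a packet
    carrying no key is rejected when a key is configured, and vice versa).
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or packet[9] != GRE_PROTOCOL:
        return None
    if ones_complement_sum(packet[:ihl]) != 0xFFFF:     # outer header checksum must verify
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    if total_len > len(packet):
        return None
    gre = packet[ihl:total_len]
    if len(gre) < 4:
        return None
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != ETHERTYPE_IPV4 or flags & 0x0007:       # GRE version field must be 0
        return None
    offset = 4
    if flags & FLAG_CHECKSUM:
        if len(gre) < offset + 4 or ones_complement_sum(gre) != 0xFFFF:
            return None
        offset += 4
    key = None
    if flags & FLAG_KEY:
        if len(gre) < offset + 4:
            return None
        key = struct.unpack("!I", gre[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:                               # key mismatch: not from our tunnel peer
        return None
    return gre[offset:]


def build_inner_packet() -> bytes:
    """Constructed sample payload: a UDP datagram from 10.1.1.2 to multicast group 239.1.1.1."""
    data = b"constructed multicast sample"
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(data), 0) + data   # UDP checksum 0 = none
    return build_ipv4_header("10.1.1.2", "239.1.1.1", 17, len(udp)) + udp


if __name__ == "__main__":
    inner = build_inner_packet()
    pkt = gre_encapsulate(inner, "1.1.1.1", "2.2.2.2", key=0x1234, with_checksum=True)
    print("tunnel overhead:", len(pkt) - len(inner), "bytes")
    print("matching key ->", gre_decapsulate(pkt, 0x1234) == inner)
    print("wrong key    ->", gre_decapsulate(pkt, 0x4321))
```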
1.2 GRE Features Supported by the AR1200
GRE features supported by the AR1200 include the following: enlargement of the operation
scope of the network running a hop-limited protocol, and working in conjunction with the IP
Security Protocol (IPSec) to compensate for the IPSec flaw in multicast data protection.
Enlarging the Operation Scope of the Network Running a Hop-Limited Protocol
If the hop count between two terminals in Figure 1-1 is more than 15, the two terminals cannot
communicate with each other.
Figure 1-1 Networking diagram of enlarged network operation scope (figure not reproduced: two PCs at the ends, three IP networks between them, and a tunnel spanning the intermediate networks)
When the tunnel is used in the network, the hops inside the tunnel are hidden from the
hop-limited protocol. This enlarges the operation scope of the network.
Working in Combination with IPSec to Compensate for the IPSec Flaw in Multicast Data Protection
GRE can encapsulate multicast data and transmit it through the GRE tunnel, whereas IPSec can
provide encrypted protection only for unicast data.
Figure 1-2 Networking diagram of GRE-IPSec tunnel application (corporate intranet, GRE tunnel carried inside an IPSec tunnel across the Internet, remote office network)
As shown in Figure 1-2, to carry multicast data through the IPSec tunnel, establish a GRE tunnel and encapsulate the multicast data with GRE. The resulting GRE packets are unicast between the tunnel endpoints, so IPSec can encrypt them. In this way the multicast data crosses the IPSec tunnel in encrypted form.
1.3 Configuring GRE
GRE is configured on a tunnel interface, so a tunnel interface must exist before any of the GRE functions described below can be configured.
1.3.1 Establishing the Configuration Task
Before configuring a GRE tunnel, familiarize yourself with the applicable environment,
complete the pre-configuration tasks, and obtain the data required for the configuration.
Applicable Environment
To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the
tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are
deleted.
Pre-configuration Tasks
Before configuring an ordinary GRE tunnel, complete the following task:
• Configuring reachable routes between the source and destination interfaces
Data Preparation
To configure an ordinary GRE tunnel, you need the following data.
No.  Data
1    Number of the tunnel interface
2    Source address and destination address of the tunnel
3    IP address of the tunnel interface
4    Key of the tunnel interface
1.3.2 Configuring a Tunnel Interface
After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source
address or source interface, and set the tunnel destination address. In addition, set the tunnel
interface network address so that the tunnel can support dynamic routing protocols.
Context
Perform the following steps on the routers at the two ends of a tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol
{ gre | none }
The tunnel is encapsulated with GRE.
Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel is configured.
NOTE
• The virtual IP address of a VRRP backup group can be configured as the source address of the GRE tunnel.
• A bridge-if interface cannot be configured as the source interface of the GRE tunnel.
The source interface of a tunnel cannot be the tunnel interface itself, but it can be the interface of another tunnel.
Step 5 Run:
destination ip-address
The destination address of the tunnel is configured.
Step 6 (Optional) Run:
mtu mtu
The Maximum Transmission Unit (MTU) of the tunnel interface is modified.
The new MTU takes effect only after you run the shutdown command and the undo
shutdown command on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.
To support dynamic routing protocols on a tunnel, configure a network address for the tunnel interface. The network address of the tunnel interface need not be a public address, but the addresses at the two ends of the tunnel must be in the same network segment.
By default, no network address is set on a tunnel interface.
----End
1.3.3 Configuring Routes for the Tunnel
Routes for a tunnel must be available on both the source and destination devices so that packets
encapsulated with GRE can be forwarded correctly. A route passing through tunnel interfaces
can be a static route or a dynamic route.
Context
Perform the following steps on the devices at two ends of a tunnel.
NOTE
The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available
on both the source and destination routers.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.
• Run the ip route-static ip-address { mask | mask-length } tunnel interface-number [ description text ] command to configure a static route.
The static route must be configured on both ends of the tunnel. In this command, the destination address is neither the destination address of the tunnel nor the address of the remote tunnel interface, but the destination of the original packet before GRE encapsulation. The outbound interface must be the local tunnel interface.
• Configure dynamic routes using an IGP or BGP. The procedure is not described here; for the configuration of dynamic routes, see the AR1200 Configuration Guide - IP Routing.
When configuring a dynamic routing protocol, enable the protocol on both the tunnel interface and the interface connected to the private network. To ensure correct routing, the route to the physical or logical interface that is the tunnel destination must never have the tunnel interface as its next hop.
Use Router A in Figure 1-3 as an example. The source interface of Tunnel 0/0/1 is GE 1/0/0 on Router A, and its destination interface is GE 2/0/0 on Router C. If a dynamic routing protocol is used, the protocol must be configured on the tunnel interface and on the GE interface connected to the PC. Moreover, in the routing table of Router A, the outbound interface of the route to the network segment where GE 2/0/0 on Router C resides must not be Tunnel 0/0/1. If it were, every GRE packet bound for the tunnel destination would be routed back into the tunnel and encapsulated again (recursive routing), and the tunnel would go Down.
In practice, run the tunnel interface and the physical interface connected to the public network in different routing protocols, or in different processes of the same routing protocol, or raise the metric of the tunnel interface. Any of these measures prevents the tunnel interface from being selected as the outbound interface for packets destined for the tunnel destination, and also prevents the physical interface from forwarding user packets that should go through the tunnel.
Figure 1-3 Diagram of configuring the GRE dynamic routing protocol (PC1, GE2/0/0 and GE1/0/0 on RouterA, backbone, GE2/0/0 and GE1/0/0 on RouterC, PC2; GRE tunnel from Tunnel0/0/1 on RouterA to Tunnel0/0/2 on RouterC)
----End
1.3.4 (Optional) Configuring GRE Security Options
To reduce the chance of a tunnel interface accepting packets that were not meant for it, configure end-to-end checksum verification or a tunnel key. The checksum (RFC 2784) lets the receiver detect packets corrupted in transit, and the key (RFC 2890) is a 32-bit identifier that must match on both ends before a packet is accepted, so the interface does not decapsulate GRE packets from other devices or other tunnels by mistake.
Neither mechanism is cryptographic. The key is carried in cleartext in the GRE header and the checksum is a plain ones-complement sum, so anyone who can observe or inject packets on the path can reproduce both. Where confidentiality or protection against spoofing is required, carry the GRE tunnel inside IPSec as described in 1.2.
Context
Perform the following steps on the routers at two ends of a tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.
Step 3 Run:
gre checksum
End-to-end checksum authentication is configured for the tunnel.
By default, end-to-end checksum authentication is disabled.
Step 4 Run:
gre key key-number
The key is set for the tunnel interface.
If keys are set on the tunnel interfaces at the two ends of the tunnel, the key numbers must be identical: packets whose key does not match the local key are dropped. Alternatively, set no key on either end; a key configured on only one end also causes a mismatch.
By default, no key is configured for the tunnel.
NOTE
Step 3 and Step 4 can be performed in either order.
----End
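As an added example (not code from this guide), the following Python 3 script builds and parses GRE headers with the checksum and key fields that gre checksum and gre key switch on, per RFC 2784 and RFC 2890, and shows what the receiving interface does with them: a packet whose key differs from the configured one, or whose checksum fails, is dropped, while a packet sent without a checksum passes even when corrupted. It also reads the key straight back out of the raw bytes, which is the point to keep in mind when the key is treated as a security measure. The inner IPv4 packet, the key value 4001 and the corruption are constructed for the example; nothing here is device-specific.

```python
"""GRE header handling with the optional checksum (C bit) and key (K bit) fields,
per RFC 2784 and RFC 2890. Added example for this guide, not Huawei code; it deals
with the GRE header and payload only and leaves the outer delivery IP header to
the caller."""
import struct
from typing import Optional, Tuple

GRE_FLAG_C = 0x8000      # checksum (and Reserved1) present
GRE_FLAG_K = 0x2000      # key present
ETHERTYPE_IPV4 = 0x0800  # protocol type of an encapsulated IPv4 packet


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 for data that already carries
    a correct checksum in place."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encap(payload: bytes, protocol: int = ETHERTYPE_IPV4,
              key: Optional[int] = None, checksum: bool = False) -> bytes:
    """Encapsulation: prepend a GRE header. After the 4-byte base header the
    optional fields follow in the order Checksum, Reserved1, Key."""
    flags, optional = 0, b""
    if checksum:
        flags |= GRE_FLAG_C
        optional += struct.pack("!HH", 0, 0)  # checksum filled in below, Reserved1 = 0
    if key is not None:
        flags |= GRE_FLAG_K
        optional += struct.pack("!I", key & 0xFFFFFFFF)
    packet = struct.pack("!HH", flags, protocol) + optional + payload
    if checksum:
        # The checksum covers the whole GRE header and payload with the field zeroed.
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def gre_decap(packet: bytes, expected_key: Optional[int] = None) -> Tuple[int, bytes]:
    """Decapsulation as the receiving tunnel interface does it: a bad checksum, or a
    key that differs from the locally configured one (including a key present on
    only one side), means the packet is dropped, raised here as ValueError."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", packet[:4])
    offset = 4
    if flags & GRE_FLAG_C:
        if internet_checksum(packet) != 0:
            raise ValueError("checksum mismatch")
        offset += 4
    key = None
    if flags & GRE_FLAG_K:
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if key != expected_key:
        raise ValueError("key mismatch: packet carries %r, interface expects %r"
                         % (key, expected_key))
    return protocol, packet[offset:]


def is_accepted(packet: bytes, expected_key: Optional[int] = None) -> bool:
    """True if the packet would be handed to the tunnel interface's payload protocol."""
    try:
        gre_decap(packet, expected_key)
        return True
    except ValueError:
        return False


def key_in_clear(packet: bytes) -> Optional[int]:
    """The key travels unencrypted: any on-path observer reads it out of the header.
    It separates tunnels; it does not authenticate a peer."""
    flags = struct.unpack("!H", packet[:2])[0]
    if not flags & GRE_FLAG_K:
        return None
    offset = 8 if flags & GRE_FLAG_C else 4
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def corrupt(packet: bytes, index: int) -> bytes:
    """Flip one bit of the packet to imitate corruption in transit (constructed fault)."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


if __name__ == "__main__":
    # Constructed inner packet: a 20-byte IPv4 header (10.1.1.1 -> 10.2.1.1) plus one
    # payload byte, odd length on purpose so the checksum padding path is exercised.
    inner = bytes.fromhex("4500001500010000400100000a0101010a020101") + b"A"
    pkt = gre_encap(inner, key=4001, checksum=True)
    print("accepted with matching key :", is_accepted(pkt, 4001))                # True
    print("accepted with other key    :", is_accepted(pkt, 4002))                # False
    print("accepted after corruption  :", is_accepted(corrupt(pkt, 12), 4001))   # False
    print("key readable on the wire   :", key_in_clear(pkt))                     # 4001
```

Run it as a script to see the four results, or import it and call gre_encap and gre_decap on packets of your own. The decap side deliberately mirrors the guide's rule that a key must be set on both ends or on neither: a packet carrying a key is refused by an interface expecting none, and vice versa.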
1.3.5 Checking the Configuration
After a GRE tunnel is set up, you can view the running status and routing information about the
tunnel interface.
Context
The configurations of the GRE function are complete.
Procedure
• Run the display interface tunnel [ interface-number ] command to check tunnel interface information.
• Run the display ip routing-table command to check the IPv4 routing table.
• Run the ping -a source-ip-address host command to check whether the two ends of the tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command. If the tunnel interface is Up, the configuration
succeeds. For example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --
Run the display ip routing-table command. If the route passing through the tunnel interface
exists in the routing table, the configuration succeeds. For example:
[Huawei] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.1.1.0/24         Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      D     127.0.0.1       InLoopBack0
10.2.1.0/24         Static  60   0      D     40.1.1.1        Tunnel0/0/2
20.1.1.1/32         Direct  0    0      D     127.0.0.1       InLoopBack0
40.1.1.0/24         Direct  0    0      D     40.1.1.1        Tunnel0/0/2
40.1.1.1/32         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0      D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0      D     127.0.0.1       InLoopBack0
Run the ping -a source-ip-address host command to see that the ping from the local tunnel interface to the remote tunnel interface succeeds.
<Huawei> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
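The checks above can be automated. The following added example (Python 3, not Huawei code) parses display interface tunnel and display ip routing-table output in the formats shown in this section, looks up the tunnel destination with a longest-prefix match, and reports the recursive-routing condition of 1.3.3 (the route to the tunnel destination leaving through the tunnel itself) as well as tunnels that are Up with keepalive, key or checksum switched off. The two command outputs, the addresses (taken from Figure 1-5) and the finding texts are constructed for the example; on a real device, feed it the captured output of the two commands.

```python
"""Post-configuration checks on 'display interface tunnel' and 'display ip routing-table'
output: the interface must be Up, the route to the tunnel destination must not leave
through the tunnel itself (recursive routing, section 1.3.3), and the optional
protections should be on. Added example, not Huawei code; sample outputs constructed."""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed 'display interface tunnel' output for Router A of Figure 1-5.
TUNNEL_SAMPLE = """\
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Internet Address is 40.1.1.1/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 20.1.1.1 (GigabitEthernet1/0/0), destination 30.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
"""
# Constructed routing-table rows in the guide's column order (header rows are ignored).
ROUTES_GOOD = """\
Destination/Mask    Proto   Pre  Cost   Flags NextHop         Interface
10.1.1.0/24         Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
10.2.1.0/24         Static  60   0      D     40.1.1.1        Tunnel0/0/1
20.1.1.0/24         Direct  0    0      D     20.1.1.1        GigabitEthernet1/0/0
30.1.1.0/24         OSPF    10   2      D     20.1.1.2        GigabitEthernet1/0/0
40.1.1.0/24         Direct  0    0      D     40.1.1.1        Tunnel0/0/1
"""
# Same table after OSPF running on the tunnel has learned the segment of the tunnel
# destination (30.1.1.0/24) through the tunnel itself: the failure 1.3.3 warns about.
ROUTES_RECURSIVE = """\
10.1.1.0/24         Direct  0    0      D     10.1.1.2        GigabitEthernet2/0/0
10.2.1.0/24         Static  60   0      D     40.1.1.1        Tunnel0/0/1
20.1.1.0/24         Direct  0    0      D     20.1.1.1        GigabitEthernet1/0/0
30.1.1.0/24         OSPF    10   1      D     40.1.1.2        Tunnel0/0/1
40.1.1.0/24         Direct  0    0      D     40.1.1.1        Tunnel0/0/1
"""
ROUTE_RE = re.compile(r"^\s*(\S+/\d+)\s+(\S+)\s+\d+\s+\d+\s+\S+\s+(\S+)\s+(\S+)\s*$")


def _field(pattern: str, text: str) -> Optional[str]:
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None


def parse_tunnel(text: str) -> Dict[str, Optional[str]]:
    """Fields the checks need; each option prints 'disabled' when it is off."""
    return {
        "name": _field(r"^(Tunnel\S+) current state", text),
        "state": _field(r"^Tunnel\S+ current state : (\w+)", text),
        "line_protocol": _field(r"^Line protocol current state : (\w+)", text),
        "source": _field(r"^Tunnel source (\S+)", text),
        "destination": _field(r"^Tunnel source .*, destination (\S+)", text),
        "key": "disabled" if re.search(r"\bkey disabled\b", text) else "enabled",
        "keepalive": "disabled" if re.search(r"^keepalive disabled", text, re.M) else "enabled",
        "checksum": "disabled" if re.search(r"^Checksumming of packets disabled", text, re.M)
        else "enabled",
    }


def parse_routes(text: str) -> List[dict]:
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"prefix": ipaddress.ip_network(m.group(1), strict=False),
                           "proto": m.group(2), "nexthop": m.group(3), "interface": m.group(4)})
    return routes


def lookup(routes: List[dict], address: str) -> Optional[dict]:
    """Longest-prefix match, the lookup the router performs on the encapsulated packet."""
    ip = ipaddress.ip_address(address)
    hits = [r for r in routes if ip in r["prefix"]]
    return max(hits, key=lambda r: r["prefix"].prefixlen) if hits else None


def audit(tunnel: Dict[str, Optional[str]], routes: List[dict]) -> List[str]:
    """One finding per problem; an empty list means the tunnel passes every check."""
    findings = []
    if tunnel["state"] != "UP" or tunnel["line_protocol"] != "UP":
        findings.append("%s is not Up (state %s, line protocol %s)"
                        % (tunnel["name"], tunnel["state"], tunnel["line_protocol"]))
    route = lookup(routes, tunnel["destination"]) if tunnel["destination"] else None
    if route is None:
        findings.append("no route to tunnel destination %s" % tunnel["destination"])
    elif route["interface"] == tunnel["name"]:
        findings.append("recursive routing: destination %s is reached via %s, so each GRE packet "
                        "would be encapsulated again; use a separate routing process or raise "
                        "the tunnel metric" % (tunnel["destination"], route["interface"]))
    if tunnel["keepalive"] == "disabled":
        findings.append("keepalive disabled: the interface stays Up when the peer is unreachable")
    if tunnel["key"] == "disabled":
        findings.append("gre key disabled: packets are matched on outer addresses alone")
    if tunnel["checksum"] == "disabled":
        findings.append("gre checksum disabled: payload corruption in transit is not detected")
    return findings


if __name__ == "__main__":
    tunnel = parse_tunnel(TUNNEL_SAMPLE)
    for label, table in (("correct", ROUTES_GOOD), ("recursive", ROUTES_RECURSIVE)):
        print("== %s routing table ==" % label)
        for finding in audit(tunnel, parse_routes(table)) or ["no findings"]:
            print(" -", finding)
```

With the correct table the script reports only the three disabled options; with the second table it also flags that 30.1.1.2 is reached through Tunnel0/0/1, which is exactly the state 1.3.3 tells you to avoid by using separate routing processes or a higher tunnel metric.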
1.4 Configuring a GRE Tunnel Between CE and PE
Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network
through the GRE tunnel.
1.4.1 Establishing the Configuration Task
Before configuring a GRE tunnel between a CE and a PE, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
To allow users of the CE that is not directly connected with a PE to access the Multi-Protocol
Label Switching (MPLS) VPN, configure a GRE tunnel, create routes between them, and
configure MPLS VPN on the PE.
A GRE tunnel needs to be created between a CE and a PE in the following two cases:
• The CE interconnects with the PE through the public network.
• The CE interconnects with the PE through the VPN of a second carrier.
Pre-configuration Tasks
Before configuring a GRE tunnel between a CE and a PE, complete the following tasks:
• Assigning IP addresses to interfaces on the CE and PE
• Configuring the routes between the CE and PE
• Configuring the VPN that carries the GRE tunnel between the CE and PE, if the tunnel traverses such a VPN
Data Preparation
To configure a GRE tunnel between a CE and a PE, you need the following data.
No.  Data
1    Number of the GRE tunnel interface on the CE
2    Source address or source interface, and destination address, of the GRE tunnel interface on the CE
3    Number of the GRE tunnel interface on the PE
4    Source address or source interface, and destination address, of the GRE tunnel interface on the PE
5    Name of the VPN that carries the GRE tunnel between the CE and PE, if the tunnel traverses such a VPN
1.4.2 Configuring the GRE Tunnel Interface on CE
After creating a tunnel interface on a CE, specify GRE as the encapsulation type, set the tunnel
source address or source interface, and set the tunnel destination address. The source address of
the tunnel specified on the CE is the destination address of the tunnel specified on the PE. The
destination address of the tunnel specified on the CE is the source address of the tunnel specified
on the PE.
Context
Perform the following steps on the CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.
Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel interface is configured.
NOTE
• The virtual IP address of a VRRP backup group can be configured as the source address of the GRE tunnel.
• A bridge-if interface cannot be configured as the source interface of the GRE tunnel.
The source interface of a tunnel cannot be the tunnel interface itself, but it can be the interface of another tunnel.
The source address of the tunnel specified on the CE is identical with the destination address of
the tunnel specified on the PE. The destination address of the tunnel specified on the CE is
identical with the source address of the tunnel specified on the PE.
Step 5 Run:
destination ip-address
The destination address of the tunnel interface is configured.
Step 6 (Optional) Run:
mtu mtu
The interface MTU can be modified. The new MTU takes effect only after you run the
shutdown and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.
----End
1.4.3 Configuring the GRE Tunnel Interface on PE
After creating a tunnel interface on a PE, specify GRE as the encapsulation type, set the tunnel source address or source interface, and set the tunnel destination address. The source address of the tunnel specified on the PE is the destination address of the tunnel specified on the CE. The destination address of the tunnel specified on the PE is the source address of the tunnel specified on the CE.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
A tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated as a GRE tunnel.
Step 4 Run:
source { source-ip-address | interface-type interface-number }
The source address or source interface of the tunnel interface is configured.
NOTE
• The virtual IP address of a VRRP backup group can be configured as the source address of the GRE tunnel.
• A bridge-if interface cannot be configured as the source interface of the GRE tunnel.
The source interface of a tunnel cannot be the tunnel interface itself, but it can be the interface of another tunnel.
The source address of the tunnel specified on the PE is identical with the destination address of
the tunnel specified on the CE. The destination address of the tunnel specified on the PE is
identical with the source address of the tunnel specified on the CE.
Step 5 Run:
destination ip-address
The destination address of the tunnel interface is configured.
Step 6 (Optional) Run:
mtu mtu
The interface MTU is modified. The new MTU takes effect only after you run the shutdown
and the undo shutdown commands in succession on the interface.
Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.
----End
1.4.4 Binding the GRE Tunnel on the PE to the VPN to Which the CE Belongs
Bind the tunnel interface on the PE that connects the CE to a VPN instance. Then, the tunnel
interface becomes a VPN interface. The packets sent from the VPN interface are forwarded
based on forwarding information in the VPN instance.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface is created and the tunnel interface view is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
Bind the GRE tunnel with the VPN instance.
NOTE
Running the ip binding vpn-instance command on a tunnel interface deletes the Layer 3 attributes of the interface, such as its IP address and routing protocol configuration. If these attributes are still required, configure them again after binding.
A tunnel interface cannot be bound to a VPN instance that has no address family enabled. Disabling a VPN instance address family deletes the Layer 3 attributes, such as the IP address and routing protocol, of the tunnel interfaces bound to that VPN instance. Disabling all address families of a VPN instance unbinds all tunnel interfaces from it.
Step 4 Choose one of the following commands to configure the IP address of the tunnel interface.
• Run the ip address ip-address { mask | mask-length } [ sub ] command to assign an IP address to the tunnel interface.
• Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.
----End
1.4.5 Checking the Configuration
After a GRE tunnel is set up between a CE and a PE, you can view routes to a specified VPN.
Prerequisite
The GRE tunnel between the CE and the PE is fully configured.
Procedure
• Run the display interface tunnel [ interface-number ] command to check the working mode of the tunnel interface.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE.
• Run the ping -a source-ip-address host command to check whether the two ends of the tunnel can successfully ping each other.
----End
Example
Run the display interface tunnel command on two ends of the tunnel. If the tunnel interface is
Up, the configuration is successful. Take the display on the PE as an example:
<Huawei> display interface Tunnel 0/0/1
Tunnel0/0/1 current state : UP
Line protocol current state : UP
Last line protocol up time : 2008-03-03 10:51:44
Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
Route Port,The Maximum Transmit Unit is 1500
Internet Address is 5.5.5.2/24
Encapsulation is TUNNEL, loopback not set
Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
Tunnel protocol/transport GRE/IP, key disabled
keepalive disabled
Checksumming of packets disabled
Current system time: 2008-03-04 19:17:30
300 seconds input rate 0 bits/sec, 0 packets/sec
300 seconds output rate 0 bits/sec, 0 packets/sec
0 seconds input rate 0 bits/sec, 0 packets/sec
0 seconds output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes
0 input error
0 packets output, 0 bytes
0 output error
Input:
Unicast: 0 packets, Multicast: 0 packets
Output:
Unicast: 0 packets, Multicast: 0 packets
Input bandwidth utilization : --
Output bandwidth utilization : --
1.5 Configuring the Keepalive Function
Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel
Keepalive function. With this function enabled, the VPN does not select the GRE tunnel that
cannot reach the remote end, and data loss can be avoided.
1.5.1 Establishing the Configuration Task
Before configuring the GRE tunnel Keepalive function, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Application Environment
The Keepalive function can be configured on one end of a GRE tunnel to test the tunnel status. If the remote end is found to be unreachable, the local tunnel interface is set Down promptly, so that routes through the tunnel are withdrawn and traffic is not sent into a data black hole.
Figure 1-4 GRE tunnel supporting Keepalive (RouterA as source, GRE tunnel across the Internet, RouterB as destination)
Pre-configuration Tasks
Before configuring the Keepalive function, complete the following tasks:
• Configuring the link layer attributes of the interfaces
• Assigning IP addresses to the interfaces
• Establishing the GRE tunnel and keeping the tunnel Up
Data Preparation
To configure the Keepalive function, you need the following data.
No.  Data
1    Interval for sending Keepalive messages
2    Retry times of the unreachable timer
1.5.2 Enabling the Keepalive Function
The GRE tunnel Keepalive function is unidirectional. To implement the Keepalive function on
both ends, enable the Keepalive function on both ends of a GRE tunnel.
Context
Perform the following steps on the router that requires the Keepalive function.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.
Step 3 Run:
tunnel-protocol gre
The tunnel is encapsulated with GRE.
Step 4 Run:
keepalive [ period period [ retry-times retry-times ] ]
The Keepalive function is enabled.
The GRE tunnel Keepalive function is unidirectional: it detects only whether the remote end is reachable from the end on which it is enabled. One end can be configured with the Keepalive function regardless of whether the remote end has it enabled, but it is recommended to enable the Keepalive function on both ends of the GRE tunnel so that each end detects the failure of the other.
TIP
Before configuring the tunnel policy and the GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss is avoided. The reasons for enabling the Keepalive function are as follows:
• If the Keepalive function is not enabled, the local tunnel interface may stay Up regardless of whether data reaches the remote end, because a tunnel interface has no link-layer signal of its own.
• If the Keepalive function is enabled on the local end, the local tunnel interface is set Down when the remote end is unreachable. As a result, the VPN does not select the unreachable GRE tunnel and data is not lost.
----End
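The following added example (Python 3, not Huawei code) models why the function is unidirectional and how the period and retry-times parameters decide when the interface goes Down. A keepalive is a GRE packet to the peer whose payload is a second IP/GRE packet, with protocol type 0 and no payload, addressed from the peer back to the sender; the peer merely decapsulates and forwards it like any other GRE packet, so the response needs no Keepalive support on the remote end. That the AR1200 uses exactly this layout, the default period of 5 seconds and retry count of 3, and the rule that more than retry-times consecutive unanswered keepalives sets the interface Down are assumptions of this example, to be checked against the command reference; the addresses are those of Figure 1-5.

```python
"""GRE Keepalive on the wire and the unreachable timer that drives the tunnel
interface state. Added example, not Huawei code. Assumed: the inner IP/GRE
packet layout, the defaults period=5 and retry_times=3, and the Down rule in
KeepaliveMonitor.tick(). IP header checksums are left at zero (not validated)."""
import socket
import struct
from typing import Tuple

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def ipv4_header(src: str, dst: str, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header for a GRE packet (no options, checksum zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       IPPROTO_GRE, 0, socket.inet_aton(src), socket.inet_aton(dst))


def addresses(packet: bytes) -> Tuple[str, str]:
    """(source, destination) of an IPv4 packet."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def build_keepalive(local: str, peer: str) -> bytes:
    """Keepalive sent by the local end: outer IP/GRE to the peer carrying an inner
    IP/GRE packet, protocol type 0 and no payload, addressed from the peer back to us."""
    inner = ipv4_header(peer, local, 4) + struct.pack("!HH", 0, 0)
    return (ipv4_header(local, peer, 4 + len(inner))
            + struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)


def peer_forward(packet: bytes) -> bytes:
    """What the remote endpoint does with any GRE packet, Keepalive configured there or
    not: strip the outer IP and GRE headers and forward the inner packet towards its
    destination, which sends the keepalive straight back to the sender."""
    ihl = (packet[0] & 0x0F) * 4
    return packet[ihl + 4:]


def is_keepalive_response(packet: bytes, local: str) -> bool:
    """Recognise our own keepalive coming back: GRE to our address, protocol type 0."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE or addresses(packet)[1] != local or len(packet) < ihl + 4:
        return False
    return struct.unpack("!HH", packet[ihl:ihl + 4])[1] == 0


class KeepaliveMonitor:
    """Unreachable timer of the local end. tick() is called once per period and sends a
    keepalive; after more than retry_times consecutive unanswered keepalives the tunnel
    interface is set Down, and any response sets it Up again (assumed semantics)."""

    def __init__(self, local: str, peer: str, period: int = 5, retry_times: int = 3):
        self.local, self.peer = local, peer
        self.period, self.retry_times = period, retry_times
        self.unanswered = 0
        self.state = "UP"
        self.sent = self.received = 0

    def tick(self) -> bytes:
        self.sent += 1
        self.unanswered += 1
        if self.unanswered > self.retry_times:
            self.state = "DOWN"  # routes through the tunnel are withdrawn: no black hole
        return build_keepalive(self.local, self.peer)

    def receive(self, packet: bytes) -> bool:
        if not is_keepalive_response(packet, self.local):
            return False
        self.received += 1
        self.unanswered = 0
        self.state = "UP"
        return True

    def detection_time(self) -> int:
        """Worst-case seconds from loss of the peer to the interface going Down."""
        return self.period * (self.retry_times + 1)

    def counters(self) -> str:
        """Same shape as the first line of 'display keepalive packets count'."""
        return ("Send %d keepalive packets to peers, Receive %d keepalive response packets "
                "from peers" % (self.sent, self.received))


if __name__ == "__main__":
    # Router A (20.1.1.1) monitors Router C (30.1.1.2); Router C has no Keepalive configured.
    mon = KeepaliveMonitor("20.1.1.1", "30.1.1.2")
    mon.receive(peer_forward(mon.tick()))   # peer reachable: the keepalive is answered
    for _ in range(4):                      # peer gone: four periods without a response
        mon.tick()
    print(mon.state, "-", mon.counters())   # DOWN - Send 5 ... Receive 1 ...
```

Because the response is simply the decapsulated inner packet, the counters on an end without Keepalive stay at zero in the second line of display keepalive packets count while the first line on the monitoring end keeps counting, which matches the output shown in 1.5.3.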
1.5.3 Checking the Configuration
After a GRE tunnel is enabled with the Keepalive function, you can view the Keepalive packets
and Keepalive Response packets sent and received by the GRE tunnel interfaces.
Prerequisite
The Keepalive function is enabled on the GRE tunnel.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface tunnel interface-number
The tunnel interface view is displayed.
Step 3 Run:
display keepalive packets count
Check the Keepalive packets and Keepalive Response packets sent and received by the GRE
tunnel interface.
----End
Example
On the tunnel interface enabled with the Keepalive function, run the display keepalive packets count command to see the numbers of Keepalive packets and Keepalive Response packets sent and received by the local end. If the Keepalive function is correctly configured on the local tunnel interface, the number of Keepalive packets sent is not 0, and a non-zero number of Keepalive Response packets received shows that the remote end is reachable. In the output below the second line is all zeros: no Keepalive packets arrive from the peer, so none are answered, which is the expected picture when the remote end has not enabled Keepalive.
[Huawei] interface tunnel 0/0/1
[Huawei-Tunnel0/0/1] tunnel-protocol gre
[Huawei-Tunnel0/0/1] keepalive
[Huawei-Tunnel0/0/1] display keepalive packets count
Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers
1.6 Maintaining GRE
This section describes how to reset the statistics of a tunnel interface and monitor the GRE
running status.
1.6.1 Resetting the Statistics of a Tunnel Interface
When you need to reset the statistics of a tunnel interface, you can run the reset commands to
clear the Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel
interface.
Procedure
• Run the reset counters interface tunnel [ interface-number ] command in the system view to reset statistics about the tunnel interface.
• Reset statistics about Keepalive packets on the tunnel interface.
1. Run:
system-view
The system view is displayed.
2. Run:
interface tunnel interface-number
The tunnel interface view is displayed.
3. Run:
reset keepalive packets count
The statistics on Keepalive packets on the tunnel interface are reset.
NOTE
You can run the reset keepalive packets count command only in the tunnel interface view,
and the interface tunnel protocol must be GRE.
----End
1.6.2 Monitoring the Running Status of GRE
In routine maintenance, you can run the GRE related display commands to view the GRE running
status.
Context
In routine maintenance, you can run the following commands to view the GRE running status.
Procedure
• Run the display interface tunnel [ interface-number ] command to check the tunnel interface running status.
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE.
• Run the ping [ -a source-ip-address | -vpn-instance vpn-instance-name ] * host command to check whether the two ends of the tunnel can communicate with each other.
----End
1.6.3 Debugging GRE
When a GRE fault occurs, you can run the GRE related debugging commands to debug GRE and locate the fault.
Context
NOTE
The debugging process affects system performance. Therefore, after finishing the debugging process, run
the undo debugging all command immediately to disable the debugging.
When GRE goes abnormal, run the debugging commands in the user view to view debugging
information, locate the fault, and analyze the cause.
Procedure
• Run the debugging tunnel keepalive command in the user view to debug the Keepalive function of the GRE tunnel.
----End
1.7 Configuration Examples
Familiarize yourself with the configuration procedures against the networking diagrams. This section provides the networking requirements, configuration notes, and configuration roadmap of each configuration example.
1.7.1 Example for Configuring a Static Route for GRE
This section provides an example for configuring a static route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a static route is configured between
the device and its connected client.
Networking Requirements
In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C to achieve interworking between PC 1 and PC
2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
Figure 1-5 Networking diagram of configuring a static route for GRE
PC1 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 RouterA GE1/0/0 20.1.1.1/24 -- GE1/0/0 20.1.1.2/24 RouterB GE2/0/0 30.1.1.1/24 -- GE1/0/0 30.1.1.2/24 RouterC GE2/0/0 10.2.1.2/24 -- PC2 10.2.1.1/24
GRE tunnel: Tunnel0/0/1 40.1.1.1/24 on RouterA to Tunnel0/0/1 40.1.1.2/24 on RouterC
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a dynamic routing protocol on the routers.
2. Create a tunnel interface on Router A and Router C.
3. Specify the source address of the tunnel interface as the IP address of the interface that sends the packet.
4. Specify the destination address of the tunnel interface as the IP address of the interface that receives the packet.
5. Assign network addresses to the tunnel interfaces to enable the tunnel to support the dynamic routing protocol.
6. Configure the static route between Router A and its connected PC, and the static route between Router C and its connected PC, so that traffic between PC1 and PC2 is transmitted through the GRE tunnel.
7. Configure the egress of the static route as the local tunnel interface.
Data Preparation
To complete the configuration, you need the following data:
• Data for running OSPF
• Source address and destination address of the GRE tunnel, and IP addresses of the tunnel interfaces
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
# Configure Router A.
[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
# Configure Router B.
[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
# Configure Router C.
[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find that they both learn the OSPF route to the network segment of the remote interface.
Take Router A as an example.
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.2     GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      D      127.0.0.1    InLoopBack0
20.1.1.1/32         Direct  0    0      D      127.0.0.1    InLoopBack0
30.1.1.0/24         OSPF    10   2      D      20.1.1.2     GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
Step 3 Configure the tunnel interface.
# Configure Router A.
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 24
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] interface tunnel 0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 24
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can
ping each other successfully.
Take Router A as an example:
[RouterA] ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 24/34/48 ms
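The tunnel interfaces configured above exchange GRE-in-IPv4 packets: each end wraps the inner packet in an outer IPv4 header addressed from its source to its destination (protocol 47), and accepts only GRE packets whose outer addresses are its peer's and its own. The Python below is an added example, not Huawei code or AR1200 behaviour; it models that encapsulation with the page's addresses (tunnel 20.1.1.1 <-> 30.1.1.2, PC1 10.1.1.1, PC2 10.2.1.1) and also shows the point relied on later in 1.7.3, that a multicast inner packet leaves the tunnel as a unicast outer packet. The GreTunnel class, sample_inner() payload bytes and demo() are constructed for illustration.

```python
import socket
import struct

GRE_PROTO = 47            # IP protocol number of GRE in the outer (delivery) header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol-type value for an IPv4 payload


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt):
    """Return (src, dst, proto, header_len); reject a non-IPv4 or corrupted header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], ihl


class GreTunnel:
    """One end of a GRE tunnel, configured like the page's 'source' / 'destination'."""

    def __init__(self, source, destination):
        self.source, self.destination = source, destination

    def encapsulate(self, inner):
        """Outer IPv4 header (proto 47) + 4-byte GRE header (no C/K/S) + inner packet."""
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
        outer = ipv4_header(self.source, self.destination, GRE_PROTO, len(gre) + len(inner))
        return outer + gre + inner

    def decapsulate(self, pkt):
        """Return the inner packet, or None if this tunnel would not accept the packet:
        wrong protocol, outer addresses that are not our peer's and ours, or GRE
        options (checksum/key/sequence) this minimal model does not support."""
        src, dst, proto, ihl = parse_ipv4(pkt)
        if proto != GRE_PROTO or (src, dst) != (self.destination, self.source):
            return None
        if len(pkt) < ihl + 4:
            return None
        flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if flags & 0xB007 or ptype != ETHERTYPE_IPV4:   # C, K, S bits or version != 0
            return None
        return pkt[ihl + 4:]


def sample_inner(dst="10.2.1.1", proto=1):
    """Constructed inner packet from PC1: IPv4 header + 8 placeholder payload bytes."""
    return ipv4_header("10.1.1.1", dst, proto, 8) + b"\x08\x00" + b"\x00" * 6


def demo():
    """Router A encapsulates PC1 -> PC2 traffic; Router C decapsulates it."""
    router_a = GreTunnel("20.1.1.1", "30.1.1.2")   # Router A's Tunnel0/0/1
    router_c = GreTunnel("30.1.1.2", "20.1.1.1")   # Router C's Tunnel0/0/1
    inner = sample_inner()
    outer = router_a.encapsulate(inner)
    # Router B only sees 20.1.1.1 -> 30.1.1.2, protocol 47; the inner addresses are hidden.
    return parse_ipv4(outer)[:3] == ("20.1.1.1", "30.1.1.2", GRE_PROTO) and \
        router_c.decapsulate(outer) == inner
```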
Step 4 Configure a static route.
# Configure Router A.
[RouterA] ip route-static 10.2.1.0 24 tunnel 0/0/1
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 24 tunnel 0/0/1
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find the static route to the network segment of the remote user end through the tunnel
interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11
Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.2     GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      D      127.0.0.1    InLoopBack0
10.2.1.0/24         Static  60   0      D      40.1.1.1     Tunnel0/0/1
20.1.1.0/24         Direct  0    0      D      20.1.1.1     GigabitEthernet1/0/0
20.1.1.1/32         Direct  0    0      D      127.0.0.1    InLoopBack0
20.1.1.2/32         Direct  0    0      D      20.1.1.2     GigabitEthernet1/0/0
30.1.1.0/24         OSPF    10   2      D      20.1.1.2     GigabitEthernet1/0/0
40.1.1.0/24         Direct  0    0      D      40.1.1.1     Tunnel0/0/1
40.1.1.1/32         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
PC 1 and PC 2 can ping each other successfully.
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return
l Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Router C
#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
1.7.2 Example for Configuring a Dynamic Routing Protocol for GRE
This section provides an example for configuring a dynamic route for GRE. In this networking,
traffic between users is transmitted through a GRE tunnel; a dynamic route is configured between
the device and its connected user.
Networking Requirements
In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and
OSPF runs between them.
GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.
OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network
and OSPF process 2 is used for user access.
Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE
[Figure: the same topology as Figure 1-5. OSPF 1 runs on the backbone between Router A, Router B, and Router C; OSPF 2 runs over the GRE tunnel (Tunnel0/0/1) between Router A and Router C. Interface addresses shown in the figure:]
Router    Interface     IP address
RouterA   GE1/0/0       20.1.1.1/24
RouterA   GE2/0/0       10.1.1.2/24
RouterA   Tunnel0/0/1   40.1.1.1/24
RouterB   GE1/0/0       20.1.1.2/24
RouterB   GE2/0/0       30.1.1.1/24
RouterC   GE1/0/0       30.1.1.2/24
RouterC   GE2/0/0       10.2.1.2/24
RouterC   Tunnel0/0/1   40.1.1.2/24
PC1       -             10.1.1.1/24
PC2       -             10.2.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP on each router in the backbone network to realize the interworking between these devices. Here OSPF process 1 is used.
2. Create the GRE tunnel between the routers that are connected to the PCs. The routers can then communicate through the GRE tunnel.
3. Configure the dynamic routing protocol on the network segments through which the PCs access the backbone network. Here OSPF process 2 is used.
Data Preparation
To complete the configuration, you need the following data:
l Source address and destination address of the GRE tunnel
l IP addresses of the interfaces on both ends of the GRE tunnel
Procedure
Step 1 Assign an IP address to each interface.
Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not
mentioned here.
Step 2 Configure IGP for the VPN backbone network.
The specific configuration procedures are the same as those in 1.7.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 3 Configure the tunnel interfaces.
The specific configuration procedures are the same as those in 1.7.1 Example for Configuring
a Static Route for GRE and are not mentioned here.
Step 4 Configure OSPF on the tunnel interfaces.
# Configure Router A.
[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit
# Configure Router C.
[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit
Step 5 Verify the configuration.
After the configuration, run the display ip routing-table command on Router A and Router C.
You can find the OSPF route to the network segment of the remote user end through the tunnel
interface. Moreover, the next hop to the destination physical address (30.1.1.0/24) of the tunnel
is not the tunnel interface.
Take Router A as an example:
[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11
Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
10.1.1.0/24         Direct  0    0      D      10.1.1.2     GigabitEthernet2/0/0
10.1.1.2/32         Direct  0    0      D      127.0.0.1    InLoopBack0
10.2.1.0/24         OSPF    10   2      D      40.1.1.2     Tunnel0/0/1
20.1.1.0/24         Direct  0    0      D      20.1.1.1     GigabitEthernet1/0/0
20.1.1.1/32         Direct  0    0      D      127.0.0.1    InLoopBack0
30.1.1.0/24         OSPF    10   2      D      20.1.1.2     GigabitEthernet1/0/0
40.1.1.0/24         Direct  0    0      D      40.1.1.1     Tunnel0/0/1
40.1.1.1/32         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
PC 1 and PC 2 can ping each other successfully.
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
return
l Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Router C
#
sysname RouterC
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ospf 2
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
1.7.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec
This section provides an example for configuring a GRE tunnel to transmit multicast packets
encrypted with IPSec. In this networking, a GRE tunnel is set up between devices; multicast
packets are encapsulated with GRE and then IPSec.
Networking Requirements
In Figure 1-7, Router A and Router C are required to transmit multicast packets, and the multicast
packets must be encrypted through IPSec. Before being encrypted through IPSec, multicast
packets must be encapsulated with GRE because IPSec cannot directly encrypt multicast packets.
Figure 1-7 Networking diagram of transmitting IPSec-encrypted multicast packets through a GRE tunnel
[Figure: Router A and Router C are connected through Router B; the link between Router A and Router C is labelled "GRE with IPSec" (Tunnel0/0/1 at each end). A host 10.1.1.1/24 (PC1) is attached to Router A and a host 10.2.1.1/24 (PC2) to Router C. Interface addresses shown in the figure:]
Router    Interface     IP address
RouterA   GE1/0/0       20.1.1.1/24
RouterA   GE2/0/0       10.1.1.2/24
RouterA   Tunnel0/0/1   40.1.1.1/24
RouterB   GE1/0/0       20.1.1.2/24
RouterB   GE2/0/0       30.1.1.1/24
RouterC   GE1/0/0       30.1.1.2/24
RouterC   GE2/0/0       10.2.1.2/24
RouterC   Tunnel0/0/1   40.1.1.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the backbone network devices, namely, Router A, Router B, and Router C, to realize the interworking between these devices.
2. Create a GRE tunnel between Router A and Router C to encapsulate multicast packets.
3. Create an IPSec tunnel between Router A and Router C to encrypt the GRE-encapsulated multicast packets.
Data Preparation
To complete the configuration, you need the following data:
l Data for configuring the routing protocol for the backbone network
l Source address and destination address of the GRE tunnel
l IP addresses of the interfaces on both ends of the GRE tunnel
l Parameters for configuring IKE, such as the pre-shared key and remote name
l Data for configuring IPSec, such as the IPSec proposal name and ACL
Procedure
Step 1 Configure the routing protocol.
Configure a routing protocol on Router A, Router B, and Router C to implement the interworking
between these devices. OSPF is configured in this example. The configuration details are not
mentioned here.
After the configuration,
l Router A and Router C are routable.
l Router A can successfully ping GE1/0/0 of Router C.
l Router C can successfully ping GE1/0/0 of Router A.
Step 2 Configure the interfaces of the GRE tunnel.
# Configure Router A.
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] tunnel-protocol gre
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterC-Tunnel0/0/1] tunnel-protocol gre
[RouterC-Tunnel0/0/1] source 30.1.1.2
[RouterC-Tunnel0/0/1] destination 20.1.1.1
[RouterC-Tunnel0/0/1] quit
After the configuration,
l The GRE tunnel between Router A and Router C is set up.
l The status of the tunnel interfaces is Up.
Step 3 Enable multicast.
# Enable the multicast routing protocol globally. Enable PIM DM on the tunnel interfaces, and
enable PIM DM and IGMP on the interfaces connected to the PCs.
# Configure Router A.
[RouterA] multicast routing-enable
[RouterA] interface gigabitethernet 2/0/0
[RouterA-GigabitEthernet2/0/0] pim dm
[RouterA-GigabitEthernet2/0/0] igmp enable
[RouterA-GigabitEthernet2/0/0] quit
[RouterA] interface tunnel0/0/1
[RouterA-Tunnel0/0/1] pim dm
[RouterA-Tunnel0/0/1] quit
# Configure Router C.
[RouterC] multicast routing-enable
[RouterC] interface gigabitethernet 2/0/0
[RouterC-GigabitEthernet2/0/0] pim dm
[RouterC-GigabitEthernet2/0/0] igmp enable
[RouterC-GigabitEthernet2/0/0] quit
[RouterC] interface tunnel0/0/1
[RouterC-Tunnel0/0/1] pim dm
[RouterC-Tunnel0/0/1] quit
# After multicast is enabled, the multicast data between Router A and Router C is transmitted
through the GRE tunnel.
Step 4 Configure aggressive IKE negotiation between Router A and Router C.
NOTE
To encapsulate multicast packets with GRE and then encrypt the multicast packets with IPSec, the remote
address in IKE peer mode must be the destination address of the local tunnel.
# Configure Router A.
[RouterA] ike local-name rta
[RouterA] ike peer RouterC v1
[RouterA-ike-peer-routerc] exchange-mode aggressive
[RouterA-ike-peer-routerc] local-id-type name
[RouterA-ike-peer-routerc] pre-shared-key 12345
[RouterA-ike-peer-routerc] remote-name rtc
[RouterA-ike-peer-routerc] remote-address 30.1.1.2
[RouterA-ike-peer-routerc] quit
# Configure Router C.
[RouterC] ike local-name rtc
[RouterC] ike peer RouterA v1
[RouterC-ike-peer-routera] exchange-mode aggressive
[RouterC-ike-peer-routera] local-id-type name
[RouterC-ike-peer-routera] pre-shared-key 12345
[RouterC-ike-peer-routera] remote-name rta
[RouterC-ike-peer-routera] remote-address 20.1.1.1
[RouterC-ike-peer-routera] quit
Step 5 Configure IPSec.
NOTE
Encapsulate multicast packets with GRE and then encrypt these packets with IPSec. Note that the source
and destination addresses for the local end of the tunnel must match the ACL of the IPSec policy, and the
IPSec policy must be applied to the physical interface transmitting data.
# Configure IPSec on Router A and Router C. The default parameters of the IPSec proposal are
used in this example.
# Configure Router A.
[RouterA] acl number 3000
[RouterA-acl-adv-3000] rule permit gre source 20.1.1.1 0 destination 30.1.1.2 0
[RouterA-acl-adv-3000] quit
[RouterA] ipsec proposal p1
[RouterA-ipsec-proposal-p1] quit
[RouterA] ipsec policy policy1 1 isakmp
[RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC
[RouterA-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterA-ipsec-policy-isakmp-policy1-1] quit
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] ipsec policy policy1
[RouterA-GigabitEthernet1/0/0] quit
# Configure Router C.
[RouterC] acl number 3000
[RouterC-acl-adv-3000] rule permit gre source 30.1.1.2 0 destination 20.1.1.1 0
[RouterC-acl-adv-3000] quit
[RouterC] ipsec proposal p1
[RouterC-ipsec-proposal-p1] quit
[RouterC] ipsec policy policy1 1 isakmp
[RouterC-ipsec-policy-isakmp-policy1-1] security acl 3000
[RouterC-ipsec-policy-isakmp-policy1-1] ike-peer RouterA
[RouterC-ipsec-policy-isakmp-policy1-1] proposal p1
[RouterC-ipsec-policy-isakmp-policy1-1] quit
[RouterC] interface gigabitethernet 1/0/0
[RouterC-GigabitEthernet1/0/0] ipsec policy policy1
[RouterC-GigabitEthernet1/0/0] quit
# After the configuration, the multicast data between Router A and Router C can be transmitted
through the GRE tunnel encrypted with IPSec.
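The two NOTEs above tie four items together: the tunnel's source and destination, the IKE peer's remote-address, the ACL referenced by the IPSec policy, and the physical interface the policy is applied to. The Python below is an added example, not Huawei code; it parses the configuration-file layout used in this guide and reports any mismatch among those items, run here against a trimmed Router A / Router C configuration constructed from this page's values (sample_config, audit and audit_pair are names chosen for this example).

```python
import re


def sample_config(local, remote, peer):
    """Trimmed to the sections the checks read; constructed from this page's values."""
    return f"""acl number 3000
 rule 5 permit gre source {local} 0.0.0.0 destination {remote} 0.0.0.0
#
ike peer {peer} v1
 remote-address {remote}
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer {peer}
#
interface GigabitEthernet1/0/0
 ip address {local} 255.255.255.0
 ipsec policy policy1
#
interface Tunnel0/0/1
 tunnel-protocol gre
 source {local}
 destination {remote}
#
return
"""


ROUTER_A = sample_config("20.1.1.1", "30.1.1.2", "routerc")
ROUTER_C = sample_config("30.1.1.2", "20.1.1.1", "routera")


def parse_blocks(text):
    """Split a config file into [(header, [body lines])]; '#' separates blocks."""
    blocks, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            cur = None
        elif line and line != "return":
            if cur is None:
                cur = (line, [])
                blocks.append(cur)
            else:
                cur[1].append(line)
    return blocks


def block(blocks, prefix):
    """Body of the first block whose header starts with prefix (case-insensitive:
    the page's file writes 'ike peer routerc' but 'ike-peer Routerc')."""
    for header, body in blocks:
        if header.lower().startswith(prefix.lower()):
            return body
    return []


def find(lines, pattern):
    """Group 1 of the first line matching the regex, else None."""
    for line in lines:
        m = re.match(pattern, line)
        if m:
            return m.group(1)
    return None


def audit(text):
    """Check one router; return a list of findings (empty means consistent)."""
    findings, blocks = [], parse_blocks(text)
    tun = block(blocks, "interface Tunnel")
    src, dst = find(tun, r"source (\S+)"), find(tun, r"destination (\S+)")
    if not (src and dst):
        return ["tunnel interface lacks source/destination"]
    pol = block(blocks, "ipsec policy")
    acl_no, peer = find(pol, r"security acl (\d+)"), find(pol, r"ike-peer (\S+)")
    # NOTE under Step 4: the IKE remote-address must be the local tunnel destination.
    remote = find(block(blocks, f"ike peer {peer} "), r"remote-address (\S+)")
    if remote != dst:
        findings.append(f"ike remote-address {remote} != tunnel destination {dst}")
    # NOTE under Step 5: the ACL must match GRE between the tunnel endpoints
    # (the page writes the wildcard both as '0' and as '0.0.0.0'; accept either).
    rule = (rf"rule (?:\d+ )?permit gre source {re.escape(src)} 0(?:\.0\.0\.0)? "
            rf"destination {re.escape(dst)} 0(?:\.0\.0\.0)?$")
    if not any(re.match(rule, ln) for ln in block(blocks, f"acl number {acl_no}")):
        findings.append(f"acl {acl_no} has no rule permitting gre {src} -> {dst}")
    # NOTE under Step 5: the policy belongs on the physical interface that sends
    # the GRE packets, i.e. the interface that owns the tunnel source address.
    name = find([h for h, _ in blocks], r"ipsec policy (\S+) \d+ isakmp")
    carriers = [h for h, b in blocks
                if h.startswith("interface ") and f"ipsec policy {name}" in b]
    owner = [h for h, b in blocks if find(b, rf"ip address ({re.escape(src)}) ")]
    if carriers != owner:
        findings.append(f"ipsec policy {name} on {carriers}, tunnel source on {owner}")
    return findings


def audit_pair(a_text, c_text):
    """Audit both ends and confirm that their tunnel endpoints mirror each other."""
    findings = [f"A: {f}" for f in audit(a_text)] + [f"C: {f}" for f in audit(c_text)]
    a = block(parse_blocks(a_text), "interface Tunnel")
    c = block(parse_blocks(c_text), "interface Tunnel")
    if (find(a, r"source (\S+)"), find(a, r"destination (\S+)")) != (
            find(c, r"destination (\S+)"), find(c, r"source (\S+)")):
        findings.append("tunnel source/destination are not mirrored between the ends")
    return findings
```

audit_pair(ROUTER_A, ROUTER_C) returns an empty list for the page's values; changing the remote-address, the ACL protocol, or the interface carrying the policy each produces a finding.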
Step 6 On the source device and the destination device of the tunnel, configure the tunnel to forward
routes.
# Configure Router A.
[RouterA] ip route-static 10.2.1.0 255.255.255.0 tunnel 0/0/1
# Configure Router C.
[RouterC] ip route-static 10.1.1.0 255.255.255.0 tunnel 0/0/1
Step 7 Verify the configuration.
# After PC1 and PC2 successfully ping each other, you can see that the IKE negotiation has
completed and IPSec encryption takes effect.
[RouterA] display ike sa
Conn-ID  Peer       VPN  Flag(s)  Phase
---------------------------------------------------------------
16       30.1.1.2   0    RD       1
17       30.1.1.2   0    RD       2
Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP
[RouterA] display ips sa
===============================
Interface: GigabitEthernet1/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 17
encapsulation mode: tunnel
tunnel local : 20.1.1.1
tunnel remote: 30.1.1.2
[inbound ESP SAs]
spi: 2970386335 (0xb10c7f9f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434624/3081
max received sequence-number: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 1720763150 (0x6690c30e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434112/3081
max sent sequence-number: 33
udp encapsulation used for nat traversal: N
[RouterC] display ike sa
Conn-ID  Peer       VPN  Flag(s)  Phase
---------------------------------------------------------------
20       20.1.1.2   0    RD|ST    1
21       20.1.1.2   0    RD|ST    2
Flag Description:
RD--READY  ST--STAYALIVE  RL--REPLACED  FD--FADING  TO--TIMEOUT
HRT--HEARTBEAT  LKG--LAST KNOWN GOOD SEQ NO.  BCK--BACKED UP
[RouterC] display ips sa
===============================
Interface: GigabitEthernet1/0/0
path MTU: 1500
===============================
-----------------------------
IPsec policy name: "policy1"
sequence number: 1
mode: isakmp
-----------------------------
connection id: 21
encapsulation mode: tunnel
tunnel local : 30.1.1.2
tunnel remote: 20.1.1.1
[inbound ESP SAs]
spi: 1720763150 (0x6690c30e)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434624/3041
max received sequence-number: 32
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 2970386335 (0xb10c7f9f)
proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
sa remaining key duration (bytes/sec): 1887434112/3041
max sent sequence-number: 33
udp encapsulation used for nat traversal: N
----End
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
ike local-name rta
#
multicast routing-enable
#
acl number 3000
rule 5 permit gre source 20.1.1.1 0.0.0.0 destination 30.1.1.2 0.0.0.0
#
ike peer routerc v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rtc
remote-address 30.1.1.2
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer Routerc
proposal p1
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.1.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
pim dm
#
ospf 1
area 0.0.0.0
network 20.1.1.1 0.0.0.0
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return
l Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of Router C
#
sysname RouterC
#
ike local-name rtc
#
multicast routing-enable
#
acl number 3000
rule 5 permit gre source 30.1.1.2 0.0.0.0 destination 20.1.1.1 0.0.0.0
#
ike peer routera v1
exchange-mode aggressive
pre-shared-key 12345
local-id-type name
remote-name rta
remote-address 20.1.1.1
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
security acl 3000
ike-peer Routera
proposal p1
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
ipsec policy policy1
#
interface GigabitEthernet2/0/0
ip address 10.2.1.2 255.255.255.0
pim dm
igmp enable
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
pim dm
#
ospf 1
area 0.0.0.0
network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
1.7.4 Example for Configuring the CE to Access a VPN Through a GRE Tunnel of the Public Network
This section provides an example for configuring a CE to access a VPN through a GRE tunnel
on the public network. In this networking, the PE is indirectly connected to the CE; thus, no
physical interface can be bound to the VPN instance on the PE. Then, a GRE tunnel over the
public network is required between the CE and PE and the GRE tunnel is required to be bound
to the VPN instance on the PE. This allows the CE to access the VPN through the GRE tunnel.
Networking Requirements
As shown in Figure 1-8,
l PE1 and PE2 are located in the MPLS backbone network.
l CE1 is connected to PE1 through R1.
l CE2 is connected to PE2 directly.
l CE1 and CE2 belong to the same VPN.
CE1 and CE2 are required to interwork with each other.
Figure 1-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the public network
[Figure: CE1 - R1 - PE1 - (MPLS backbone) - PE2 - CE2. A GRE tunnel (Tunnel0/0/1 at each end) runs between CE1 and PE1 across R1; PE1 and PE2 each have a Loopback1 interface. PC1 is attached to CE1 and PC2 to CE2. Interface addresses shown in the figure:]
Router   Interface     IP address
CE1      GE1/0/0       21.1.1.2/24
CE1      GE2/0/0       30.1.1.1/24
CE1      Tunnel0/0/1   2.2.2.1/24
R1       GE1/0/0       30.1.1.2/24
R1       GE2/0/0       50.1.1.1/24
PE1      Loopback1     1.1.1.9/32
PE1      GE1/0/0       50.1.1.2/24
PE1      GE2/0/0       110.1.1.1/24
PE1      Tunnel0/0/1   2.2.2.2/24
PE2      Loopback1     3.3.3.9/32
PE2      GE1/0/0       110.1.1.2/24
PE2      GE2/0/0       11.1.1.2/24
CE2      GE1/0/0       11.1.1.1/24
CE2      GE2/0/0       41.1.1.2/24
Configuration Roadmap
PE1 and CE1 are indirectly connected, so the VPN instance on PE1 cannot be bound to a physical
interface on PE1. In such a situation, a GRE tunnel is required between CE1 and PE1. vpn1 on PE1
can then be bound to the GRE tunnel, and CE1 can access the VPN through the GRE tunnel.
The configuration roadmap is as follows:
1. Configure OSPF10 on PE1 and PE2 to implement the interworking between the two devices, and then enable MPLS.
2. Configure OSPF20 on CE1, R1, and PE1 to implement the interworking between the three devices.
3. Establish a GRE tunnel between CE1 and PE1.
4. Create VPN instances on PE1 and PE2. Then bind the VPN instance on PE1 to the GRE tunnel interface, and bind the VPN instance on PE2 to the physical interface connected to CE2.
5. Configure IS-IS routes between CE1 and PE1, and between CE2 and PE2, to implement the interworking between the CEs and PEs.
6. Configure BGP on the PEs to implement the interworking between CE1 and CE2.
Data Preparation
To complete the configuration, you need the following data:
l IP addresses of the interfaces, process ID of the routing protocol, and AS number
l Source address and destination address of the GRE tunnel
l VPN instance names, RDs, and VPN targets on the PEs
Procedure
Step 1 Configure the IP address for each interface and the routing protocol for the MPLS backbone
network.
Configure OSPF10 on PE1 and PE2, and then configure MPLS and LDP. The detailed
configurations are not mentioned here.
Step 2 Configure a routing protocol between CE1, R1, and PE1.
Configure OSPF20 on CE1, R1, and PE1. The detailed configurations are not mentioned here.
Step 3 Establish a GRE tunnel between CE1 and PE1.
# Configure CE1.
[CE1] interface tunnel0/0/1
[CE1-Tunnel0/0/1] ip address 2.2.2.1 255.255.255.0
[CE1-Tunnel0/0/1] tunnel-protocol gre
[CE1-Tunnel0/0/1] source 30.1.1.1
[CE1-Tunnel0/0/1] destination 50.1.1.2
# Configure PE1.
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
[PE1-Tunnel0/0/1] tunnel-protocol gre
[PE1-Tunnel0/0/1] source 50.1.1.2
[PE1-Tunnel0/0/1] destination 30.1.1.1
# After the configuration, a GRE tunnel is established between CE1 and PE1.
Step 4 Create a VPN instance named vpn1 on PE1 and bind the VPN instance to the GRE tunnel.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] ip binding vpn-instance vpn1
[PE1-Tunnel0/0/1] ip address 2.2.2.2 255.255.255.0
Step 5 Create a VPN instance named vpn1 on PE2 and bind the VPN instance to the GE interface.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 11.1.1.2 255.255.255.0
Step 6 Configure the IS-IS route between CE1 and PE1.
# Configure CE1.
[CE1] isis 50
[CE1-isis-50] network-entity 50.0000.0000.0001.00
[CE1-isis-50] quit
[CE1] interface gigabitethernet1/0/0
[CE1-GigabitEthernet1/0/0] isis enable 50
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface tunnel0/0/1
[CE1-Tunnel0/0/1] isis enable 50
[CE1-Tunnel0/0/1] quit
# Configure PE1.
[PE1] isis 50 vpn-instance vpn1
[PE1-isis-50] network-entity 50.0000.0000.0002.00
[PE1-isis-50] quit
[PE1] interface tunnel0/0/1
[PE1-Tunnel0/0/1] isis enable 50
[PE1-Tunnel0/0/1] quit
Step 7 Configure the IS-IS route between CE2 and PE2.
# Configure CE2.
[CE2] isis 50
[CE2-isis-50] network-entity 50.0000.0000.0004.00
[CE2-isis-50] quit
[CE2] interface gigabitethernet1/0/0
[CE2-GigabitEthernet1/0/0] isis enable 50
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface gigabitethernet2/0/0
[CE2-GigabitEthernet2/0/0] isis enable 50
[CE2-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] isis 50 vpn-instance vpn1
[PE2-isis-50] network-entity 50.0000.0000.0003.00
[PE2-isis-50] quit
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] isis enable 50
[PE2-GigabitEthernet2/0/0] quit
Step 8 Set up the MP-BGP peer relationship between PE1 and PE2.
# On PE1, specify PE2 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE1
and PE2.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] import-route isis 50
# On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback
interface, and enable the capability of exchanging VPN IPv4 routing information between PE2
and PE1.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
# Enter the view of the BGP VPN instance vpn1 and import the direct routes and IS-IS routes.
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] import-route isis 50
Step 9 Import BGP routes into IS-IS.
# Configure PE1.
[PE1] isis 50
[PE1-isis-50] import-route bgp
# Configure PE2.
[PE2] isis 50
[PE2-isis-50] import-route bgp
Step 10 Verify the configuration.
# After the configuration, CE1 and CE2 can successfully ping each other.
<CE1> ping 41.1.1.2
PING 41.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 41.1.1.2: bytes=56 Sequence=1 ttl=253 time=190 ms
Reply from 41.1.1.2: bytes=56 Sequence=2 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=3 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=4 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=5 ttl=253 time=100 ms
--- 41.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/124/190 ms
<CE2> ping 21.1.1.2
PING 21.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 21.1.1.2: bytes=56 Sequence=1 ttl=253 time=120 ms
Reply from 21.1.1.2: bytes=56 Sequence=2 ttl=253 time=110 ms
Reply from 21.1.1.2: bytes=56 Sequence=3 ttl=253 time=120 ms
Reply from 21.1.1.2: bytes=56 Sequence=4 ttl=253 time=90 ms
Reply from 21.1.1.2: bytes=56 Sequence=5 ttl=253 time=60 ms
--- 21.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 60/100/120 ms
----End
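Reading the verification output by eye is fine for one example, but a practitioner repeating Step 10 after every change wants the check automated. The following parser is an added example, not code from the Huawei guide: it reads the VRP ping session format shown above (the sample text is constructed to match the CE1 ping output) and applies a simple health rule that also flags a TTL that changes between replies, which on a stable VPN path should not happen.

```python
"""Parse Huawei VRP ping output and judge VPN path health.

Added example, not code from the Huawei guide. SAMPLE_PING is constructed
to match the format of the CE1 -> CE2 verification output in the guide.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_PING = """\
<CE1> ping 41.1.1.2
PING 41.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 41.1.1.2: bytes=56 Sequence=1 ttl=253 time=190 ms
Reply from 41.1.1.2: bytes=56 Sequence=2 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=3 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=4 ttl=253 time=110 ms
Reply from 41.1.1.2: bytes=56 Sequence=5 ttl=253 time=100 ms
--- 41.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 100/124/190 ms
"""

REPLY_RE = re.compile(r"^Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) "
                      r"Sequence=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<ms>\d+)")
SENT_RE = re.compile(r"^(\d+) packet\(s\) transmitted")
RECV_RE = re.compile(r"^(\d+) packet\(s\) received")
LOSS_RE = re.compile(r"^([\d.]+)% packet loss")
RTT_RE = re.compile(r"^round-trip min/avg/max = (\d+)/(\d+)/(\d+) ms")


@dataclass
class PingResult:
    target: Optional[str] = None
    sent: int = 0
    received: int = 0
    loss_percent: float = 100.0      # pessimistic default if the summary is missing
    rtt: Optional[Tuple[int, int, int]] = None   # (min, avg, max) in ms
    ttls: List[int] = field(default_factory=list)
    times: List[int] = field(default_factory=list)


def parse_ping(text: str) -> PingResult:
    """Parse one VRP ping session (prompt line included) into a PingResult."""
    r = PingResult()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("PING "):
            r.target = line.split()[1].rstrip(":")
        elif (m := REPLY_RE.match(line)):
            r.ttls.append(int(m["ttl"]))
            r.times.append(int(m["ms"]))
        elif (m := SENT_RE.match(line)):
            r.sent = int(m.group(1))
        elif (m := RECV_RE.match(line)):
            r.received = int(m.group(1))
        elif (m := LOSS_RE.match(line)):
            r.loss_percent = float(m.group(1))
        elif (m := RTT_RE.match(line)):
            r.rtt = tuple(int(x) for x in m.groups())
    return r


def path_healthy(r: PingResult, max_loss: float = 0.0, max_avg_ms: int = 500):
    """Return (ok, reasons). Besides loss and latency, a TTL that differs
    between replies is flagged: successive packets then took paths of
    different length, which is not expected on a stable VPN path."""
    reasons = []
    if r.received == 0:
        reasons.append("no replies")
    if r.loss_percent > max_loss:
        reasons.append(f"loss {r.loss_percent}% > {max_loss}%")
    if r.rtt and r.rtt[1] > max_avg_ms:
        reasons.append(f"avg rtt {r.rtt[1]} ms > {max_avg_ms} ms")
    if len(set(r.ttls)) > 1:
        reasons.append(f"ttl varies: {sorted(set(r.ttls))}")
    return (not reasons, reasons)


if __name__ == "__main__":
    res = parse_ping(SAMPLE_PING)
    print(res.target, res.sent, res.received, res.loss_percent, res.rtt)
    print(path_healthy(res))
```

The thresholds (no loss, 500 ms average) are assumptions chosen for illustration; tune them to the SLA of the VPN being verified.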
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
isis 50
network-entity 50.0000.0000.0001.00
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
ip address 21.1.1.2 255.255.255.0
isis enable 50
#
interface Tunnel0/0/1
ip address 2.2.2.1 255.255.255.0
tunnel-protocol gre
source 30.1.1.1
destination 50.1.1.2
isis enable 50
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
l Configuration file of R1
#
sysname R1
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 50.1.1.1 255.255.255.0
#
ospf 20
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return
l Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0002.00
import-route bgp
#
interface GigabitEthernet1/0/0
ip address 50.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 110.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel0/0/1
ip binding vpn-instance vpn1
ip address 2.2.2.2 255.255.255.0
tunnel-protocol gre
source 50.1.1.2
destination 30.1.1.1
isis enable 50
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
ospf 20
area 0.0.0.0
network 50.1.1.0 0.0.0.255
#
return
l Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger all
#
mpls ldp
#
isis 50 vpn-instance vpn1
network-entity 50.0000.0000.0003.00
import-route bgp
#
interface GigabitEthernet1/0/0
ip address 110.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 11.1.1.2 255.255.255.0
isis enable 50
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
import-route isis 50
#
ospf 10
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 110.1.1.0 0.0.0.255
#
return
l Configuration file of CE2
#
sysname CE2
#
isis 50
network-entity 50.0000.0000.0004.00
#
interface GigabitEthernet1/0/0
ip address 11.1.1.1 255.255.255.0
isis enable 50
#
interface GigabitEthernet2/0/0
ip address 41.1.1.2 255.255.255.0
isis enable 50
#
return
1.7.5 Example for Configuring the Keepalive Function for GRE
This section provides an example for configuring the Keepalive function of the GRE tunnel. With
Keepalive enabled, the VPN does not select a GRE tunnel whose remote end is unreachable, so
data loss is avoided.
Networking Requirements
As shown in Figure 1-9, Router A and Router B are configured with the GRE protocol. The two
ends of the GRE tunnel need to be configured with the Keepalive function.
Figure 1-9 Networking diagram of configuring the Keepalive function on two ends of a GRE
tunnel
[Figure: RouterA (GE1/0/0 20.1.1.1/24, Tunnel0/0/1 40.1.1.1/24) and RouterB (GE1/0/0
30.1.1.2/24, Tunnel0/0/1 40.1.1.2/24) are connected across the Internet by a GRE tunnel]
Configuration Roadmap
To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in
the tunnel interface view on the end.
TIP
If the Keepalive function is enabled on the source end, the destination end must be able to forward the
Keepalive messages; enabling the Keepalive function on the destination end itself is optional.
Data Preparation
To complete the configuration, you need the following data:
l Data for configuring the routing protocol for the backbone network
l Source address and destination address of the GRE tunnel
l Interval for sending Keepalive messages
l Parameters of the unreachable timer
Procedure
Step 1 Configure Router A and Router B to implement the interworking between the two devices.
The detailed procedure is not described here.
Step 2 Configure a tunnel on Router A and enable the Keepalive function.
<RouterA> system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterA-Tunnel0/0/1] quit
Step 3 Configure a tunnel on Router B and enable the Keepalive function.
<RouterB> system-view
[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterB-Tunnel0/0/1] source 30.1.1.2
[RouterB-Tunnel0/0/1] destination 20.1.1.1
[RouterB-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterB-Tunnel0/0/1] quit
Step 4 Verify the configuration.
# The tunnel interface on Router A can successfully ping the tunnel interface on Router B.
<RouterA> ping -a 40.1.1.1 40.1.1.2
PING 40.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=9 ms
Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=7 ms
Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=7 ms
--- 40.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 7/7/9 ms
# Enable the debugging of the Keepalive messages on Router A and view information about the
Keepalive messages.
<RouterA> terminal monitor
<RouterA> terminal debugging
<RouterA> debugging tunnel keepalive
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive
finished. Received keepalive detecting packet from peer router.
<RouterA>
May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard u
lKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packe
t.
<RouterA>
May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer kee
palive on mainboard successfully. Put into decapsulation.
<RouterA>
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive
finished. Received keepalive response packet from peer router.
<RouterA>
May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the resp
onse keepalive packet on mainboard successfully, keepalive finished.
<RouterA>
May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard s
end mbuf to slaveboard when RECEIVE response packet.
----End
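The keepalive period 20 retry-times 3 setting in Steps 2 and 3 means a dead peer is noticed only after three unanswered keepalives, that is, after 60 seconds at worst. The following code is an added example, not Huawei's implementation: it models that documented rule as a small state machine, and parses the debug output format shown in Step 4 (the sample lines reuse the guide's own debug lines, each joined onto a single line) so that responses and peer probes can be counted from a log capture.

```python
"""GRE Keepalive: the 'keepalive period N retry-times M' rule and the debug
lines that 'debugging tunnel keepalive' prints.

Added example, not Huawei's implementation. KeepaliveMonitor models the
documented rule: the tunnel is declared unreachable after retry-times
consecutive keepalives go unanswered. SAMPLE_DEBUG reuses the guide's
debug lines, each joined onto a single line.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_DEBUG = """\
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard ulKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packet.
May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer keepalive on mainboard successfully. Put into decapsulation.
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the response keepalive packet on mainboard successfully, keepalive finished.
May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard send mbuf to slaveboard when RECEIVE response packet.
"""

# "<Mon> <day> <year> <hh:mm:ss.ms.seq>+<tz> <host> TUNNEL/7/debug:<module>:<msg>"
DEBUG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} [\d:.]+)\+\d\d:\d\d (?P<host>\S+) "
    r"TUNNEL/7/debug:(?P<module>GRE_\w+):\s*(?P<msg>.*)$")


def parse_debug_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into timestamp, host, module and message."""
    m = DEBUG_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class KeepaliveMonitor:
    period: int = 20        # seconds between keepalives sent to the peer
    retry_times: int = 3    # unanswered keepalives tolerated before going down
    missed: int = 0
    up: bool = True

    def on_response(self) -> None:
        """A response to our keepalive arrived: the peer is reachable again."""
        self.missed = 0
        self.up = True

    def on_period_elapsed(self, got_response: bool) -> bool:
        """Called once per period; returns the tunnel state after this period."""
        if got_response:
            self.on_response()
        else:
            self.missed += 1
            if self.missed >= self.retry_times:
                self.up = False
        return self.up

    def worst_case_detection_s(self) -> int:
        """Seconds before a dead peer is noticed: period * retry-times."""
        return self.period * self.retry_times


def simulate(responses: List[bool], period: int = 20, retry_times: int = 3) -> List[bool]:
    """Tunnel state after each period, given whether a response arrived in it."""
    mon = KeepaliveMonitor(period, retry_times)
    return [mon.on_period_elapsed(r) for r in responses]


def replay(debug_text: str, monitor: Optional[KeepaliveMonitor] = None) -> Dict[str, int]:
    """Count keepalive events in debug output. Only GRE_KEEP lines are
    counted; GRE_FWD and GRE_KEEP_NSR repeat the same event at other layers."""
    mon = monitor or KeepaliveMonitor()
    counts = {"probes_from_peer": 0, "responses": 0, "unparsed": 0}
    for line in debug_text.splitlines():
        ev = parse_debug_line(line)
        if ev is None:
            counts["unparsed"] += 1
            continue
        if ev["module"] != "GRE_KEEP":
            continue
        if "response packet" in ev["msg"]:
            counts["responses"] += 1
            mon.on_response()
        elif "detecting packet" in ev["msg"]:
            counts["probes_from_peer"] += 1
    counts["up"] = int(mon.up)
    return counts


if __name__ == "__main__":
    print("worst-case detection:", KeepaliveMonitor().worst_case_detection_s(), "s")
    print(simulate([False, False, False, True]))
    print(replay(SAMPLE_DEBUG))
```

Keepalive only tells the router that the far end of the path answers; GRE itself carries no authentication or encryption, so an "up" tunnel says nothing about the identity of the peer or the confidentiality of the traffic. Where that matters, run the GRE tunnel over IPsec.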
Configuration Files
l Configuration file of Router A
#
sysname RouterA
#
interface GigabitEthernet1/0/0
ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.1 255.255.255.0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
keepalive period 20
#
return
l Configuration file of Router B
#
sysname RouterB
#
interface GigabitEthernet1/0/0
ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
ip address 40.1.1.2 255.255.255.0
tunnel-protocol gre
source 30.1.1.2
destination 20.1.1.1
keepalive period 20
#
return
2 BGP MPLS IP VPN Configuration
About This Chapter
This chapter describes the BGP/MPLS IP VPN configuration, including the introduction to the
BGP/MPLS IP VPN, common networking of the BGP/MPLS IP VPN, and configurations to
ensure the reliability of the BGP/MPLS IP VPN.
2.1 Introduction to BGP/MPLS IP VPN
This section describes the concepts and roles of the PE, P, and CE.
2.2 BGP/MPLS IP VPN Features Supported by the AR1200
The AR1200 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.
2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family
A VPN instance isolates VPN routes from public network routes. Configuring a VPN instance
enabled with the IPv4 address family allows a PE to advertise IPv4 routes and forward data.
2.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.
2.5 Configuring Hub and Spoke
In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
2.6 Configuring Inter-AS VPN Option A
In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.
2.7 Configuring Inter-AS VPN Option B
In inter-AS VPN Option B through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and exchange the VPNv4 routes with each other.
2.8 Configuring Inter-AS VPN Option C
EBGP connections in multi-hop mode are established between PEs of different ASs to exchange
VPNv4 routes.
2.9 Configuring Inter-AS VPN Option C (Solution 2)
After LDP LSPs are established for the labeled BGP routes of the public network, EBGP
connections in multi-hop mode are established between PEs of different ASs to exchange VPNv4
routes.
2.10 Configuring HoVPN
HoVPN indicates a hierarchical VPN in which multiple PEs play different roles and form a
hierarchical structure. With this structure, these PEs function as one PE, and the performance
requirements for the PEs are lowered.
2.11 Configuring a Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
2.12 Connecting VPN and the Internet
Generally, users within a VPN can communicate only with each other, but cannot communicate
with Internet users because VPN users cannot access the Internet. If each VPN site needs to
access the Internet, configure the interconnection between the VPN and the Internet.
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs, but also facilitates network maintenance and management.
2.14 Configuring Route Reflection to Optimize the VPN Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce
the number of IBGP connections between CEs and facilitate maintenance and management.
2.15 Maintaining BGP/MPLS IP VPN
This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic
checking, network connectivity monitoring, BGP connection resetting.
2.16 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.
2.1 Introduction to BGP/MPLS IP VPN
This section describes the concepts and roles of the PE, P, and CE.
BGP/MPLS IP VPN is a PE-based L3VPN technology used in the Provider Provisioned VPN
(PPVPN) solution. BGP/MPLS IP VPN uses BGP to advertise VPN routes and MPLS to forward
VPN packets on the provider's backbone network.
Characterized by flexible networking modes, excellent extensibility, and convenient support for
MPLS QoS, BGP/MPLS IP VPN is widely used.
Figure 2-1 shows the networking diagram of BGP/MPLS IP VPN.
Figure 2-1 BGP/MPLS IP VPN model
[Figure: two VPN 1 sites and two VPN 2 sites, each attached through a CE to a PE at the edge
of the service provider's P backbone]
The BGP/MPLS IP VPN model consists of the following parts:
l A Customer Edge (CE) is an edge device on the customer network, which has one or more
interfaces directly connected to the service provider network. A CE can be a router, a
switch or a host. Usually, CEs cannot "sense" the existence of the VPN, and do not need
to support MPLS.
l A Provider Edge (PE) is an edge device on the provider network, which is directly connected
to the CE. In the MPLS network, PEs perform all the VPN-related processing.
l A Provider (P) is a backbone device on the provider network, which is not directly
connected to the CE. Ps only need to possess basic MPLS forwarding capabilities and do
not need to maintain information about VPNs.
l A site is a group of IP systems that have IP connectivity among themselves without being
connected to the service provider network. A site is connected to the provider network
through the CE. A site may contain many CEs, but a CE belongs only to a single site.
2.2 BGP/MPLS IP VPN Features Supported by the AR1200
The AR1200 supports basic and typical networking of the BGP/MPLS IP VPN, and such features
as reliability and QoS of the BGP/MPLS IP VPN.
Basic Networking
The AR1200 uses the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to
achieve the VPN route exchange between PEs. The static route, Routing Information Protocol
(RIP) multi-instance, Open Shortest Path First (OSPF) multi-instance, Intermediate System-to-Intermediate System (IS-IS) multi-instance, or external BGP (EBGP) can be used to exchange
routes between a PE and a CE. In addition, by using VPN targets to control the transmission of
VPN routes, the AR1200 can implement multiple VPN networking topologies including
Intranet, Extranet, and Hub and Spoke.
Generally, LSP tunnels are used on the VPN backbone network. In some cases where PEs
support MPLS functions but P routers support only IP functions, GRE tunnels can be used.
Typical Networking
The AR1200 supports the following typical VPN networking scheme:
l Inter-AS VPN
If a VPN backbone network spans multiple ASs, the inter-AS VPN must be configured.
The inter-AS VPN can be classified as Option A, Option B, or Option C.
l HoVPN
To relieve the stress on a PE, the Hierarchy of VPN (HoVPN) can be configured. A device
on the convergence layer or the access layer is selected as the Underlayer Provider Edge
(UPE), which works jointly with the PE, that is, the Superstratum Provider Edge (SPE) on
the backbone layer, to implement the functions of the PE.
l Multi-VPN-Instance CE
The Multi-VPN-Instance CE can be configured to improve the routing capability of the
LAN, solve the security problem of the LAN at a low cost, and ensure that the LAN services
are safely differentiated. Currently, LAN services can be differentiated by utilizing VLAN
switches, but they have a weak routing capability.
l VPN and Internet interworking
The AR1200 supports the interworking between VPNs and the Internet. This section
describes how to implement this interworking by means of configuring static routes and
Policy-based Routing (PBR) on PEs.
Reliability
To improve the reliability of a VPN, the following networking modes are generally adopted.
l The backbone network is an MPLS network, on which the devices adopt hierarchical
backup and are fully connected through high-speed interfaces. If there are many PEs on
the network, the BGP route reflector is deployed to reflect IPv4 VPN routes in order to
decrease the number of Multi-Protocol internal BGP (MP IBGP) connections.
l Either a mesh topology or a ring topology is used at the convergence layer based on the
requirements.
2.3 Configuring a VPN Instance Enabled with the IPv4
Address Family
A VPN instance isolates VPN routes from public network routes. Configuring a VPN instance
enabled with the IPv4 address family allows a PE to advertise IPv4 routes and forward data.
2.3.1 Establishing the Configuration Task
Before configuring a VPN instance enabled with an IPv4 address family, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the data
required for the configuration. This will help you complete the configuration task quickly and
accurately.
Applicable Environment
In BGP/MPLS IP VPN, each VPN is instantiated, and the instances of private forwarding
information of each VPN are established, that is, a VPN instance is established. A VPN instance
is also called the VPN Routing and Forwarding (VRF) table. In RFC 4364 (BGP/MPLS IP
VPNs), a VPN instance is called the per-site forwarding table.
The VPN instance is used to separate the VPN routes from public routes. In all the BGP/MPLS
IP VPN networking scenarios, configure VPN instances.
The VPN instance IPv4 address family can realize the separation of address spaces based on the
Route Distinguisher (RD), and can control VPN membership and routing rules based on the
VPN target attribute.
In addition, to achieve enhanced routing control, you can also enforce inbound and outbound
routing policies. The inbound routing policy is used to filter the routes imported into the VPN
instance IPv4 address family, and the outbound routing policy is used to filter the routes
advertised to other PEs.
Pre-configuration Tasks
Before configuring a VPN instance enabled with an IPv4 address family, complete the following
tasks:
l Configuring routing policies if import or export routing policies need to be applied to the
VPN instance IPv4 address family
l Configuring tunnel policies if load balancing is required, or the default selecting sequence
of Label Switched Paths (LSPs), Multiprotocol Label Switching Traffic Engineering
(MPLS TE) tunnels, or Generic Routing Encapsulation (GRE) tunnels need to be changed.
For tunnel policy configuration, see the chapter "VPN Tunnel Management Configuration"
in this manual.
Data Preparation
To configure a VPN instance enabled with an IPv4 address family, you need the following data.
No.  Data
1    Name of the VPN instance
2    (Optional) Description of the VPN instance
3    RD, VPN target attribute of the VPN instance IPv4 address families
4    (Optional) Maximum number of routes allowed by the VPN instance IPv4 address families
5    (Optional) Routing policy that controls the receiving and sending of VPN routes
6    (Optional) Tunnel policy
2.3.2 Creating a VPN Instance
Configuring a VPN instance is the preliminary step for configuring other VPN attributes. After
a VPN instance is configured, a VPN routing and forwarding table is created.
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip vpn-instance vpn-instance-name
A VPN instance is created, and the VPN instance view is displayed.
NOTE
The VPN instance name is case sensitive. For example, vpn1 and VPN1 are considered different VPN
instances.
No default VPN instance exists on a PE, and multiple VPN instances can be created on the PE.
Step 3 (Optional) Run:
description description-information
The description of the VPN instance is configured.
The description of a VPN instance functions the same as the description of a host name or an
interface. It is recommended that the proper description be configured.
Step 4 (Optional) Run:
service-id service-id
A service ID is set for the VPN instance.
A service ID identifies a specific VPN instance and is unique on the same device.
----End
2.3.3 Configuring Attributes for the VPN Instance IPv4 Address
Family
To facilitate the management for routes of the VPN instance IPv4 address family, configure
other VPN attributes, such as the VPN target, route limit, and routing policy.
Context
Perform the following steps on the PE that is configured with VPN instances.
NOTE
It is recommended to perform either Step 6 or Step 7.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
Step 3 Run:
ipv4-family
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher
An RD is configured for the VPN instance IPv4 address family.
The VPN instance IPv4 address family takes effect only after an RD is configured for it. The
RDs configured in different VPN instance IPv4 address family views of the same PE must be
different.
NOTE
A configured RD cannot be changed or deleted. Delete a VPN instance or disable the VPN instance IPv4
address family before changing or deleting the RD of the VPN instance IPv4 address family.
Step 5 Run:
vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]
The VPN target extended community attribute for the VPN instance is created.
The VPN target is the extended community attribute of the Border Gateway Protocol (BGP). It
controls the import and export of VPN routes. You can configure a maximum of 8 VPN targets
with a command.
Step 6 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance is configured.
You can define the maximum number of routes for a VPN instance to prevent the PE from
importing too many routes from the CE.
NOTE
If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance IPv4 address family exceeds the maximum. If the routing-table
limit command is run to increase the maximum number of routes supported in a VPN instance IPv4 address
family or the undo routing-table limit command is run to remove the limit on the routing table, for excess
routes, the following operations are required:
l For the excessive static routes, reconfigure them manually.
l For the excessive routes learned from CEs through the IGP multi-instance routing protocol, re-initiate
the multi-instance process of the routing protocol on the PE.
For the remote cross routes learned through the MP-IBGP and the BGP routes learned from CEs, the system
automatically refreshes them.
Step 7 (Optional) Run:
prefix limit number { alert-percent [ route-unchanged ] | simply-alert }
The maximum number of prefixes for the VPN instance IPv4 address family is configured.
You can define the maximum number of prefixes for a VPN instance IPv4 address family to
avoid importing too many prefixes from the CE.
Step 8 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Step 9 (Optional) Run:
import route-policy policy-name
The inbound routing policy of the VPN instance IPv4 address family is configured.
Step 10 (Optional) Run:
export route-policy policy-name
The outbound routing policy of the VPN instance IPv4 address family is configured.
----End
2.3.4 (Optional) Configuring MPLS Label Allocation Based on the
VPN Instance IPv4 Address Family
This section describes how the MPLS label is allocated in a VPN instance IPv4 address
family. Specifically, it covers how the local PE allocates the same MPLS label for all routes of
the VPN instance IPv4 address family. If there are a large number of VPN routes, you can reduce
the number of MPLS labels maintained by PEs.
Context
Perform the following steps on the PE configured with VPN instances IPv4 address family.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip vpn-instance vpn-instance-name
The VPN instance view is displayed.
Step 3 Run:
ipv4-family
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
apply-label per-instance
The MPLS label is allocated based on the VPN instance IPv4 address family, which ensures that
all the routes in a VPN instance IPv4 address family use the same MPLS label.
Generally, MPLS label allocation is in one label per route mode. When the number of routes
becomes larger, more labels are required.
Therefore, MPLS label allocation based on the VPN instance IPv4 address family is introduced
and provided by the AR1200. In this manner, all the routes of a VPN instance share the same
MPLS label.
----End
2.3.5 Checking the Configuration
After configuring a VPN instance enabled with the IPv4 address family, you can view information
about it on the local device, including RD attributes and other attributes.
Prerequisite
The functions of the VPN instance enabled with IPv4 address family are fully configured.
Procedure
l Run the display ip vpn-instance verbose vpn-instance-name command to check detailed
information about the VPN instance, including information about the IPv4 address
family.
l Run the display ip vpn-instance vpn-instance-name command to check brief information
about the VPN instance.
l Run the display ip vpn-instance import-vt ivt-value command to check information about
all VPN instances with the specified import VPN-target attribute.
----End
Example
Run the display ip vpn-instance command. If brief information about the VPN instance is
displayed, it means that the configuration succeeded. For example:
<Huawei> display ip vpn-instance
Total VPN-Instances configured : 4
VPN-Instance Name               Address-family
vrf1                            ipv4
vrf2
vrf3                            ipv4
vrf4                            ipv4
Run the display ip vpn-instance verbose command. If detailed information about the VPN
instance is displayed, it means the configuration succeeded. For example:
<Huawei> display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Description : vrf1
Service ID : 123
Address family ipv4
Create date : 2010/03/05 16:26:27
Up time : 0 days, 00 hours, 09 minutes and 12 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per instance
Per-Instance Label : 1029
Import Route Policy : rp1
Export Route Policy : rp2
Tunnel Policy : tp1
Maximum Routes Limit : 200
Threshold Routes Limit : 10%
Prefix Routes Limit : 200
Threshold Prefixes Limit : 20%
Install Mode : route-unchanged
Log Interval : 30
Run the display ip vpn-instance import-vt ivt-value command. If information about all VPN
instances with the specified import VPN-target attribute is displayed, it means that the
configuration succeeded.
<Huawei> display ip vpn-instance import-vt 1:1
The number of ipv4-family matched the import-vt : 3
VPN-Instance Name and ID : vrf1, 1
VPN-Instance Name and ID : vrf4, 5
VPN-Instance Name and ID : vrf5, 4
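The attributes shown by display ip vpn-instance verbose (RD, import and export VPN targets, label policy) are what actually decide which VRF a VPNv4 route lands in, and the import-vt output above is the same question asked from the target's side. The code below is an added example, not Huawei's implementation, that models the three mechanisms from sections 2.3.3 and 2.3.4 together: the RD keeping overlapping customer prefixes distinct in MP-BGP, the export/import VPN-target intersection that installs a route into a VRF, and the label count difference between one label per route and apply-label per-instance. All instance names, RDs, targets, prefixes and next hops are constructed sample values.

```python
"""VPN-target matching, RD separation and per-instance label allocation,
modelled on the attributes 'display ip vpn-instance verbose' shows.

Added example, not Huawei's implementation. All instance names, RDs,
targets, prefixes and next hops below are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass
class VpnInstance:
    name: str
    rd: str                                              # route-distinguisher
    export_vt: Set[str] = field(default_factory=set)     # vpn-target ... export-extcommunity
    import_vt: Set[str] = field(default_factory=set)     # vpn-target ... import-extcommunity
    routes: Dict[str, str] = field(default_factory=dict)  # prefix -> next hop (PE loopback)


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    next_hop: str
    label: int
    export_vt: FrozenSet[str]


def allocate_labels(vrfs: List[VpnInstance], per_instance: bool,
                    base: int = 1024) -> Dict[Tuple[str, str], int]:
    """(vrf name, prefix) -> MPLS label. per_instance=True models
    'apply-label per-instance': every route of a VRF shares one label."""
    labels: Dict[Tuple[str, str], int] = {}
    nxt = base
    for v in vrfs:
        for p in v.routes:
            labels[(v.name, p)] = nxt
            if not per_instance:
                nxt += 1
        if per_instance and v.routes:
            nxt += 1
    return labels


def export_routes(vrf: VpnInstance, labels: Dict[Tuple[str, str], int]) -> List[Vpnv4Route]:
    """What the local PE advertises over MP-BGP: RD:prefix tagged with the
    VRF's export targets and the label it expects on returning traffic."""
    return [Vpnv4Route(vrf.rd, p, nh, labels[(vrf.name, p)], frozenset(vrf.export_vt))
            for p, nh in vrf.routes.items()]


def import_routes(vrfs: List[VpnInstance],
                  advertised: List[Vpnv4Route]) -> Dict[str, Dict[str, Tuple[str, int]]]:
    """The receiving PE installs a VPNv4 route into every VRF whose import
    targets intersect the route's export targets (the 'policy vpn-target'
    check). Returns vrf name -> {prefix: (next hop, label)}."""
    installed: Dict[str, Dict[str, Tuple[str, int]]] = {v.name: {} for v in vrfs}
    for r in advertised:
        for v in vrfs:
            if v.import_vt & r.export_vt:
                installed[v.name][r.prefix] = (r.next_hop, r.label)
    return installed


def instances_with_import_vt(vrfs: List[VpnInstance], vt: str) -> List[str]:
    """The question 'display ip vpn-instance import-vt <vt>' answers."""
    return [v.name for v in vrfs if vt in v.import_vt]


def vpnv4_keys(advertised: List[Vpnv4Route]) -> Set[Tuple[str, str]]:
    """Distinct (RD, prefix) keys: overlapping customer prefixes stay apart."""
    return {(r.rd, r.prefix) for r in advertised}


# Constructed sample: two VRFs on the advertising PE whose customers both
# use 10.1.1.0/24, and four VRFs on the receiving PE.
LOCAL_VRFS = [
    VpnInstance("vpn1", "100:1", {"1:1"}, {"1:1"},
                {"10.1.1.0/24": "1.1.1.9", "10.1.2.0/24": "1.1.1.9"}),
    VpnInstance("vpn2", "100:2", {"2:2"}, {"2:2"}, {"10.1.1.0/24": "1.1.1.9"}),
]
REMOTE_VRFS = [
    VpnInstance("vrf1", "200:1", {"1:1"}, {"1:1"}),
    VpnInstance("vrf2", "200:2", {"2:2"}, {"2:2"}),
    VpnInstance("vrf4", "200:4", {"1:1"}, {"1:1"}),
    VpnInstance("vrf5", "200:5", {"1:1"}, {"1:1"}),
]


def demo(per_instance: bool = False):
    """Run the local PE's advertisement and the remote PE's import once."""
    labels = allocate_labels(LOCAL_VRFS, per_instance)
    advertised = [r for v in LOCAL_VRFS for r in export_routes(v, labels)]
    return labels, advertised, import_routes(REMOTE_VRFS, advertised)


if __name__ == "__main__":
    labels, advertised, installed = demo()
    for name, table in installed.items():
        print(name, table)
    print("labels per-route:", len(set(labels.values())),
          "per-instance:", len(set(demo(True)[0].values())))
```

The isolation between vpn1 and vpn2 here rests entirely on the target sets: a VRF that is given an import target it should not have (for example by using the both keyword on a target meant only for export) silently starts installing the other VPN's routes, which is why the import-vt display is worth checking after every VPN-target change.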
2.4 Configuring Basic BGP/MPLS IP VPN
The basic BGP/MPLS IP VPN refers to a VPN that is established on one SP's MPLS backbone
network that does not span multiple ASs. The role of each PE, P, or CE of the basic BGP/MPLS
IP VPN is unique. For example, a router cannot function as both a PE and a CE.
2.4.1 Establishing the Configuration Task
Before configuring the basic BGP/MPLS IP VPN, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
This section describes the basic BGP/MPLS IP VPN networking. Specifically, networking
features only one carrier and one intra-AS MPLS backbone network. In addition, the roles of
the P, PE, and CE are unique. For example, no device serves both as the PE and CE.
For special BGP/MPLS IP VPN networking scenarios, such as HoVPN and inter-AS VPN, additional
configurations are needed. Refer to the related sections in this chapter for details.
In terms of the configuration of the BGP/MPLS IP VPN, it is critical for you to configure the
management of the advertisement of VPN routes on the MPLS backbone networks, including
the management of route advertisement between the PE and CE, and between PEs.
You can configure MP-IBGP to exchange routes between PEs. To exchange routes between the
PE and CE, you can configure static routes, RIP multi-instance, OSPF multi-instance, IS-IS
multi-instance, or BGP based on the specific networking situations.
NOTE
If a VPN is used to receive the external routes and the routes advertised by non-PE devices, and advertise
these routes to PEs, the VPN is called a transit VPN.
If a VPN is used to accept the internal routes and the routes advertised by PEs, the VPN is called a stub
VPN. In most cases, the static route is only used to exchange routes between the PE and CE in the stub
VPN.
Pre-configuration Tasks
Before configuring basic BGP/MPLS IP VPN, complete the following tasks:
- Configuring IGP for the MPLS backbone network (PE, P) to implement IP connectivity
- Configuring basic MPLS functions and MPLS LDP for the MPLS backbone network (PE, P)
- Configuring tunnels between PEs based on the tunnel policy
- Configuring the IP address for the CE interface that is connected to the PE
Data Preparation
To configure basic BGP/MPLS IP VPN, you need the following data.
No.  Data
1    Data for configuring a VPN instance:
     - Name of the VPN instance
     - (Optional) Description of the VPN instance
     - RD and VPN target attributes of the VPN instance IPv4 address family
     - (Optional) Routing policy used to control the sending and receiving of VPN routes
     - (Optional) Tunnel policy
     - (Optional) Maximum number of routes permitted in a VPN instance IPv4 address family
2    IP address of the PE interface that is connected to the CE
3    Route-exchanging mode between the PE and CE, which can be the static route, RIP, OSPF, IS-IS, or BGP
4    AS number of the PE
5    IP address and interface of the PE used to establish the BGP peer relationship
2.4.2 Configuring a VPN Instance
This section describes how to configure a VPN instance to manage VPN routes.
Procedure
Step 1 For the details, see Configuring VPN Instances.
----End
2.4.3 Binding an Interface with a VPN Instance
Binding an interface to a VPN instance makes it a VPN interface: packets that pass through the
interface are forwarded according to the forwarding information of the VPN instance, and the
Layer 3 attributes of the interface, such as its IP address and routing protocol configuration,
are deleted. Re-configure these attributes if they are still required.
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
The interface is bound to the VPN instance.
NOTE
Running the ip binding vpn-instance command on an interface deletes its Layer 3 attributes, such as
the IP address and routing protocol configuration. If these Layer 3 attributes are still required,
configure them again.
An interface cannot be bound to a VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all the address families of a VPN
instance unbinds all the bound interfaces from the VPN instance.
Step 4 Run:
ip address ip-address { mask | mask-length }
The IP address is configured.
----End
2.4.4 (Optional) Configuring a Router ID for a BGP VPN Instance IPv4 Address Family
You can configure different router IDs for BGP VPN instance IPv4 address families on the same
device.
Context
By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the
BGP router ID is used. This makes different BGP VPN instance IPv4 address families on the
same device have the same router ID. In some cases, different router IDs need to be configured
for different BGP VPN instance IPv4 address families. For example, BGP peer relationships
need to be established between different BGP VPN instance IPv4 address families on the same
PE.
There are two methods to configure a router ID for a BGP VPN instance IPv4 address family.
You can choose either of the two methods as required.
Procedure
- Configuring router IDs for all BGP VPN instance IPv4 address families
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     router-id vpn-instance auto-select
     Automatic router ID selection is configured for all BGP VPN instance IPv4 address families.
     NOTE
     Rules for automatically selecting a router ID for a BGP VPN instance IPv4 address family are as follows:
     - If loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family, the largest of their IP addresses is selected as the router ID.
     - If no loopback interface configured with an IP address is bound to the VPN instance enabled with the IPv4 address family, the largest IP address among the other interfaces bound to the VPN instance is selected as the router ID, regardless of whether the interface is Up or Down.
- Configuring a router ID for a specified BGP VPN instance IPv4 address family
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP-VPN instance IPv4 address family view is displayed.
  4. Run:
     router-id { ipv4-address | auto-select }
     A router ID or automatic router ID selection is configured for the current BGP VPN instance IPv4 address family.
----End
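The automatic selection rule described in the NOTE above, as an added Python illustration that is not part of this guide or of the AR1200 software. The interface table and the VPN instance names (vpna, vpnb, vpnc) are constructed, and falling back to the BGP router ID when no bound interface carries an address is an assumption made here, since the guide does not describe that case.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    """One interface as the selection rule sees it (constructed model)."""
    name: str
    ip: Optional[str]             # primary IPv4 address, None if none configured
    vpn_instance: Optional[str]   # from ip binding vpn-instance; None = public network
    is_up: bool = True


def auto_select_vpn_router_id(interfaces: List[Interface], vpn: str) -> Optional[IPv4Address]:
    """router-id vpn-instance auto-select for one VPN instance IPv4 address family.

    Rule 1: among loopback interfaces bound to the instance and carrying an IP
    address, pick the numerically largest address.
    Rule 2: otherwise pick the largest address among the other bound
    interfaces, whether they are Up or Down.
    Addresses are compared as IPv4Address values, not as strings: a string
    comparison would rank 10.9.0.1 above 10.10.0.1.
    """
    bound = [i for i in interfaces if i.vpn_instance == vpn and i.ip is not None]
    loopbacks = [IPv4Address(i.ip) for i in bound if i.name.lower().startswith("loopback")]
    if loopbacks:
        return max(loopbacks)
    others = [IPv4Address(i.ip) for i in bound]   # interface state is deliberately ignored
    return max(others) if others else None


def effective_router_id(interfaces: List[Interface], vpn: str,
                        bgp_router_id: str, setting: Optional[str] = None) -> IPv4Address:
    """Router ID a BGP VPN instance IPv4 address family ends up with.

    setting None          -> default: the BGP router ID is inherited
    setting "auto-select" -> the rule implemented above
    any other value       -> an explicitly configured router-id ipv4-address
    Falling back to the BGP router ID when auto-select finds no candidate is
    an assumption of this illustration; the guide does not describe that case.
    """
    if setting is None:
        return IPv4Address(bgp_router_id)
    if setting == "auto-select":
        return auto_select_vpn_router_id(interfaces, vpn) or IPv4Address(bgp_router_id)
    return IPv4Address(setting)


# Constructed interface table for one PE.
SAMPLE_INTERFACES = [
    Interface("LoopBack0", "10.255.0.1", None),                  # public network; BGP router ID
    Interface("LoopBack1", "10.9.0.1", "vpna"),
    Interface("LoopBack2", "10.10.0.1", "vpna"),                  # numerically the largest loopback
    Interface("GigabitEthernet0/0/1", "192.168.1.1", "vpna"),    # larger, but not a loopback
    Interface("GigabitEthernet0/0/2", "172.16.5.1", "vpnb", is_up=False),
    Interface("GigabitEthernet0/0/3", "172.16.1.1", "vpnb"),
    Interface("GigabitEthernet0/0/4", None, "vpnb"),             # no address: never a candidate
]

if __name__ == "__main__":
    for vpn in ("vpna", "vpnb", "vpnc"):
        print(vpn, effective_router_id(SAMPLE_INTERFACES, vpn, "10.255.0.1", "auto-select"))
```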
2.4.5 Configuring MP-IBGP Between PEs
By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.
Context
Perform the following steps on the PE that is connected to the CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The remote PE is specified as the peer.
Step 4 Run:
peer ipv4-address connect-interface loopback interface-number
The interface used to set up the TCP connection is specified.
NOTE
The MP-IBGP peer relationship between PEs must be established using loopback interface addresses
with 32-bit masks, so that the tunnel can be iterated. The route to the loopback interface is
advertised to the remote PE by the IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4
The BGP VPNv4 sub-address family view is displayed.
Step 6 Run:
peer ipv4-address enable
The VPN IPv4 routing information can be exchanged between the peers.
----End
2.4.6 Configuring a Routing Protocol Between a PE and a CE
The routing protocol between a PE and a CE can be EBGP, IBGP, static route, RIP, OSPF, or
IS-IS. You can choose any of them as required in the configuration process.
Context
Select one of the following configurations as required:
- Configuring EBGP between a PE and a CE
- Configuring IBGP between a PE and a CE
- Configuring the static route between a PE and a CE
- Configuring RIP between a PE and a CE
- Configuring OSPF between a PE and a CE
- Configuring IS-IS between a PE and a CE
Procedure
- Configure EBGP between a PE and a CE.
  Perform the following steps on the PE:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP VPN instance IPv4 address family view is displayed.
  4. (Optional) Run:
     as-number as-number
     An AS number for the VPN instance IPv4 address family is specified.
     During network transfer or service identification, a device may need to act logically as multiple BGP devices. In this case, run the as-number command to configure an AS number for each VPN instance IPv4 address family.
     NOTE
     The AS number configured in the BGP-VPN instance IPv4 address family view cannot be the same as the AS number configured in the BGP view.
  5. Run:
     peer ipv4-address as-number as-number
     The CE is specified as the peer of the VPN.
  6. (Optional) Run:
     peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
     The maximum number of hops is configured for the EBGP connection.
     Generally, one or more directly connected physical links exist between EBGP peers. If no directly connected physical link is available, run the peer ebgp-max-hop command so that the TCP connection between the EBGP peers can be set up across multiple hops.
  7. (Optional) When the direct routes of the local CE need to be imported into the VPN routing table (to be advertised to the remote PE), choose either of the following configurations:
     - Run the import-route direct [ med med | route-policy route-policy-name ]* command to import the direct routes of the local CE into the VPN routing table.
     - Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ] command to import a specific direct route of the local CE into the VPN routing table.
     NOTE
     The PE automatically learns the direct route to the local CE, and this learned direct route has a higher priority than the direct route advertised by the local CE over EBGP. Therefore, if this step is not performed, the PE cannot advertise the direct route to the remote PE using MP-BGP.
  8. (Optional) Run:
     peer { group-name | ipv4-address } soo site-of-origin
     The Site of Origin (SoO) attribute is configured for the specified CE.
     When multiple CEs in a VPN site access different PEs, VPN routes sent from the CEs to the PEs may return to this VPN site after traveling through the backbone network, which may cause routing loops in the VPN site.
     After the SoO attribute is configured on a PE, the PE adds the SoO attribute to the routes received from the CE and advertises them to its other PE peers. Before advertising a VPN route to its connected CE, each PE peer checks the SoO attribute carried in the route. If the SoO attribute is the same as the locally configured SoO attribute, the PE peer does not advertise the VPN route to the connected CE.
  9. (Optional) Run:
     peer ip-address allow-as-loop [ number ]
     The loop is allowed.
     This step is optional and is used in the Hub and Spoke networking.
     Generally, BGP uses the AS number to detect loops. In the Hub and Spoke networking, however, if EBGP runs between the PE and CE at the Hub site, the Hub-PE carries the local AS number when advertising routes to the Hub-CE, so the PE denies the subsequent routing update from the Hub-CE. To ensure correct route transmission in the Hub and Spoke networking, configure all BGP peers along the path used by the Hub-CE to advertise private network routes to the Spoke-CE to accept routes in which the AS number is repeated once.
  10. (Optional) Run:
     peer ip-address substitute-as
     AS number substitution is enabled for BGP.
     This step is used in the networking scenario in which physically dispersed CEs use the same AS number. The configuration is performed on the PE.
     CAUTION
     In the case of a multi-homed CE, the BGP AS number substitution function may lead to routing loops.
     NOTE
     Compared with the BGP view, the BGP-VPN instance IPv4 address family view does not support the following commands:
     - BGP confederation: confederation
     - BGP graceful restart: graceful-restart
     - Router ID of BGP: router-id
     - Synchronization between BGP and IGP: synchronization
     - BGP timer: timer
  Perform the following steps on the CE:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     peer ipv4-address as-number as-number
     The PE is specified as the peer of the VPN.
  4. (Optional) Run:
     peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
     The maximum number of hops is configured for the EBGP connection.
     Generally, one or more directly connected physical links exist between a pair of EBGP peers. If not, run the peer ebgp-max-hop command so that the TCP connection between the EBGP peers can be set up across multiple hops.
  5. Run:
     import-route { direct | static | rip process-id | ospf process-id | isis process-id } [ med med | route-policy route-policy-name ]*
     Routes of the local site are imported.
     The CE must advertise the reachable VPN segment addresses to the attached PE, which advertises them on to the remote CEs. The types of routes to be imported vary with the application.
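The three PE-side checks described in steps 8 to 10 of the EBGP procedure above (SoO filtering, allow-as-loop and AS number substitution), as an added Python simulation that is not part of this guide or of the AR1200 software. The route model, AS numbers (100 for the PEs, 6500x for the CEs), prefixes and SoO values are constructed for the illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class VpnRoute:
    """Constructed model of a VPN route as a PE handles it."""
    prefix: str
    as_path: List[int]            # leftmost entry is the most recently added AS
    soo: Optional[str] = None     # Site of Origin extended community, e.g. "100:1"


@dataclass(frozen=True)
class CePeer:
    """Per-CE settings from the BGP-VPN instance IPv4 address family view."""
    ce_as: int
    soo: Optional[str] = None     # peer ... soo site-of-origin
    allow_as_loop: int = 0        # peer ... allow-as-loop [ number ]; 0 = not configured
    substitute_as: bool = False   # peer ... substitute-as


def receive_from_ce(route: VpnRoute, peer: CePeer, local_as: int) -> Optional[VpnRoute]:
    """PE processing of an EBGP UPDATE received from a CE.

    Default loop detection rejects a route whose AS_PATH already carries the
    local AS. allow-as-loop permits up to `allow_as_loop` repetitions, which
    is what the Hub-PE needs when the Hub-CE hands routes back to it.
    An accepted route is tagged with the SoO configured for this CE peer.
    """
    if route.as_path.count(local_as) > peer.allow_as_loop:
        return None
    return replace(route, soo=peer.soo if peer.soo is not None else route.soo)


def advertise_to_ce(route: VpnRoute, peer: CePeer, local_as: int) -> Optional[VpnRoute]:
    """PE processing before sending a VPN route to a CE over EBGP.

    SoO check: a route carrying the SoO configured for this CE originated at
    the same site, so it is not sent back (multi-homed site loop prevention).
    substitute-as: the CE's AS in the path is rewritten to the local AS so a
    CE at another site using the same AS number does not drop the route.
    The PE then prepends its own AS, as any EBGP speaker does.
    """
    if peer.soo is not None and route.soo == peer.soo:
        return None
    path = list(route.as_path)
    if peer.substitute_as:
        path = [local_as if asn == peer.ce_as else asn for asn in path]
    return replace(route, as_path=[local_as] + path)


def ce_accepts(route: VpnRoute, ce_as: int) -> bool:
    """Plain BGP loop check on a CE: drop any route already carrying its AS."""
    return ce_as not in route.as_path


def soo_scenario():
    """Site 1 is multi-homed to PE1 and PE2 (both AS 100); site 2 hangs off PE2."""
    local_as = 100
    site1_on_pe1 = CePeer(ce_as=65001, soo="100:1")
    site1_on_pe2 = CePeer(ce_as=65001, soo="100:1")
    site2_on_pe2 = CePeer(ce_as=65002, soo="100:2")
    learned = receive_from_ce(VpnRoute("10.1.1.0/24", [65001]), site1_on_pe1, local_as)
    # MP-IBGP carries `learned`, SoO included, from PE1 to PE2 with AS_PATH unchanged.
    back_to_site1 = advertise_to_ce(learned, site1_on_pe2, local_as)   # suppressed
    to_site2 = advertise_to_ce(learned, site2_on_pe2, local_as)        # forwarded
    return learned.soo, back_to_site1, to_site2


def hub_spoke_scenario(allow_as_loop: int) -> Optional[VpnRoute]:
    """The Hub-CE (AS 65010) re-advertises to the Hub-PE (AS 100) a route the
    Hub-PE sent it, so AS 100 already appears once in the AS_PATH."""
    hub_ce = CePeer(ce_as=65010, allow_as_loop=allow_as_loop)
    returned = VpnRoute("10.2.2.0/24", [65010, 100, 65001])
    return receive_from_ce(returned, hub_ce, local_as=100)


def substitute_as_scenario(substitute: bool):
    """Two dispersed sites both use AS 65001; site A's route must reach site B's CE."""
    from_site_a = VpnRoute("10.3.3.0/24", [65001])
    site_b = CePeer(ce_as=65001, substitute_as=substitute)
    sent = advertise_to_ce(from_site_a, site_b, local_as=100)
    return sent.as_path, ce_accepts(sent, site_b.ce_as)
```

The last scenario also shows why the CAUTION in step 10 matters: after substitution the AS_PATH no longer identifies the originating site, so a multi-homed CE has no AS-based way to recognise its own route coming back.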
- Configure IBGP between a PE and a CE.
  Perform the following steps on the PE:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP-VPN instance IPv4 address family view is displayed.
  4. (Optional) Run:
     as-number as-number
     An AS number for the VPN instance IPv4 address family is specified.
     During network transfer or service identification, a device may need to act logically as multiple BGP devices. In this case, run the as-number command to configure an AS number for each VPN instance IPv4 address family.
     NOTE
     The AS number configured in the BGP-VPN instance IPv4 address family view cannot be the same as the AS number configured in the BGP view.
  5. Run:
     peer ipv4-address as-number as-number
     The CE is specified as the peer of the VPN.
  6. (Optional) When the direct routes of the local CE need to be imported into the VPN routing table (to be advertised to the remote PE), select either of the following configurations:
     - Run the import-route direct [ med med | route-policy route-policy-name ]* command to import the direct routes of the local CE into the VPN routing table.
     - Run the network ipv4-address [ mask | mask-length ] [ route-policy route-policy-name ] command to import a specific direct route of the local CE into the VPN routing table.
     NOTE
     The PE automatically learns the direct route to the local CE, and this route has a higher priority than the direct route advertised by IBGP. Therefore, if this step is not performed, the PE does not advertise the direct route to the remote PE using MP-BGP.
  Perform the following steps on the CE:
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     bgp as-number
     The BGP view is displayed.
  3. Run:
     peer ipv4-address as-number as-number
     The PE is specified as the IBGP peer.
  4. Run:
     import-route { direct | static | rip process-id | ospf process-id | isis process-id } [ med med | route-policy route-policy-name ]*
     Routes of the local CE site are imported.
     The CE advertises its VPN network segments to the connected PE, which then advertises them to the remote CEs. The type of route to be imported may vary with the networking mode.
- Configure the static route between a PE and a CE.
  Perform the following steps on the PE. The CE is configured with a static route; this is a common configuration and is not described here.
  NOTE
  For details, see the chapter "IP Static Route Configuration" in the Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } interface-type interface-number [ nexthop-address ] [ preference preference | tag tag ] *
     The static route is configured for the specified VPN instance IPv4 address family.
  3. Run:
     bgp as-number
     The BGP view is displayed.
  4. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP VPN instance IPv4 address family view is displayed.
  5. Run:
     import-route static [ med med | route-policy route-policy-name ]*
     The configured static route is imported into the routing table of the BGP VPN instance IPv4 address family.
- Configure RIP between a PE and a CE.
  Perform the following steps on the PE. The CE is configured with RIPv1 or RIPv2; this is a common configuration and is not described here.
  NOTE
  For details, see Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     rip process-id vpn-instance vpn-instance-name
     The RIP instance between the PE and the CE is created, and the RIP view is displayed.
     A RIP process belongs to only one VPN instance. If you start a RIP process without binding it to a VPN instance, the process is considered a public network process. A RIP process that belongs to the public network cannot be bound to a VPN instance.
  3. Run:
     network network-address
     RIP is configured on the network segment of the interface bound to the VPN instance.
  4. Run:
     import-route bgp [ cost { cost | transparent } | route-policy route-policy-name ]*
     The BGP routes are imported.
     After the import-route bgp command is run in the RIP view, the PE imports the VPN-IPv4 routes learned from the remote PE into RIP and advertises them to its CE.
  5. Run:
     quit
     Return to the system view.
  6. Run:
     bgp as-number
     The BGP view is displayed.
  7. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP VPN instance IPv4 address family view is displayed.
  8. Run:
     import-route rip process-id [ med med | route-policy route-policy-name ]*
     The RIP routes are imported into the routing table of the BGP VPN instance IPv4 address family.
     After the import-route rip command is run in the BGP VPN instance IPv4 address family view, the PE imports the VPN routes learned from its CE into BGP, forms VPN-IPv4 routes from them, and advertises them to the remote PE.
     NOTE
     After a VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all the associated RIP processes are deleted.
- Configure OSPF between a PE and a CE.
  Perform the following steps on the PE. The CE is configured with OSPF; this is a common configuration and is not described here.
  NOTE
  For details, see Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
     The OSPF instance between the PE and the CE is created, and the OSPF view is displayed.
     An OSPF process belongs to only one VPN instance. If you start an OSPF process without binding it to a VPN instance, the process is considered a public network process. An OSPF process that belongs to the public network cannot be bound to a VPN instance.
     OSPF processes bound to a VPN instance do not use the public network router ID configured in the system view. Specify the router ID when starting the OSPF process; otherwise, following the router ID selection rule, the IP address of one of the interfaces bound to the VPN instance is selected as the router ID of the OSPF process.
  3. (Optional) Run:
     domain-id domain-id [ secondary ]
     The domain ID is configured.
     The domain ID can be expressed as an integer or in dotted decimal notation.
     You can configure two domain IDs for each OSPF process. The domain IDs of different processes are independent of each other.
     There is no restriction on the domain IDs of OSPF processes in different VPNs on the PE. However, all the OSPF processes in one VPN should be configured with the same domain ID to ensure correct route advertisement.
     The domain ID of an OSPF process is carried in the routes generated by this process. When the OSPF routes are imported into BGP, the domain ID is added to the BGP VPN route and transmitted as a BGP extended community attribute.
     By default, the domain ID is 0.
  4. (Optional) Run:
     route-tag tag
     The VPN route tag is configured.
     By default, OSPF allocates the VPN route tag automatically according to the following rules:
     - If the BGP process is not started on the local device, the tag value is 0.
     - If the BGP process is started on the local device, the first two bytes of the tag value are fixed as 0xD000 and the last two bytes are the local AS number. That is, the tag value equals 3489660928 plus the local AS number.
  5. Run:
     import-route bgp [ cost cost | route-policy route-policy-name | tag tag | type type ] *
     The BGP routes are imported.
  6. Run:
     area area-id
     The OSPF area view is displayed.
  7. Run:
     network ip-address wildcard-mask
     OSPF is run on the network segment where the interface bound to the VPN instance resides.
     A network segment can belong to only one area, so you must specify the area to which each OSPF interface belongs.
     OSPF can run on an interface only if the following conditions are met:
     - The mask length of the IP address on the interface is equal to or longer than the wildcard-mask specified in the network command.
     - The primary IP address of the interface is located in the network segment specified in the network command.
     For a loopback interface, OSPF advertises the IP address of the loopback interface as a 32-bit host route by default, regardless of the mask length configured on the interface.
  8. Run:
     quit
     Return to the OSPF view.
  9. Run:
     quit
     Return to the system view.
  10. Run:
     bgp as-number
     The BGP view is displayed.
  11. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP VPN instance IPv4 address family view is displayed.
  12. Run:
     import-route ospf process-id [ med med | route-policy route-policy-name ]*
     The OSPF routes are imported into the routing table of the BGP VPN instance IPv4 address family.
     NOTE
     After a VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all related OSPF processes are deleted.
- Configure IS-IS between a PE and a CE.
  Perform the following steps on the PE. The CE is configured with IS-IS; this is a common configuration and is not described here.
  NOTE
  For details, see Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing.
  1. Run:
     system-view
     The system view is displayed.
  2. Run:
     isis process-id vpn-instance vpn-instance-name
     The IS-IS instance between the CE and the PE is created, and the IS-IS view is displayed.
     An IS-IS process belongs to only one VPN instance. If you start an IS-IS process without binding it to a VPN instance, the process is considered a public network process. An IS-IS process that belongs to the public network cannot be bound to a VPN instance.
  3. Run:
     network-entity net
     The Network Entity Title (NET) is configured.
     A NET defines the address of the current IS-IS area and the system ID of the router. A maximum of three NETs can be configured for one process on a router.
  4. (Optional) Run:
     is-level { level-1 | level-1-2 | level-2 }
     The level of the router is configured.
     By default, the level of a router is Level-1-2.
  5. Run:
     import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] *
     The BGP routes are imported.
  6. Run:
     quit
     Return to the system view.
  7. Run:
     interface interface-type interface-number
     The view of the interface bound to the VPN instance is displayed.
  8. Run:
     isis enable [ process-id ]
     IS-IS is enabled on the interface.
  9. Run:
     quit
     Return to the system view.
  10. Run:
     bgp as-number
     The BGP view is displayed.
  11. Run:
     ipv4-family vpn-instance vpn-instance-name
     The BGP VPN instance IPv4 address family view is displayed.
  12. Run:
     import-route isis process-id [ med med | route-policy route-policy-name ]*
     The IS-IS routes are imported into the routing table of the BGP VPN instance IPv4 address family.
     NOTE
     After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled, all IS-IS processes are deleted.
----End
2.4.7 Checking the Configuration
After configuring the basic BGP/MPLS IP VPN function, you can view IPv4 VPN information
about the local and remote sites on the PE or the CE.
Prerequisite
The basic BGP/MPLS IP VPN function configurations are complete.
Procedure
- Run the display ip routing-table vpn-instance vpn-instance-name command to check routing information about the specified VPN instance IPv4 address family on the PE.
- Run the display ip routing-table command to check routing information on the CE.
- Run the display ip vpn-instance [ vpn-instance-name ] interface command to check information about the interface to which a specific VPN instance is bound.
----End
Example
Run the display ip routing-table vpn-instance vpn-instance-name command. If the VPN routes
related to the CE are displayed, it means the configuration succeeded.
Run the display ip routing-table command. If the routes to the peer CE are displayed on the
CE, it means the configuration succeeded.
Run the display ip vpn-instance [ vpn-instance-name ] interface command on the PE. If the
interface bound to a VPN instance is displayed, it means that the configuration succeeded.
2.5 Configuring Hub and Spoke
In the Hub and Spoke networking, an access control device is specified in the VPN, and users
communicate with each other through the access control device.
2.5.1 Establishing the Configuration Task
Before configuring Hub and Spoke networking, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If all the users are required to access a central access control device, the Hub and Spoke
networking is adopted. In a Hub and Spoke network, all the Spoke stations communicate
through the Hub station.
Pre-configuration Task
Before configuring Hub and Spoke, complete the following tasks:
- Configuring IGP on PE devices and P devices in the MPLS backbone network
- Configuring basic MPLS capability on PE devices and P devices in the MPLS backbone network
- Configuring the IP addresses, through which the CE devices access the PE devices, on the CE devices
Data Preparation
Before configuring Hub and Spoke, you need the following data.
No.  Data
1    Data for configuring a VPN instance:
     - Name of the VPN instance
     - (Optional) Description of the VPN instance
     - RD and VPN target attributes of the VPN instance IPv4 address family
     - (Optional) Routing policy
     - (Optional) Maximum number of routes permitted in the VPN instance IPv4 address family
2    IP addresses through which the CE devices access the PE devices
3    Data for route configuration (static route, RIP, OSPF, IS-IS, or EBGP) between Hub-PE and Hub-CE, and between Spoke-PE and Spoke-CE
2.5.2 Creating a VPN Instance
This section describes how to configure a VPN instance to manage VPN routes.
Context
Configure the VPN instance on each Spoke-PE and Hub-PE.
Every Spoke-PE is configured with a VPN instance, while each Hub-PE is configured with the
following two VPN instances:
- VPN-in: receives and maintains all the VPNv4 routes advertised by all the Spoke-PEs.
- VPN-out: maintains the routes of all the Hub stations and Spoke stations and advertises them to all the Spoke-PEs.
NOTE
- Different VPN instances on a device have different names, RDs, and descriptions.
- Performing either Step 6 or Step 7 is recommended.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip vpn-instance vpn-instance-name
The VPN instance is created and the VPN instance view is displayed.
The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered
different VPN instances.
Step 3 (Optional) Run:
description description-information
The description about the VPN instance is configured.
The description can be used to record the relationship between a VPN instance and a VPN.
Step 4 Run:
ipv4-family
The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address
family view is displayed.
Step 5 Run:
route-distinguisher route-distinguisher
The RD of the VPN instance is configured.
A VPN instance takes effect only after the RD is configured. Before the RD is configured, only the
description of the VPN instance can be configured.
Step 6 (Optional) Run:
apply-label per-instance
Labels are allocated per VPN instance IPv4 address family, that is, all the routes in a VPN
instance IPv4 address family share the same label.
MPLS labels are generally allocated in the "one label per route" manner. The AR1200 additionally
supports label allocation per VPN instance IPv4 address family, in which all the routes of the
address family share one label.
Step 7 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance IPv4 address family is configured.
You can define the maximum number of routes for a VPN instance IPv4 address family to avoid
importing excessive routes.
NOTE
If the routing-table limit command is run, the system gives a prompt when the number of routes injected
into the routing table of the VPN instance IPv4 address family exceeds the upper limit. If the routing-table
limit command is then run to increase the maximum number of routes supported in a VPN instance IPv4 address
family, or the undo routing-table limit command is run to remove the limit, the excess routes are handled
as follows:
- Excess static routes must be reconfigured manually.
- Excess routes learned from CEs through an IGP multi-instance routing protocol require the multi-instance
  process of that routing protocol to be restarted on the PE.
- Remote cross routes learned through MP-IBGP and BGP routes learned from CEs are refreshed automatically
  by the system.
Step 8 (Optional) Run:
prefix limit number { alert-percent [ route-unchanged ] | simply-alert }
The maximum number of prefixes of the VPN instance IPv4 address family is configured.
You can define the maximum number of prefixes for a VPN instance IPv4 address family to
avoid importing excessive prefixes.
Step 9 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
----End
2.5.3 Configuring Route Attributes of the VPN Instance
This section describes how to configure the VPN target to control route advertisement and
acceptance.
Procedure
l Configuring Hub-PE
1. Run:
system-view
The system view is displayed.
2. Run:
ip vpn-instance vpn-instance-name1
The VPN instance view of the VPN-in is displayed.
3. Run:
ipv4-family
The VPN instance IPv4 address family view is displayed.
4. Run:
vpn-target vpn-target1 &<1-8> import-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to import the IPv4 routes advertised by all the Spoke-PEs.
vpn-target1 lists the Export VPN targets advertised by all the Spoke-PEs.
5. (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
6. (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
7. Run:
quit
Return to the system view.
8. Run:
ip vpn-instance vpn-instance-name2
The VPN instance view of the VPN-out is displayed.
9. Run:
ipv4-family
The VPN instance IPv4 address family view is displayed.
10. Run:
vpn-target vpn-target2 &<1-8> export-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to advertise the routes of all the Hubs and Spokes.
vpn-target2 lists the Import VPN targets advertised by all the Spoke-PEs.
11. (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
12. (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
l Configuring Spoke-PE
1. Run:
system-view
The system view is displayed.
2. Run:
ip vpn-instance vpn-instance-name1
The VPN instance view of the VPN-in is displayed.
3. Run:
ipv4-family
The VPN instance IPv4 address family view is displayed.
4. Run:
vpn-target vpn-target2 &<1-8> import-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to import the IPv4 routes advertised by all the Hub-PEs.
vpn-target2 should be included in the export VPN target list of the Hub-PE.
5. Run:
vpn-target vpn-target1 &<1-8> export-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is
created to advertise the IPv4 routes of the stations that the Spoke-PE accesses.
vpn-target1 should be included in the import VPN target list of the Hub-PE.
6. (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
7. (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
----End
2.5.4 Binding an Interface with the VPN Instance
Binding an interface to a VPN instance turns it into a VPN interface. Packets that pass
through the interface are then forwarded according to the forwarding information of the VPN
instance, and Layer 3 attributes configured on the interface, such as the IP address and
routing protocol, are deleted. Re-configure these Layer 3 attributes if they are still required.
Context
The configuration on the Hub-PE involves two interfaces or sub-interfaces: one is bound with
the VPN-in and receives the routes advertised by the Spoke-PE; the other is bound with the
VPN-out and advertises the routes of the Hub and all the Spokes.
Perform the following steps on the Hub-PE and all the Spoke-PEs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface that is to be bound with the VPN instance is displayed.
Step 3 Run:
ip binding vpn-instance vpn-instance-name
The interface is bound with the VPN instance.
NOTE
Running the ip binding vpn-instance command on an interface deletes its Layer 3 attributes, such as
the IP address and routing protocol. If these Layer 3 attributes are still required, configure them again.
An interface cannot be bound to a VPN instance that is not enabled with an address family.
Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and
routing protocol of the interface bound to the VPN instance. Disabling all the address families of a VPN
instance unbinds all the bound interfaces from the VPN instance.
Step 4 Run:
ip address ip-address { mask | mask-length }
The IP address is configured.
----End
2.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE
By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between PEs.
Context
The Hub-PE must set up the MP-IBGP peer with all the Spoke-PEs. Spoke-PEs do not need to
set up the MP-IBGP peer between each other.
Perform the following steps on the Hub-PE and Spoke-PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The remote PE is specified as the peer.
Step 4 Run:
peer ipv4-address connect-interface loopback interface-number
The interface to set up the TCP connection is specified.
NOTE
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 address family view is displayed.
Step 6 Run:
peer ipv4-address enable
The VPN IPv4 routing information is exchanged between the peers.
----End
2.5.6 Configuring Route Exchange Between PE and CE
The routing protocol between a PE and a CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.
Context
The Hub-PE and the Hub-CE can exchange routes in the following ways.
Procedure
l Configuring EBGP between the Hub-PE and Hub-CE
In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.
To set up the EBGP peer between the Hub-PE and the Hub-CE and between the Spoke-PE
and Spoke-CE, perform the following steps on the Hub-PE:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed.
4. Run:
peer ip-address allow-as-loop [ number ]
Routing loops are allowed. Here, number is set to 1, which means that a route in which the
AS number is repeated once can be sent.
l Configuring IGP between the Hub-PE and Hub-CE
In this way, IGP or static routes, instead of BGP, are adopted between the Spoke-PE and
the Spoke-CE. For details, refer to the chapter "BGP/MPLS IP VPN" in the Huawei AR1200
Series Enterprise Routers Feature Description - VPN.
l Configuring static routes between the Hub-PE and the Hub-CE
In this way, EBGP, IGP, or static routes can be adopted between the Spoke-PE and the
Spoke-CE.
If the Hub-CE uses the default route to access the Hub-PE, to advertise the default route to
all the Spoke-PEs, perform the following steps on the Hub-PE:
1. Run:
system-view
The system view is displayed.
2. Run:
ip route-static vpn-instance vpn-instance-name 0.0.0.0 0.0.0.0 nexthop-address [ preference preference | tag tag ]* [ description text ]
Here, vpn-instance-name refers to the VPN-out. nexthop-address is the IP address of
the Hub-CE interface that is connected with the PE interface bound with the VPN-out.
3. Run:
bgp as-number
The BGP view is displayed.
4. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed. vpn-instance-name
refers to the VPN-out.
5. Run:
network 0.0.0.0 0
Advertise the default route to all the Spoke-PEs through MP-BGP.
----End
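The Hub-and-Spoke VPN target exchange of 2.5.3 and the allow-as-loop check of 2.5.6, as an added Python model that is not part of this guide and not Huawei code. Instance names, AS numbers, prefixes and VPN target values are constructed, and every VPNv4 route is offered to every instance so that the RT import filter alone, not the MP-IBGP peering topology, decides what each instance accepts.

```python
"""Hub-and-Spoke VPN target exchange (2.5.3) and the Hub-PE AS-loop check (2.5.6).

Added example, not Huawei code: a model of the default VPN target (RT) import
filtering of a PE and of EBGP AS-path loop detection on the Hub-PE VPN-out.
Instance names, AS numbers, prefixes and VPN target values are constructed:
  vpn-target1 = "100:1"  Spoke export       / Hub VPN-in import
  vpn-target2 = "100:2"  Hub VPN-out export / Spoke import
"""
from dataclasses import dataclass, field

RT_SPOKE_EXPORT = "100:1"   # vpn-target1 in the procedure (constructed value)
RT_HUB_EXPORT = "100:2"     # vpn-target2 in the procedure (constructed value)
PE_AS = 100                 # backbone AS shared by Hub-PE and Spoke-PEs (constructed)
HUB_CE_AS = 65000           # EBGP AS of the Hub-CE (constructed)


@dataclass(frozen=True)
class Vpnv4Route:
    prefix: str
    rts: frozenset          # export-extcommunity attached on advertisement
    as_path: tuple = ()     # leftmost element is the most recently added AS


@dataclass
class VpnInstance:
    name: str
    import_rts: set = field(default_factory=set)
    export_rts: set = field(default_factory=set)
    table: dict = field(default_factory=dict)   # prefix -> Vpnv4Route

    def advertise(self):
        """MP-IBGP export: stamp every table entry with the export VPN targets."""
        return [Vpnv4Route(p, frozenset(self.export_rts), self.table[p].as_path)
                for p in sorted(self.table)]

    def accept(self, route):
        """Default PE behaviour: a VPNv4 route is kept only if it carries an imported RT.

        A prefix already in the table (locally learned) is kept in preference
        to the imported copy; this simplifies BGP best-path selection.
        """
        if not (route.rts & self.import_rts):
            return False
        self.table.setdefault(route.prefix, route)
        return True


def hub_ce_relay(vpn_in, vpn_out, allow_as_loop):
    """Hub-CE learns the VPN-in routes over EBGP and re-advertises them into VPN-out.

    Each EBGP hop prepends an AS, so a route comes back to the Hub-PE already
    carrying PE_AS once; without 'peer ... allow-as-loop 1' BGP loop detection
    drops it. Returns the prefixes that were dropped.
    """
    dropped = []
    for prefix, route in vpn_in.table.items():
        path = (HUB_CE_AS, PE_AS) + route.as_path   # Hub-PE -> Hub-CE -> Hub-PE
        if path.count(PE_AS) > allow_as_loop:
            dropped.append(prefix)
            continue
        vpn_out.table[prefix] = Vpnv4Route(prefix, frozenset(), path)
    return dropped


def run_exchange(allow_as_loop=1):
    """Run one full exchange; return ({name: VpnInstance}, prefixes dropped by the loop check)."""
    vpn_in = VpnInstance("vpn-in", import_rts={RT_SPOKE_EXPORT})
    vpn_out = VpnInstance("vpn-out", export_rts={RT_HUB_EXPORT})
    spoke1 = VpnInstance("spoke1", {RT_HUB_EXPORT}, {RT_SPOKE_EXPORT})
    spoke2 = VpnInstance("spoke2", {RT_HUB_EXPORT}, {RT_SPOKE_EXPORT})
    # CE-originated prefixes (constructed); each CE is its own EBGP AS.
    spoke1.table["10.1.0.0/16"] = Vpnv4Route("10.1.0.0/16", frozenset(), (65001,))
    spoke2.table["10.2.0.0/16"] = Vpnv4Route("10.2.0.0/16", frozenset(), (65002,))
    vpn_out.table["10.0.0.0/16"] = Vpnv4Route("10.0.0.0/16", frozenset(), (HUB_CE_AS,))
    everyone = [vpn_in, vpn_out, spoke1, spoke2]

    # 1. Spoke-PEs advertise with RT 100:1. Only VPN-in imports it; a Spoke
    #    never accepts another Spoke's route directly.
    for src in (spoke1, spoke2):
        for route in src.advertise():
            for dst in everyone:
                if dst is not src:
                    dst.accept(route)
    # 2. Hub-CE relays VPN-in routes into VPN-out (EBGP, AS-loop check).
    dropped = hub_ce_relay(vpn_in, vpn_out, allow_as_loop)
    # 3. VPN-out advertises Hub and Spoke routes with RT 100:2; only the Spokes import it.
    for route in vpn_out.advertise():
        for dst in everyone:
            if dst is not vpn_out:
                dst.accept(route)
    return {inst.name: inst for inst in everyone}, sorted(dropped)
```

With allow_as_loop=0 the Spoke routes relayed by the Hub-CE are dropped on the Hub-PE, so each Spoke sees only the Hub site and itself.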
Follow-up Procedure
Choose one of the preceding methods as required. For detailed configurations, see Configuring
a Routing Protocol Between PE and CE.
2.5.7 Checking the Configuration
After Hub and Spoke networking is configured, you can view VPN routing information on the
PE or CE.
Prerequisite
The configurations of the Hub and Spoke function are complete.
Procedure
l Run the display ip routing-table vpn-instance vpn-instance-name command to check
routing information about the VPN-in and VPN-out on the Hub-PE.
l Run the display ip routing-table command to check routing information on the Hub-CE
and all the Spoke-CEs.
----End
Example
Run the preceding commands. If the VPN-in routing table has routes to all the Spoke stations,
and the VPN-out routing table has routes to the Hub and all the Spoke stations, it means the
configuration is successful.
Additionally, the Hub-CE and all the Spoke-CEs have routes to the Hub and all the Spoke
stations.
2.6 Configuring Inter-AS VPN Option A
In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes
to the peer ASBR through EBGP.
2.6.1 Establishing the Configuration Task
Before configuring inter-AS VPN OptionA, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If the MPLS backbone network bearing the VPN routes is across multiple ASs, configure the
Inter-AS VPNs.
Inter-AS VPN Option A is easy to implement and is suitable when the number of VPNs and
VPN routes on the PE is small.
In Option A, the Autonomous System Boundary Routers (ASBRs) must support VPN
instances and be able to manage VPN routes. In addition, the ASBRs must reserve dedicated
interfaces, either sub-interfaces or physical interfaces, for each inter-AS VPN. Option A
therefore places high performance demands on the ASBRs. No inter-AS configuration is needed on the ASBRs.
Pre-configuration Tasks
Before configuring inter-AS VPN Option A, complete the following tasks:
l Configuring IGP for MPLS backbone networks in each AS to keep IP connectivity of the
backbones in one AS
l Enabling MPLS and MPLS LDP on the PE and the ASBR
l Setting up the tunnel (LSP or GRE) between the PE and the ASBR in the same AS
l Configuring the IP address of the CE interface through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option A, you need the following data:
No. Data
1 Data for configuring a VPN instance on the PE and ASBR:
l Name of the VPN instance
l (Optional) Description of the VPN instance
l RD, VPN target attribute of the VPN instance IPv4 address families
l (Optional) Routing policy
l (Optional) Tunnel policy
l (Optional) Maximum number of routes permitted in the VPN instance IPv4
address families
2 IP address of the PE interface connected with the CE
3 AS number of the PE
4 IP addresses of the interfaces connecting the ASBRs
5 Routing protocol configured between the PE and CE: static routes, RIP, OSPF, IS-IS and BGP
6 IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
2.6.2 Establishing Inter-AS VPN Option A
The VPN instance configured on a PE is used to access a CE, and the VPN instance configured
on an ASBR is used to access the peer ASBR.
Context
Inter-AS VPN Option A is easy to deploy. When the amount of the VPNs and the VPN routes
on the PE is small, this solution can be adopted.
The inter-AS VPN Option A configurations are as follows:
Procedure
Step 1 2.4 Configuring Basic BGP/MPLS IP VPN on each AS
Step 2 Configuring ASBR by considering the peer ASBR as its CE
Step 3 Configuring VPN instances for the PE and the ASBR separately
The VPN instance for PE is used to access CE; that for ASBR is used to access its peer ASBR.
NOTE
In inter-AS VPN Option A mode, for the same VPN, the VPN targets of ASBR and the PE VPN instance
must be matched in an AS. This is not required for the PEs in different ASs.
----End
2.6.3 Checking the Configuration
After configuring inter-AS VPN Option A, you can view information about all the BGP peer
relationships and IPv4 VPN routes on PEs or ASBRs.
Prerequisite
The configurations of the inter-AS VPN Option A function are complete.
Procedure
l Run the display bgp vpnv4 all peer command to check information about the BGP peers
on the PE or ASBR.
l Run the display bgp vpnv4 all routing-table command to check the IPv4 VPN routes on
the PE or ASBR.
l Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE or ASBR.
----End
Example
After the successful configuration, run the display bgp vpnv4 all peer command on the PE or
ASBR, and you can view that the BGP VPNv4 peer relationship between the ASBR and PE in
the same AS is "Established".
Run the display bgp vpnv4 all routing-table command on the PE or the ASBR, and you can
view the VPNv4 routes on the ASBR.
Run the display ip routing-table vpn-instance command on the PE or ASBR, and you can view
all the relevant routes in the VPN routing table.
2.7 Configuring Inter-AS VPN Option B
In inter-AS VPN Option B through MP-EBGP, two ASBRs receive VPNv4 routes from PEs in
their respective ASs and exchange the VPNv4 routes with each other.
2.7.1 Establishing the Configuration Task
Before configuring inter-AS VPN OptionB, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If the MPLS backbone network bearing VPN routes crosses multiple ASs, an inter-AS VPN is
needed. If the ASBR can manage VPN routes but does not have enough interfaces for each inter-AS
VPN, inter-AS VPN Option B is adopted. In this option, the ASBR is involved in
maintaining and advertising VPN IPv4 routes.
Pre-configuration Tasks
Before configuring inter-AS VPN Option B, complete the following tasks:
l Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
l Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
l Configuring VPN Instances on the PE devices connected with the CE devices and
Binding an Interface with a VPN Instance
l Configuring the IP addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option B, you need the following data.
No. Data
1 Data for configuring a VPN instance on the PE:
l Name of the VPN instance
l (Optional) Description of the VPN instance
l RD, VPN target attribute of the VPN instance IPv4 address families
l (Optional) Routing policy for controlling the import and export of VPN routes
l (Optional) Maximum number of routes permitted in the VPN instance IPv4
address families
2 IP address of the PE interface connected with the CE
3 AS number of the PE
4 IP addresses of the interfaces connecting the ASBRs
5 Routing protocol configured between the PE and CE: static routes, RIP, OSPF, IS-IS
and BGP
6 IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
2.7.2 Configuring MP-IBGP Between PEs and ASBRs in the Same AS
By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes
between the PE and the ASBR.
Context
Perform the following steps on the PE and ASBR in the same AS.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The peer ASBR is specified as the IBGP peer.
Step 4 Run:
peer ipv4-address connect-interface loopback interface-number
The loopback interface is specified as the outgoing interface of the BGP session.
NOTE
The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer
relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback
interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Step 5 Run:
ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family is displayed.
Step 6 Run:
peer ipv4-address enable
The exchange of IPv4 VPN routes between the PE and ASBR in the same AS is enabled.
----End
2.7.3 Configuring MP-EBGP Between ASBRs in Different ASs
After the MP-EBGP peer relationship is established between ASBRs, either ASBR can advertise
the VPNv4 routes of its AS to the other ASBR.
Context
Perform the following steps on the ASBR.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The view of the interface connected with the ASBR interface is displayed.
Step 3 Run:
ip address ip-address { mask | mask-length }
The interface IP address is configured.
Step 4 Run:
mpls
The MPLS capability is enabled.
Step 5 Run:
quit
Return to the system view.
Step 6 Run:
bgp as-number
The BGP view is displayed.
Step 7 Run:
peer ipv4-address as-number as-number
The peer ASBR is specified as the EBGP peer.
Step 8 (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops is configured for the EBGP connection.
Generally, one or multiple directly connected physical links exist between EBGP peers. If the
directly connected physical link(s) are not available, run the peer ebgp-max-hop command to
ensure that the TCP connection can be set up between the EBGP peers through multiple hops.
Step 9 Run:
ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family is displayed.
Step 10 Run:
peer ipv4-address enable
The exchange of IPv4 VPN routes with the peer ASBR is enabled.
----End
2.7.4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies
An ASBR can either save all VPNv4 routes or partial VPNv4 routes (by filtering VPN targets
through a routing policy).
Context
The following describes two methods for controlling the receiving and sending of VPN routes:
l Without VPN Target Filtering
Without the filtering method, the ASBR stores all the VPN IPv4 routes.
l VPN Target Filtering
With the filtering method, the ASBR stores partial VPN IPv4 routes through routing
policies.
In practical applications, only one of the preceding methods is selected.
Procedure
l Without VPN Target Filtering
Perform the following steps on the ASBR:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family is displayed.
4. Run:
undo policy vpn-target
The VPN IPv4 routes are not filtered by the VPN target.
By default, the PE performs VPN target filtering on the received IPv4 VPN routes.
The routes passing the filter are added to the routing table, and the others are discarded.
If the PE is not configured with a VPN instance, or the VPN instance is not configured
with the VPN target, the PE discards all the received VPN IPv4 routes.
In the Inter-AS VPN Option B mode, if the ASBR does not store information about
the VPN instance, the ASBR must save all the VPNv4 routing information and
advertise it to the peer ASBR. In this case, the ASBR should receive all the VPNv4
routing information without the VPN target filtering.
l VPN Target Filtering
Perform the following steps on the ASBR:
1. Run:
system-view
The system view is displayed.
2. Run:
ip extcommunity-filter { basic-extcomm-filter-num | basic basic-extcomm-filter-name | advanced-extcomm-filter-num | advanced advanced-extcomm-filter-name } { permit | deny } { rt { as-number:nn | ipv4-address:nn } } &<1-16>
The extended community filter is configured.
3. Run:
route-policy route-policy-name permit node node
The routing policy is configured.
4. Run:
if-match extcommunity-filter { { basic-extcomm-filter-num | advanced-extcomm-filter-num } &<1-16> | advanced-extcomm-filter-name | basic-extcomm-filter-name }
A matching rule based on the extended community filter is configured.
5. Run:
quit
Return to the system view.
6. Run:
bgp as-number
The BGP view is displayed.
7. Run:
ipv4-family vpnv4 [ unicast ]
The BGP-VPNv4 address family is displayed.
8. Run:
peer ipv4-address route-policy route-policy-name { export | import }
The routing policy is applied to control the VPN IPv4 routing information.
----End
2.7.5 (Optional) Storing Information About the VPN Instance on the ASBR
If VPNv4 routes need to be sent and received on an ASBR, you can configure the relevant VPN
instance on the ASBR.
Context
If the VPN receives and sends the VPNv4 routing information through the ASBR, configure the
corresponding instance on the ASBR. Otherwise, the instance is not needed.
Perform the following steps on the ASBR.
NOTE
Performing either Step 5 or Step 6 is recommended.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip vpn-instance vpn-instance-name
A VPN instance is created and the VPN instance view is displayed.
Step 3 Run:
ipv4-family
The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address
family view is displayed.
Step 4 Run:
route-distinguisher route-distinguisher
The RD of the VPN instance IPv4 address family is configured.
Step 5 Run:
vpn-target vpn-target &<1-8> import-extcommunity
The VPN target extended community for the VPN instance IPv4 address family is created.
For the same VPN in the inter-AS VPN Option B mode, the VPN targets of the ASBR and PE
in an AS should match each other.
The VPN targets of the PE in different ASs must also match each other.
Step 6 (Optional) Run:
apply-label per-instance
The MPLS label is allocated based on the VPN instance IPv4 address family, which ensures that
all the routes in a VPN instance use the same MPLS label.
Step 7 (Optional) Run:
routing-table limit number { alert-percent | simply-alert }
The maximum number of routes of the VPN instance IPv4 address family is configured.
Step 8 (Optional) Run:
prefix limit number { alert-percent [ route-unchanged ] | simply-alert }
The maximum number of prefixes of the VPN instance IPv4 address family is configured.
Step 9 (Optional) Run:
limit-log-interval interval
The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Step 10 (Optional) Run:
import route-policy policy-name
The import routing policy of the VPN instance IPv4 address family is configured.
Step 11 (Optional) Run:
export route-policy policy-name
The export routing policy of the VPN instance IPv4 address family is configured.
----End
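The two methods of 2.7.4 (no VPN target filtering versus a peer import route-policy built from extended community filters) and the VPN instance of 2.7.5, modelled in an added Python example that is not Huawei code. Filter numbers, policy names, prefixes and RT values are constructed; the route-policy evaluation order is an assumption stated in the code; and the deny node goes beyond the permit-only route-policy step shown in 2.7.4.

```python
"""Which VPNv4 routes an ASBR keeps in inter-AS Option B (2.7.4 and 2.7.5).

Added example, not Huawei code. It models the default VPN target check,
'undo policy vpn-target', a VPN instance stored on the ASBR, and a peer
import route-policy that references extended community filters. Filter
numbers, policy names, prefixes and RT values are constructed.
Assumptions: each filter entry lists a single rt value; route-policy nodes
are tried in ascending node order and the first node whose if-match clauses
all match decides; a route that matches no node is filtered out.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vpnv4Route:
    prefix: str
    rts: frozenset      # VPN target extended communities carried by the route


@dataclass(frozen=True)
class ExtcommFilter:
    """ip extcommunity-filter <num> { permit | deny } rt <as:nn>, one rt per entry."""
    entries: tuple      # ((action, rt), ...) in configuration order

    def permits(self, route):
        for action, rt in self.entries:
            if rt in route.rts:
                return action == "permit"
        return False    # no entry matched: implicit deny


@dataclass(frozen=True)
class PolicyNode:
    number: int
    action: str         # "permit" | "deny"
    filters: tuple      # if-match extcommunity-filter clauses; all must match


class RoutePolicy:
    """route-policy <name> { permit | deny } node <n>; applied with peer ... route-policy import."""

    def __init__(self, name, *nodes):
        self.name = name
        self.nodes = sorted(nodes, key=lambda n: n.number)

    def permits(self, route):
        for node in self.nodes:
            if all(f.permits(route) for f in node.filters):
                return node.action == "permit"
        return False    # no node matched: route is filtered out (assumption)


def asbr_keeps(routes, instance_import_rts=frozenset(), vpn_target_policy=True,
               import_policy=None):
    """Prefixes the ASBR installs from a batch of received VPNv4 routes.

    vpn_target_policy=True is the default check against the import RTs of the
    local VPN instances (none configured means everything is discarded);
    'undo policy vpn-target' corresponds to vpn_target_policy=False. A peer
    import route-policy, when given, is evaluated on every route that passed
    the first check (assumption about the order of the two checks).
    """
    kept = []
    for r in routes:
        if vpn_target_policy and not (r.rts & instance_import_rts):
            continue
        if import_policy is not None and not import_policy.permits(r):
            continue
        kept.append(r.prefix)
    return kept


# Constructed VPNv4 routes as received from the PEs of the local AS.
RECEIVED = [
    Vpnv4Route("10.1.1.0/24", frozenset({"100:1"})),
    Vpnv4Route("10.2.2.0/24", frozenset({"100:2"})),
    Vpnv4Route("10.3.3.0/24", frozenset({"100:2", "100:3"})),
    Vpnv4Route("10.4.4.0/24", frozenset({"200:9"})),
]

# ip extcommunity-filter 1 permit rt 100:1 / permit rt 100:2 ; filter 2 permit rt 100:3
FILTER_1 = ExtcommFilter((("permit", "100:1"), ("permit", "100:2")))
FILTER_2 = ExtcommFilter((("permit", "100:3"),))
# route-policy rp-asbr deny node 10   -> if-match extcommunity-filter 2
# route-policy rp-asbr permit node 20 -> if-match extcommunity-filter 1
RP_ASBR = RoutePolicy("rp-asbr",
                      PolicyNode(10, "deny", (FILTER_2,)),
                      PolicyNode(20, "permit", (FILTER_1,)))


def option_b_scenarios():
    """Return {scenario: kept prefixes} for the ASBR configurations of 2.7.4 and 2.7.5."""
    return {
        "default, no VPN instance on ASBR": asbr_keeps(RECEIVED),
        "undo policy vpn-target": asbr_keeps(RECEIVED, vpn_target_policy=False),
        "VPN instance on ASBR importing 100:2": asbr_keeps(RECEIVED, frozenset({"100:2"})),
        "peer route-policy rp-asbr import": asbr_keeps(RECEIVED, vpn_target_policy=False,
                                                       import_policy=RP_ASBR),
    }
```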
2.7.6 (Optional) Enabling Next-Hop-based Label Allocation on the ASBR
To save label resources on an ASBR, you can enable next-hop-based label allocation on the
ASBR. Note that next-hop-based label allocation and one label per instance need to be used
together on the ASBR.
Context
In a VPN Option B scenario, after next-hop-based label allocation is enabled on the ASBR, the
ASBR allocates only one label for the IPv4 VPN routes with the same next hop and outgoing
label. Compared with allocating a label for each IPv4 VPN route, next-hop-based label allocation
saves label resources.
Perform the following steps on the ASBR.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
ipv4-family vpnv4
The BGP VPNv4 view is displayed.
Step 4 Run:
apply-label per-nexthop
The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.
CAUTION
After next-hop-based label allocation is enabled or disabled, the label allocated by the ASBR
for a route changes, which leads to packet loss.
----End
2.7.7 Configuring the Routing Protocol Between CE and PE
The routing protocol between a PE and CE can be BGP, static route, or IGP. You can choose
any of them as required in the configuration process.
Procedure
Step 1 Choose one of the preceding methods as required. For detailed configurations, see 2.4.6
Configuring a Routing Protocol Between a PE and a CE.
----End
2.7.8 Checking the Configuration
After configuring inter-AS VPN Option B, you can view information about all the BGP peer
relationships and VPNv4 routes on PEs or ASBRs.
Prerequisite
The configurations of the inter-AS VPN Option B function are complete.
Procedure
l Run the display bgp vpnv4 all peer command to check information about all the
BGP peers on the PE or ASBR.
l Run the display bgp vpnv4 all routing-table command to check the VPN IPv4 routing
table on the PE or ASBR.
l Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE.
l Run the display mpls lsp command to check information about the LSP and label on the
ASBR.
----End
Example
Run the display bgp vpnv4 all routing-table command on the ASBR. If the VPN IPv4 routes
are displayed, the configuration is successful.
Run the display bgp vpnv4 all peer command on the PE or ASBR. If the status of the IBGP
peer between the PE and ASBR in the same AS is "Established", and the status of the EBGP
peer between ASBRs in the different AS is "Established", the configuration is successful.
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes are
displayed, the configuration is successful.
Run the display mpls lsp command on the ASBR. If information about the LSP and label is
displayed, the configuration succeeds. If next-hop-based label allocation is enabled on the
ASBR, only one label is allocated for the VPN routes with the same next hop and outgoing label.
2.8 Configuring Inter-AS VPN Option C
EBGP connections in multi-hop mode are established between PEs of different ASs to exchange
VPNv4 routes.
2.8.1 Establishing the Configuration Task
Before configuring inter-AS VPN OptionC, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If the MPLS backbone network bearing VPN routes crosses multiple ASs, the inter-AS VPN is
needed.
If each AS needs to exchange a large number of VPN routes, inter-AS VPN-Option C is a good
choice to prevent the ASBR from becoming a bottleneck that impedes network expansion. Two
solutions can be adopted to realize inter-AS VPN-Option C:
l Solution 1: After learning the labeled BGP routes of the public network in the remote AS
from the remote ASBR, the local ASBR allocates labels for these routes and advertises
these routes to the IBGP peer that supports the label switching capability. A complete LSP
is set up as a result.
l Solution 2: The IBGP peer relationship between the PE and ASBR is not needed. In this
solution, an ASBR learns the labeled public BGP routes of the remote AS from the peer
ASBR. Then these labeled public BGP routes are imported to IGP to trigger the
establishment of an LDP LSP. This process can establish a complete LDP LSP between
the two PEs.
Solution 1 is described here, and solution 2 is described in 2.9 Configuring Inter-AS VPN
Option C (Solution 2).
Pre-configuration Tasks
Before configuring inter-AS VPN Option C, complete the following tasks:
l Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the
backbones in one AS
l Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network
l Configuring the IBGP peer relationship between the PE and ASBR in the same AS
l 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the PE
devices connected with the CE devices and 2.4.3 Binding an Interface with a VPN
Instance
l Configuring the IP addresses of the CE interfaces through which the CE accesses the PE
Data Preparation
To configure inter-AS VPN Option C, you need the following data:
No. Data
1 Data for configuring a VPN instance on the PE and ASBR:
l Name of the VPN instance
l (Optional) Description of the VPN instance
l RD, VPN target attribute of the VPN instance IPv4 address families
l Routing policy for controlling the import and export of VPN routes
l (Optional) Maximum number of routes permitted in the VPN instance IPv4
address families
2 IP address of the PE interface connected with the CE
3 AS number of the PE
4 IP addresses of the interfaces connecting the ASBRs
5 Routing policy configured on the ASBR
6 Routing protocol configured between the PE and CE: static routes, RIP, OSPF, IS-IS, or BGP
7 IP addresses and interfaces setting up the IBGP peer between the PE and ASBR
NOTE
In inter-AS VPN-Option C, do not enable LDP between ASBRs.
If LDP is enabled on the interfaces between ASBRs, LDP sessions are then established between the ASBRs.
In this case, the ASBRs establish an egress LSP and send Mapping messages to the upstream ASBR. After
receiving Mapping messages, the upstream ASBR establishes a transit LSP. When there are high-volume
BGP routes, enabling LDP on the interfaces between ASBRs leads to the occupation of a large number of
LDP labels.
2.8.2 Enabling the Labeled IPv4 Route Exchange
In inter-AS VPN Option C, a BGP LSP needs to be established between ASs, and labeled IPv4
routes need to be exchanged between BGP peers.
Procedure
- Configuring the PE
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address label-route-capability
The exchange of labeled IPv4 routes with the ASBR in the same AS is enabled.
- Configuring the ASBR
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the interface connected with the peer ASBR is displayed.
3. Run:
ip address ip-address { mask | mask-length }
The interface IP address is configured.
4. Run:
mpls
The MPLS capability is enabled on the interface.
5. Run:
quit
Return to the system view.
6. Run:
bgp as-number
The BGP view is displayed.
7. Run:
peer ipv4-address label-route-capability
The exchange of labeled IPv4 routes with the PE in the same AS is enabled.
In the Option C solution, an inter-AS VPN LSP is established. The related PEs and ASBRs
exchange public network routes carrying MPLS labels.
The ASBR establishes a common EBGP peer relationship with the remote ASBR to
exchange labeled IPv4 routes.
The public network routes with MPLS labels are advertised by MP-BGP. According
to RFC 3107 (Carrying Label Information in BGP-4), the label mapping information
of a route is carried in BGP Update messages. This feature is implemented through
BGP extended attributes, which requires BGP peers to be able to process labeled IPv4 routes.
By default, BGP peers cannot process labeled IPv4 routes.
8. Run:
peer ipv4-address as-number as-number
The peer ASBR is specified as the EBGP peer.
9. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops is configured for the EBGP connection.
Generally, one or more directly connected physical links exist between EBGP
peers. If no directly connected physical link is available, run the peer ebgp-max-hop
command to ensure that the TCP connection can be set up between the EBGP
peers across multiple hops.
10. Run:
peer ipv4-address label-route-capability [ check-tunnel-reachable ]
The exchange of labeled IPv4 routes with the peer ASBR is enabled.
– If tunnel reachability checking is enabled, BGP advertises IPv4 unicast routes to
peers when the tunnels for the routes are unreachable and advertises labeled routes to peers
when the tunnels are reachable. This eliminates the risk of establishing an MP-EBGP
peer relationship between PEs over a faulty LSP, which would cause
data forwarding failures.
– If tunnel reachability checking is disabled, BGP advertises labeled routes to peers
whether the tunnels for the routes are reachable or not.
----End
2.8.3 Configuring a Routing Policy to Control Label Distribution
Configure a routing policy to control label allocation for the inter-AS BGP LSP. When labeled IPv4
routes are advertised to the PE in the local AS, new MPLS labels are allocated to these routes. When routes
received from the PE in the local AS are advertised to the peer ASBR, MPLS labels are allocated to these
routes.
Procedure
- Creating a routing policy
Perform the following steps on the ASBR:
1. Run:
system-view
The system view is displayed.
2. Run:
route-policy policy-name1 permit node node
The routing policy applied to routes advertised to the local PE is created.
For the labeled IPv4 routes received from the peer ASBR and sent to the PEs in the same
AS, this policy ensures that a new MPLS label is allocated.
3. Run:
if-match mpls-label
Labeled IPv4 routes are matched.
4. Run:
apply mpls-label
A label is allocated to each matched IPv4 route.
5. Run:
quit
Return to the system view.
6. Run:
route-policy policy-name2 permit node node
The routing policy applied to routes advertised to the peer ASBR is created.
For the labeled IPv4 routes received from the PE in the local AS and sent to the remote
ASBR, this policy ensures that a new MPLS label is allocated.
7. Run:
apply mpls-label
A label is allocated to each IPv4 route.
- Applying routing policies
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address route-policy policy-name1 export
The routing policy applied when routes are advertised to the local PE is configured.
4. Run:
peer ipv4-address route-policy policy-name2 export
The routing policy applied when routes are advertised to the peer ASBR is configured.
----End
2.8.4 Establishing the MP-EBGP Peer Between PEs
By introducing extended community attributes into BGP, MP-EBGP can advertise VPNv4 routes
between PEs. PEs in different ASs are generally not directly connected. Therefore, to set up the
EBGP connection between PEs in different ASs, configure the maximum number of hops permitted
between the PEs.
Procedure
- Configuring ASBRs
The address of the loopback interface that is used to set up the BGP session is advertised
to the peer ASBR and to the PEs in the other AS.
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
network ip-address [ mask | mask-length ] [ route-policy route-policy-name ]
The loopback address of the PE in the local AS is advertised to the remote ASBR.
- Configuring the PE
Perform the following steps on the PE that is connected to a CE:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address as-number as-number
The peer PE is specified as the EBGP peer.
4. Run:
peer ipv4-address ebgp-max-hop [ hop-count ]
The maximum number of hops for the EBGP peer is configured.
PEs in different ASs are generally not directly connected. To set up the EBGP peer
relationship between PEs in different ASs, configure the maximum number of hops between the PEs
and ensure that the PEs are reachable to each other.
5. Run:
ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 address family view is displayed.
6. Run:
peer ipv4-address enable
The exchange of VPN IPv4 routes with the peer PE is enabled.
- (Optional) Configuring a route reflector (RR)
If a route reflector (RR) is used to advertise VPNv4 routes, perform the following steps
on the RR:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 address family view is displayed.
4. Run:
peer ipv4-address enable
The exchange of VPN IPv4 routes with the peer RR is enabled.
5. Run:
peer ipv4-address next-hop-invariable
The next hop is kept unchanged when the route is advertised to the EBGP peer.
----End
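As an added worked example that is not part of the guide, here is the AS 100 side of Solution 1 as it would be entered on ASBR1 and PE1, pulling together 2.8.2 through 2.8.5 (AS 200 is configured symmetrically). All addresses, AS numbers, the interface name, the VPN instance name and the policy names are constructed; lines beginning with # are comments.

```text
# Inter-AS VPN Option C (Solution 1), AS 100 side -- constructed example.
# Constructed addresses: PE1 LoopBack0 1.1.1.9/32, ASBR1 LoopBack0 2.2.2.9/32,
# inter-ASBR link 192.1.1.1/24 (ASBR1) - 192.1.1.2/24 (ASBR2),
# PE2 LoopBack0 4.4.4.9/32, CE1 10.1.1.1 in AS 65410.
# VPN instance vpna, the IGP, LDP inside AS 100 and the loopback interfaces
# are assumed to exist already (pre-configuration tasks).
#
# ===== ASBR1 =====
system-view
# policy1 (2.8.3): labeled routes learned from ASBR2 get a fresh local
# label before they are sent to PE1, so PE1's LSP ends on this ASBR
route-policy policy1 permit node 1
 if-match mpls-label
 apply mpls-label
 quit
# policy2 (2.8.3): PE1's loopback route gets a label before it goes to ASBR2
route-policy policy2 permit node 1
 apply mpls-label
 quit
# MPLS on the inter-ASBR link; LDP is deliberately NOT enabled here (see NOTE)
interface GigabitEthernet2/0/0
 ip address 192.1.1.1 255.255.255.0
 mpls
 quit
bgp 100
 # IBGP to PE1 (pre-configuration task) plus labeled route exchange (2.8.2)
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack0
 peer 1.1.1.9 label-route-capability
 peer 1.1.1.9 route-policy policy1 export
 # EBGP to ASBR2 over the directly connected link, so no ebgp-max-hop needed;
 # check-tunnel-reachable: labeled routes are only sent while the tunnel is up
 peer 192.1.1.2 as-number 200
 peer 192.1.1.2 label-route-capability check-tunnel-reachable
 peer 192.1.1.2 route-policy policy2 export
 # 2.8.4: advertise PE1's loopback (from the IGP table) to ASBR2
 network 1.1.1.9 255.255.255.255
 quit
#
# ===== PE1 =====
system-view
bgp 100
 # IBGP to ASBR1 with labeled route exchange (2.8.2, PE side)
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack0
 peer 2.2.2.9 label-route-capability
 # MP-EBGP to PE2 (2.8.4); the PEs are several hops apart
 peer 4.4.4.9 as-number 200
 peer 4.4.4.9 connect-interface LoopBack0
 peer 4.4.4.9 ebgp-max-hop 10
 ipv4-family vpnv4
  peer 4.4.4.9 enable
  quit
 # CE side (2.8.5): CE1 as an EBGP peer inside the VPN instance
 ipv4-family vpn-instance vpna
  peer 10.1.1.1 as-number 65410
  quit
 quit
```

With this in place, display bgp routing-table label on ASBR1 should list 4.4.4.9/32 with both the label received from ASBR2 and the label allocated by policy1, and display bgp vpnv4 all peer on PE1 should show 4.4.4.9 as Established.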
2.8.5 Configuring the Route Exchange Between CE and PE
The routing protocol between a PE and a CE can be BGP, a static route, or an IGP.
Context
For detailed configurations, see 2.4.6 Configuring a Routing Protocol Between a PE and a
CE.
2.8.6 Checking the Configuration
After configuring inter-AS VPN Option C, you can view information about all the BGP peer
relationships, VPNv4 routes on PEs or ASBRs, and labels of IPv4 routes on ASBRs.
Prerequisite
The configurations of the inter-AS VPN Option C function are complete.
Procedure
- Run the display bgp vpnv4 all peer command to check the BGP peers on the PE.
- Run the display bgp vpnv4 all routing-table command to check the VPN IPv4 routing
table on the PE or ASBR.
- Run the display bgp routing-table label command to check information about the labels
of IPv4 routes on the ASBR.
- Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on the PE.
----End
Example
Run the display bgp vpnv4 all peer command on the PE. If the status of the EBGP peer between
the PEs is "Established", the configuration is successful.
Run the display bgp vpnv4 all routing-table command. You can see that the PE has VPN
IPv4 routes while the ASBR has no VPN IPv4 route.
Run the display bgp routing-table label command on the ASBR. If information about the labels
of IPv4 routes is displayed, the configuration is successful.
Run the display ip routing-table vpn-instance command on the PE. If the VPN routes to the related
CEs are displayed, the configuration is successful.
2.9 Configuring Inter-AS VPN Option C (Solution 2)
After LDP LSPs are established for the labeled BGP routes of the public network, multi-hop EBGP
connections are established between PEs in different ASs to exchange VPNv4
routes.
2.9.1 Establishing the Configuration Task
Before configuring inter-AS VPN Option C, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data. This can help
you complete the configuration task quickly and accurately.
Applicable Environment
If the MPLS backbone network carrying VPN routes spans multiple ASs, inter-AS VPN is
required.
If each AS needs to exchange a large number of VPN routes, inter-AS VPN Option C is a good
choice to prevent the ASBR from becoming a bottleneck that impedes network expansion. Two
solutions can be adopted to realize inter-AS VPN Option C:
- Solution 1: After learning the labeled BGP routes of the public network in the remote AS
from the remote ASBR, the local ASBR allocates labels for these routes and advertises
these routes to the IBGP peer that supports the label switching capability. In this manner,
a complete LSP is set up.
- Solution 2: The IBGP peer relationship between the PE and the ASBR is not needed. In
this solution, an ASBR learns the labeled public BGP routes of the remote AS from the
peer ASBR. Then these labeled public BGP routes are imported to IGP to trigger the
establishment of an LDP LSP. In this manner, a complete LDP LSP can be established
between the two PEs.
If an ASBR needs to access a large number of PEs, Solution 2 is recommended because of its
easy configuration.
Pre-configuration Tasks
Before configuring inter-AS VPN Option C, complete the following tasks:
- Configuring IGP for the MPLS backbone network of each AS to ensure IP connectivity of
the backbone network within an AS
- Configuring the basic MPLS functions and MPLS LDP for the MPLS backbone network
of each AS
- Configuring VPN instances on PEs that access CEs, and associating the VPN instances with
the PE interfaces that connect to the CEs
- Configuring IP addresses on CE interfaces that access PEs
- Configuring a name for the IP prefix list used to filter labeled BGP routes of the public network
Data Preparation
To configure inter-AS VPN Option C, you need the following data.
No. Data
1 Data for configuring a VPN instance on a PE:
  - VPN instance name
  - (Optional) Description of the VPN instance
  - RD and VPN target attributes of the VPN instance IPv4 address family
  - (Optional) Routing policy that controls the sending and receiving of VPN
routing information
  - (Optional) Maximum number of routes allowed in the VPN instance IPv4
address family
2 IP addresses of PE interfaces that access CEs
3 AS number of each AS
4 IP addresses of the interfaces between ASBRs
5 Routing policies on ASBRs
6 Routing protocol between PEs and CEs
7 (Optional) Name of the IP prefix list used to filter the labeled BGP routes of
the public network
NOTE
In inter-AS VPN Option C, do not enable LDP between ASBRs.
If LDP is enabled on the interfaces between ASBRs, LDP sessions are established between the ASBRs.
In this case, the ASBRs establish an egress LSP and send Mapping messages to the upstream ASBR. After
receiving the Mapping messages, the upstream ASBR establishes a transit LSP. When there is a high volume of
BGP routes, enabling LDP on the interfaces between ASBRs consumes a large number of
LDP labels.
2.9.2 Establishing the EBGP Peer Relationship Between ASBRs
The EBGP peer relationship is established between ASBRs to advertise the routes destined for the
loopback interfaces on PEs.
Procedure
- Perform the following steps on the ASBRs:
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the interface that connects to the remote ASBR is displayed.
3. Run:
ip address ip-address { mask | mask-length }
The IP address is configured.
4. Run:
quit
Return to the system view.
5. Run:
bgp as-number
The BGP view is displayed.
6. Run:
peer ipv4-address as-number as-number
The remote ASBR is configured as the EBGP peer.
7. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops is configured for the EBGP connection.
Generally, one or more directly connected physical links exist between EBGP
peers. If no directly connected physical link is available, run the peer ebgp-max-hop
command to ensure that the TCP connection can be set up between the EBGP
peers across multiple hops.
----End
2.9.3 Advertising the Routes of the PE in the Local AS to the Remote PE
After the routes of the loopback interface on a PE in one AS are advertised to the remote PE in
another AS, the MP-EBGP peer relationship can be established between the PEs.
Procedure
- Advertising the loopback address of the PE in the local AS to the remote ASBR
Perform the following steps on the ASBR:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
network ip-address [ mask | mask-length ]
The loopback address of the PE in the local AS is advertised to the remote ASBR.
4. Run:
quit
Return to the system view.
- Importing the BGP routes to IGP
Perform the following steps on the peer ASBR:
1. Run:
system-view
The system view is displayed.
2. Run:
ospf process-id
The OSPF view is displayed.
3. Run:
import-route bgp [ cost cost ] [ route-policy route-policy-name ]
The BGP routes are imported to IGP.
4. Run:
quit
Return to the system view.
----End
2.9.4 Enabling the Capability of Exchanging Labeled IPv4 Routes
To establish an inter-AS BGP LSP, enable labeled IPv4 route exchange between ASBRs.
Procedure
- Creating a routing policy
Perform the following steps on the ASBRs:
1. Run:
system-view
The system view is displayed.
2. Run:
route-policy route-policy-name permit node seq-number
The routing policy applied to routes advertised to the remote ASBR is created.
3. Run:
apply mpls-label
Labels are allocated to the IPv4 routes.
4. Run:
quit
Return to the system view.
- Applying the routing policy
Perform the following steps on the ASBRs:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address route-policy route-policy-name export
The routing policy applied to routes advertised to the remote ASBR is configured.
4. Run:
quit
Return to the system view.
- Enabling labeled IPv4 route exchange
Perform the following steps on the ASBRs:
1. Run:
system-view
The system view is displayed.
2. Run:
interface interface-type interface-number
The view of the interface connecting to the remote ASBR is displayed.
3. Run:
mpls
The MPLS function is enabled on the interface.
4. Run:
quit
Return to the system view.
5. Run:
bgp as-number
The BGP view is displayed.
6. Run:
peer ipv4-address label-route-capability [ check-tunnel-reachable ]
The capability of exchanging labeled IPv4 routes with the remote ASBR is enabled.
– If tunnel reachability checking is enabled, BGP advertises IPv4 unicast routes to
peers when the tunnels for the routes are unreachable and advertises labeled routes to peers
when the tunnels are reachable. This eliminates the risk of establishing an MP-EBGP
peer relationship between PEs over a faulty LSP, which would cause
data forwarding failures.
– If tunnel reachability checking is disabled, BGP advertises labeled routes to peers
whether the tunnels for the routes are reachable or not.
----End
2.9.5 Establishing an LDP LSP for the Labeled BGP Routes of the Public Network
By enabling LDP on ASBRs to allocate labels for BGP routes, you can establish LDP LSPs for the labeled
BGP routes of the public network that are filtered by the IP prefix list.
Procedure
- Establishing an LDP LSP for the labeled BGP routes of the public network that are filtered
by the IP prefix list
Perform the following steps on the ASBRs:
1. Run:
system-view
The system view is displayed.
2. Run:
mpls
The MPLS view is displayed.
3. Run:
lsp-trigger bgp-label-route [ ip-prefix ip-prefix-name ]
An LDP LSP is established for the labeled BGP routes of the public network that are
filtered by the IP prefix list.
----End
2.9.6 Establishing the MP-EBGP Peer Relationship Between PEs
By introducing extended community attributes into BGP, MP-EBGP can advertise VPNv4 routes
between PEs. PEs in different ASs are generally not directly connected. Therefore, to set up the
EBGP connection between PEs in different ASs, configure the maximum number of hops permitted
between the PEs.
Procedure
- Perform the following steps on the PEs:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address as-number as-number
The remote PE is specified as the EBGP peer.
4. Run:
peer ipv4-address connect-interface interface-type interface-number ipv4-source-address
The source interface used to send BGP packets is specified.
5. Run:
peer ipv4-address ebgp-max-hop [ hop-count ]
The maximum number of hops permitted to establish the EBGP peer relationship is specified.
6. Run:
ipv4-family vpnv4
The BGP VPNv4 sub-address family view is displayed.
7. Run:
peer ipv4-address enable
The capability of exchanging VPNv4 routes with the remote PE is enabled.
----End
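As an added worked example that is not part of the guide, here is the AS 100 side of Solution 2 on ASBR1 and PE1, pulling together 2.9.2 through 2.9.6; the difference from Solution 1 is that ASBR1 hands the remote PE loopback to OSPF and LDP instead of to an IBGP session with PE1. All addresses, AS numbers, the interface name, the prefix list name and the policy names are constructed; lines beginning with # are comments.

```text
# Inter-AS VPN Option C (Solution 2), AS 100 side -- constructed example.
# Constructed addresses: PE1 LoopBack0 1.1.1.9/32, inter-ASBR link
# 192.1.1.1/24 (ASBR1) - 192.1.1.2/24 (ASBR2), PE2 LoopBack0 4.4.4.9/32.
# The IGP (OSPF 1), LDP inside AS 100, the loopbacks and VPN instance vpna
# are assumed to exist already (pre-configuration tasks).
#
# ===== ASBR1 =====
system-view
# Prefix list (constructed name pe-loopbacks): only the remote PE loopback
# learned from ASBR2 is allowed to trigger an LDP LSP and to enter OSPF,
# rather than every BGP route the ASBR happens to hold.
ip ip-prefix pe-loopbacks index 10 permit 4.4.4.9 32
route-policy bgp-to-ospf permit node 1
 if-match ip-prefix pe-loopbacks
 quit
# 2.9.4: label the routes advertised to ASBR2 (PE1's loopback)
route-policy to-asbr2 permit node 1
 apply mpls-label
 quit
# 2.9.2 / 2.9.4: MPLS on the inter-ASBR link; LDP is deliberately NOT enabled
interface GigabitEthernet2/0/0
 ip address 192.1.1.1 255.255.255.0
 mpls
 quit
# 2.9.2, 2.9.3, 2.9.4: EBGP to ASBR2 with labeled IPv4 route exchange
bgp 100
 peer 192.1.1.2 as-number 200
 peer 192.1.1.2 route-policy to-asbr2 export
 peer 192.1.1.2 label-route-capability check-tunnel-reachable
 network 1.1.1.9 255.255.255.255
 quit
# 2.9.3: the labeled BGP route 4.4.4.9/32 goes into OSPF so PE1 learns it;
# no IBGP session between PE1 and ASBR1 is needed in this solution
ospf 1
 import-route bgp route-policy bgp-to-ospf
 quit
# 2.9.5: LDP LSP for the labeled BGP route selected by the prefix list
mpls
 lsp-trigger bgp-label-route ip-prefix pe-loopbacks
 quit
#
# ===== PE1 =====
# 2.9.6: MP-EBGP to PE2 over the LDP LSP to ASBR1 stitched to the BGP LSP
system-view
bgp 100
 peer 4.4.4.9 as-number 200
 peer 4.4.4.9 connect-interface LoopBack0 1.1.1.9
 peer 4.4.4.9 ebgp-max-hop 10
 ipv4-family vpnv4
  peer 4.4.4.9 enable
  quit
 quit
```

The checks in 2.9.8 apply directly: display ip routing-table 4.4.4.9 verbose on ASBR1 should show the route in the Public table with protocol EBGP and a non-zero label, and display mpls lsp protocol ldp include 4.4.4.9 32 should show the LDP LSP that lsp-trigger created for it.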
2.9.7 Configuring the Route Exchange Between a CE and a PE
The routing protocol between a PE and a CE can be BGP, a static route, or an IGP.
Procedure
- Configuring a PE
Perform the following steps on the PE that is connected to a CE:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP-VPN instance IPv4 address family view is displayed.
4. Run:
peer ipv4-address as-number as-number
The CE is configured as a peer of the VPN private network.
5. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops in the EBGP connection is specified.
6. (Optional) Run:
network ip-address mask
The direct routes are advertised to the local CE.
7. (Optional) Run:
peer ip-address allow-as-loop [ number ]
The routing loop is permitted.
8. (Optional) Run:
peer ip-address substitute-as
The BGP AS number substitution function is enabled.
- Configuring a CE
Perform the following steps on the CE:
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address as-number as-number
The PE is configured as the peer.
4. (Optional) Run:
peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ]
The maximum number of hops in the EBGP connection is specified.
5. Run:
import-route { direct | static | rip [ process-id ] | ospf process-id |
isis process-id } [ med med | route-policy route-policy-name ]*
Routes of the local site are imported.
----End
2.9.8 Checking the Configuration
After configuring inter-AS VPN Option C (Solution 2), you can view information about all the
BGP peer relationships, VPNv4 routes on PEs, and labels of IPv4 routes on ASBRs.
Prerequisite
The configurations of the inter-AS VPN Option C (Solution 2) function are complete.
Procedure
- Run the display bgp vpnv4 all peer command to check information about the specified
VPNv4 peer on a PE.
- Run the display bgp vpnv4 all routing-table command to check information about the
VPN-IPv4 routing table on a PE or an ASBR.
- Run the display bgp routing-table label command to check information about the labels
of IPv4 routes on an ASBR.
- Run the display ip routing-table vpn-instance vpn-instance-name command to check the
VPN routing table on a PE.
- Run the display mpls route-state [ vpn-instance vpn-instance-name ] [ { exclude |
include } { idle | ready | settingup } * | destination-address mask-length ] [ verbose ]
command to check the matching relationship between routes and LSPs on an ASBR.
- Run the display ip routing-table command to check information about the routing table
on an ASBR.
- Run the display mpls lsp [ vpn-instance vpn-instance-name ] [ protocol ldp ]
[ { exclude | include } ip-address mask-length ] [ outgoing-interface interface-type
interface-number ] [ in-label in-label-value ] [ out-label out-label-value ] [ lsr-role
{ egress | ingress | transit } ] [ verbose ] command to check whether an LDP LSP is
established on an ASBR.
----End
Example
Run the display bgp vpnv4 all peer command. The command output shows that the EBGP peer
relationship between the PEs is established.
Run the display bgp vpnv4 all routing-table command on a PE and an ASBR. The command
output shows that BGP VPNv4 routes and BGP VPN instance routes exist on the PE, but not on
the ASBR.
Run the display bgp routing-table label command on an ASBR. The command output shows
information about the labels of IPv4 routes.
Run the display ip routing-table vpn-instance vpn-instance-name command on a PE. The
command output shows that the VPN routing table of the PE has the VPN routes to the CE associated
with the specified VPN instance.
Run the display mpls route-state verbose command on an ASBR. The command output shows
the routes with the type L, that is, the labeled BGP routes of the public network.
Run the display ip routing-table command on an ASBR. The command output shows that the
routes to the remote PE are labeled BGP routes of the public network: the routing table is
"Public", the protocol type is "BGP", and the label has a non-zero value.
[ASBR] display ip routing-table 4.4.4.9 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination: 4.4.4.9/32
     Protocol: EBGP            Process ID: 0
   Preference: 255                   Cost: 1
      NextHop: 192.1.1.2         Neighbour: 192.1.1.2
        State: Active Adv             Age: 00h12m53s
          Tag: 0                 Priority: low
        Label: 15360             QoSInfo: 0x0
   IndirectID: 0x0
 RelayNextHop: 0.0.0.0          Interface: GE2/0/0
     TunnelID: 0x6002006            Flags: D
Run the display mpls lsp command on an ASBR. The command output shows that an LDP LSP
is established between the ASBR and the remote PE. Additionally, the LDP ingress LSP to the
remote PE can be found on the local PE.
[ASBR] display mpls lsp protocol ldp include 4.4.4.9 32 verbose
----------------------------------------------------------------------
                 LSP Information: LDP LSP
----------------------------------------------------------------------
  No                  :  1
  VrfIndex            :
  Fec                 :  4.4.4.9/32
  Nexthop             :  192.1.1.2
  In-Label            :  1024
  Out-Label           :  NULL
  In-Interface        :  ----------
  Out-Interface       :  ----------
  LspIndex            :  13313
  Token               :  0x0
  FrrToken            :  0x0
  LsrType             :  Egress
  Outgoing token      :  0x6002006
  Label Operation     :  POPGO
  Mpls-Mtu            :  ------
  TimeStamp           :  15829sec
  Bfd-State           :  ---
  BGPKey              :  ---
2.10 Configuring HoVPN
HoVPN indicates a hierarchical VPN in which multiple PEs play different roles and form a
hierarchical structure. With this structure, these PEs function together as one PE, and the performance
requirements for each PE are lowered.
2.10.1 Establishing the Configuration Task
Before configuring HoVPN, familiarize yourself with the applicable environment, complete the
pre-configuration tasks, and obtain the required data. This can help you complete the
configuration task quickly and accurately.
Applicable Environment
For hierarchical VPN networks, adopt HoVPN to reduce the requirements for PE devices.
Pre-configuration Tasks
Before configuring HoVPN, complete the task of Configuring Basic BGP/MPLS IP VPN.
Data Preparation
To configure HoVPN, you need the following data.
No. Data
1 Relationship between the UPE and SPE
2 Name of the VPN instance sending default routes to the UPE
2.10.2 Specifying UPE
Before configuring a UPE, establish the VPNv4 peer relationship between the UPE and SPE.
Context
Perform the following steps on the SPE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer { ipv4-address | group-name } as-number as-number
The UPE is specified as the BGP peer of the SPE.
Step 4 Run:
ipv4-family vpnv4 [ unicast ]
The BGP VPNv4 sub-address family is displayed.
Step 5 Run:
peer { ipv4-address | group-name } enable
The capability of exchanging BGP VPNv4 routing information with the peer is enabled.
Step 6 Run:
peer { ipv4-address | group-name } upe
The peer is specified as the UPE of the SPE.
----End
2.10.3 Advertising Default Routes of a VPN Instance
The SPE advertises to the UPE a default route whose next hop is the SPE's local address.
This allows the SPE to direct VPN packet forwarding on the UPE.
Context
Perform the following steps on the SPE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
ipv4-family vpnv4
The BGP-VPNv4 sub-address family view is displayed.
Step 4 Run:
peer { ipv4-address | group-name } default-originate vpn-instance vpn-instance-name
The default routes of a specified VPN instance are advertised to the UPE.
After running the command, the SPE advertises a default route to the UPE with its local address
as the next hop, regardless of whether there is a default route in the local routing table.
----End
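As an added worked example that is not part of the guide, here are the SPE and UPE sides of 2.10.2 and 2.10.3 together, so the UPE ends up holding only its own CE's routes plus the SPE-originated default route. Addresses, AS numbers, the VPN instance name and the CE details are constructed; lines beginning with # are comments.

```text
# HoVPN -- constructed example. Assumed topology: SPE LoopBack0 2.2.2.9/32 and
# UPE LoopBack0 1.1.1.9/32, both in AS 100; VPN instance vpna already exists
# on both devices and is bound to the UPE's CE-facing interface
# (pre-configuration task); CE1 is 10.1.1.1 in AS 65410, attached to the UPE.
#
# ===== SPE =====
system-view
bgp 100
 peer 1.1.1.9 as-number 100
 peer 1.1.1.9 connect-interface LoopBack0
 ipv4-family vpnv4
  # 2.10.2: VPNv4 peer, then mark it as a UPE of this SPE
  peer 1.1.1.9 enable
  peer 1.1.1.9 upe
  # 2.10.3: send the UPE a default route for vpna with the SPE as next hop;
  # this is originated even if the SPE's own table has no default route
  peer 1.1.1.9 default-originate vpn-instance vpna
  quit
 quit
#
# ===== UPE =====
# From the UPE's point of view the SPE is an ordinary VPNv4 peer; the UPE
# keeps its CE's routes in vpna and forwards everything else via the default
system-view
bgp 100
 peer 2.2.2.9 as-number 100
 peer 2.2.2.9 connect-interface LoopBack0
 ipv4-family vpnv4
  peer 2.2.2.9 enable
  quit
 ipv4-family vpn-instance vpna
  peer 10.1.1.1 as-number 65410
  quit
 quit
```

After this, display ip routing-table on CE1 (2.10.4) should show a default route with the UPE as next hop and no specific route to the network segment of the remote CE.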
2.10.4 Checking the Configuration
After configuring HoVPN, the local CE has no route that is destined for the network segment
of the interface on the remote CE, but has a default route with the next hop as the UPE.
Prerequisite
The configurations of the HoVPN function are complete.
Procedure
- Run the display ip routing-table command to check the routing table on the CE.
----End
Example
Run the display ip routing-table command on the CE connected with the UPE. The command output
shows that there is a default route whose next hop is the UPE and there is no route to the network
segment where the peer CE resides.
2.11 Configuring a Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
2.11.1 Establishing the Configuration Task
Before configuring a multi-VPN-instance CE, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the data required for the
configuration. This will help you complete the configuration task quickly and accurately.
Applicable Environment
The multi-VPN-instance CE is used in the LAN. You can implement service isolation through
the multiple OSPF instances on the CE devices.
One OSPF process can belong to only one VPN instance but one VPN instance can run several
OSPF processes.
The Multi-VPN-Instance CE can be considered a networking solution that isolates services by
isolating routes. Before configuring a multi-VPN-instance CE, disable routing loop detection.
Pre-configuration Tasks
Before configuring a multi-VPN-instance CE, complete the following tasks:
- 2.3 Configuring a VPN Instance Enabled with the IPv4 Address Family on the multi-instance
CE and on the PE that it accesses (each service with a VPN instance)
- Configuring the link layer protocol and network layer protocol for LAN interfaces and
connecting the LAN to the multi-instance CE (each service using an interface to access the
multi-instance CE)
- Binding the related VPN instances to the interfaces of the multi-instance CE and to the PE interfaces
through which the PE accesses the multi-instance CE, and configuring IP addresses for those
interfaces
Data Preparation
To configure a multi-VPN-instance CE, you need the following data.
No. Data
1 Names of the VPN instances corresponding to the OSPF processes used by each
service
2 OSPF process number and Router ID used by each service
3 Routes advertised by each OSPF process
2.11.2 Configuring the OSPF Multi-Instance on the PE
Different services use different OSPF process IDs.
Context
Perform the following steps on the PE that is accessed by the multi-instance CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF multi-instance is configured.
Different services have different OSPF process IDs. However, router IDs of different services
do not necessarily differ.
Step 3 Run:
area area-id
The OSPF area view is displayed.
Step 4 Run:
network ip-address wildcard-mask
The IP address of the interface connected to the multi-instance CE is advertised.
Step 5 Run:
quit
The OSPF view is displayed.
Step 6 Run:
import-route bgp
The BGP route is imported.
Step 7 Run:
quit
Return to the system view.
Step 8 Run:
bgp as-number
The BGP view is displayed.
Step 9 Run:
ipv4-family vpn-instance vpn-instance-name
The BGP-VPN instance IPv4 address family view is displayed.
Step 10 Run:
import-route ospf process-id
The OSPF multi-instance route is imported.
----End
2.11.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE
The process ID of the OSPF multi-instance configured on the multi-VPN-instance CE must be
the same as that configured on the PE.
Context
Perform the following steps on the multi-instance CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF multi-instance is configured.
The OSPF process ID corresponds to that of the PE.
Step 3 Run:
area area-id
The OSPF area view is displayed.
Step 4 Run:
network ip-address wildcard-mask
The IP address of the interface connected to the PE is advertised.
NOTE
If the multi-instance CE does not learn the routes of a LAN through the OSPF process of that service, the LAN routes must be imported into that OSPF process.
----End
2.11.4 Canceling the Loop Detection on the Multi-Instance CE
If routing loop detection is performed, the CE discards the routes received from the PE whose DN bit is set to 1.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ospf process-id [ router-id router-id ] vpn-instance vpn-instance-name
The OSPF view is displayed.
Step 3 Run:
vpn-instance-capability simple
Loop detection is not performed.
----End
2.11.5 Checking the Configuration
After the multi-VPN-instance CE is configured, the VPN routing table of the CE contains the
routes destined for the LAN and remote sites for each service.
Prerequisite
The configurations of the Multi-VPN-Instance CE function are complete.
Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name [ verbose ] command to check the VPN routing table on the multi-instance CE.
----End
Example
Run the display ip routing-table vpn-instance command on the multi-instance CE to check
the VPN routing table. If there are routes to the LAN and the remote nodes for each service, the
configuration is successful.
2.12 Connecting VPN and the Internet
Generally, users within a VPN can communicate only with each other and cannot communicate with Internet users, because the VPN has no access to the Internet. If each VPN site needs to access the Internet, configure the interconnection between the VPN and the Internet.
2.12.1 Establishing the Configuration Task
Before configuring the interconnection between a VPN and the Internet, familiarize yourself
with the applicable environment, complete the pre-configuration tasks, and obtain the required
data. This can help you complete the configuration task quickly and accurately.
Applicable Environment
You can enable VPN users to access the Internet by adding a few configurations to the established VPN network.
Pre-configuration Tasks
Before configuring VPN users to access the Internet, complete the following task:
• Setting up the VPN network
Data Preparation
To configure interconnection between a VPN and the Internet, you need the following data.
No.  Data
1    Names of the VPN instances
2    Destination IP address of static routes
2.12.2 Configuring the Static Route on the CE
This section describes how to configure static routes on CEs to forward packets from the VPN
to the Internet.
Context
Perform the following steps on the CE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-number [ nexthop-address ] | nexthop-address } [ preference preference | tag tag ] * [ description text ]
The static route to the public network destination address is configured.
ip-address can be the destination address of the public network or 0.0.0.0. If ip-address is 0.0.0.0, the static route is also called the default route, and its mask must be 0.0.0.0 or its mask-length must be 0. Note that the outbound interface must be the interface directly connected to the PE, and the next hop is the IP address of the peer PE interface directly connected to the CE.
NOTE
If the CE and the PE are connected through an Ethernet network, the next-hop must be specified.
----End
2.12.3 Configuring the Private Network Static Route on the PE
This section describes how to configure static routes on PEs to forward packets from the VPN
to the Internet.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } nexthop-address public [ preference preference | tag tag ]* [ description text ]
The static route from the VPN to the Internet is configured and the next-hop address is a public
network address.
----End
2.12.4 Configuring the Static Route to VPN on the Device of the
Public Network
This section describes how to configure static routes to VPN users to forward packets from the
Internet to the VPN.
Context
Perform the following steps on the PE.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ip route-static ip-address { mask | mask-length } { interface-type interface-number | vpn-instance vpn-instance-name nexthop-address | nexthop-address } [ preference preference | tag tag ]* [ description text ]
The static route from the public network to the VPN is configured and the next-hop address is
a private network address.
NOTE
If the CE and PE are connected through an Ethernet network, the next-hop must be specified.
----End
2.12.5 Checking the Configuration
After configuring the interconnection between a VPN and the Internet, the VPN routing table contains the routes destined for the CE and for the router in the public network, and the routing table on the destination device in the public network contains the route to the CE.
Prerequisite
The configuration of the interconnection between the VPN and the Internet is complete.
Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the VPN routing table on the PE.
• Run the display ip routing-table command to check the routing table on the CE and on the destination router in the public network.
----End
Example
Run the display ip routing-table vpn-instance command on the PE. The command output
shows that the route to the CE and the route to the destination router in the public network exist
in the VPN routing table.
Run the display ip routing-table command on the CE. The command output shows that the CE
has the route to the destination router in the public network and the destination router in the
public network has the route to the CE.
The CE and the destination router in the public network can successfully ping each other.
2.13 Configuring Route Reflection to Optimize the VPN Backbone Layer
Using an RR can reduce the number of MP IBGP connections between PEs. This not only reduces
the burden of PEs, but also facilitates network maintenance and management.
2.13.1 Establishing the Configuration Task
Before configuring an RR to optimize the VPN backbone layer, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.
Applicable Environment
The BGP speaker does not advertise the routes learned from IBGP devices to its IBGP peers.
To make a PE advertise the routes of the VPN that the PE accesses to the BGP VPNv4 peers in
the same AS, the PE must establish IBGP connections with all the peers to directly exchange
VPN routing information. That is, MP IBGP peers must establish full connections between each
other. Suppose there are n PEs (including ASBRs) in an AS, n (n-1)/2 MP IBGP connections
need to be established. A large number of IBGP peers consume a great amount of network
resources.
The Route Reflector (RR) can solve this problem. In an AS, one router can be configured as the
RR to reflect VPNv4 routes and the other PEs and ASBRs serve as the clients, which are called
Client PEs. An RR can be a P, PE, ASBR, or a router of other types.
The introduction of the RR reduces the number of MP IBGP connections. This lightens the
burden on PEs and facilitates network maintenance and management.
Pre-configuration Tasks
Before configuring route reflection to optimize the VPN backbone layer, complete the following
tasks:
• Configuring the routing protocol for the MPLS backbone network to implement IP interworking between routers in the backbone network
• Establishing tunnels (LSPs or GRE tunnels) between the RR and all Client PEs
Data Preparation
To configure the BGP VPNv4 route reflection, you need the following data.
No.  Data
1    Local AS number and peer AS number
2    Type and number of the interfaces used to set up the TCP connection
3    BGP peer group name and IP addresses of peers
2.13.2 Configuring the Client PEs to Establish MP IBGP Connections with the RR
An MP-IBGP connection is configured between the PE and the RR to facilitate VPNv4 route
reflection.
Context
Perform the following steps on all Client PEs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The RR is specified as the BGP peer.
Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
The interface IP address must be the same as the MPLS LSR ID. It is recommended to specify
a loopback interface to establish the TCP connection.
Step 5 Run:
ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
Step 6 Run:
peer ipv4-address enable
The capability of exchanging VPNv4 routes between the PE and RR is enabled.
----End
2.13.3 Configuring the RR to Establish MP IBGP Connections with the Client PEs
MP-IBGP connections are configured between the RR and all its clients (PEs) to facilitate
VPNv4 route reflection.
Context
Choose one of the following schemes to configure the RR.
Procedure
• Configuring the RR to Establish MP IBGP Connections with the Peer Group
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
group group-name [ internal ]
An IBGP peer group is created.
4. Run:
peer group-name connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection. The interface IP address must be the same as the MPLS LSR ID. It is recommended to specify a loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
6. Run:
peer group-name enable
The capability of exchanging IPv4 VPN routes between the RR and the peer group is enabled.
7. Run:
peer ip-address group group-name
The peer is added to the peer group.
• Configuring the RR to establish an MP IBGP connection with each client PE
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
peer ipv4-address as-number as-number
The client PE is specified as the BGP peer.
4. Run:
peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection. The interface IP address must be the same as the MPLS LSR ID. It is recommended to specify a loopback interface to establish the TCP connection.
5. Run:
ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
6. Run:
peer ipv4-address enable
The capability of exchanging VPNv4 routes between the RR and the client PE is enabled.
----End
2.13.4 Configuring Route Reflection for BGP IPv4 VPN Routes
The premise of enabling BGP VPNv4 route reflection is that the RR has established the MP-IBGP connections with all its clients (PEs).
Context
Perform the following steps on the RR.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
ipv4-family vpnv4
The BGP VPNv4 address family view is displayed.
Step 4 Enable route reflection for BGP VPNv4 routes on the RR.
• Run the peer group-name reflect-client command to enable route reflection if the RR establishes the MP IBGP connection with the peer group consisting of client PEs.
• Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if the RR establishes the MP IBGP connection with each PE rather than with a peer group.
Step 5 Run:
undo policy vpn-target
The filtering of VPNv4 routes based on the VPN target is disabled.
Step 6 (Optional) Run:
rr-filter extcomm-filter-number
The reflection policy is configured for the RR.
----End
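As an added example (not from this guide or from Huawei), the following Python checks constructed VRP-style configuration text against the constraints stated in 2.11 (the same OSPF process ID on the CE and the PE for each service, vpn-instance-capability simple on the CE, and the mutual OSPF/BGP import on the PE) and in 2.13.4 (undo policy vpn-target and peer ... reflect-client for every client on an RR that peers with each client PE individually). The parser, the check functions, the sample device configurations and the addresses are all assumptions of the example, not tooling the guide provides.

```python
"""Audit constructed VRP-style configs against constraints this guide states in 2.11
(OSPF multi-instance CE) and 2.13 (VPNv4 RR). Added example, not Huawei tooling."""
import re

def parse(text):
    """Nest config lines by indentation (one space per view level); '#' lines are skipped."""
    root = []
    stack = [(-1, root)]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        while stack[-1][0] >= depth:
            stack.pop()
        node = (line, [])
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root

def find(nodes, prefix):
    return [n for n in nodes if n[0].startswith(prefix)]

def has(nodes, cmd):
    return any(n[0] == cmd for n in nodes)

def ospf_by_vpn(cfg):
    """vpn-instance -> {process-id: commands}; each process binds to exactly one VPN."""
    out = {}
    for cmd, kids in find(cfg, "ospf "):
        m = re.match(r"ospf (\d+)(?: router-id \S+)? vpn-instance (\S+)$", cmd)
        if m:
            out.setdefault(m.group(2), {})[int(m.group(1))] = kids
    return out

def check_multi_instance_ce(ce_text, pe_text):
    """Findings for a multi-VPN-instance CE and the PE it accesses (2.11.2 to 2.11.4)."""
    pe_cfg = parse(pe_text)
    ce, pe = ospf_by_vpn(parse(ce_text)), ospf_by_vpn(pe_cfg)
    families = {f.split()[-1]: k for _, b in find(pe_cfg, "bgp ")
                for f, k in find(b, "ipv4-family vpn-instance ")}
    out = []
    for vpn, procs in ce.items():
        # 2.11.3: the CE must use the same OSPF process ID as the PE for this service
        if set(procs) != set(pe.get(vpn, {})):
            out.append(f"{vpn}: CE OSPF {sorted(procs)} != PE {sorted(pe.get(vpn, {}))}")
        for pid, kids in procs.items():
            # 2.11.4: with loop detection on, the CE discards PE routes whose DN bit is 1
            if not has(kids, "vpn-instance-capability simple"):
                out.append(f"{vpn}: CE OSPF {pid} still runs loop detection")
    for vpn, procs in pe.items():
        for pid, kids in procs.items():
            # 2.11.2 steps 6 and 10: OSPF imports BGP, the BGP VPN family imports OSPF
            if not has(kids, "import-route bgp"):
                out.append(f"{vpn}: PE OSPF {pid} lacks 'import-route bgp'")
            if not has(families.get(vpn, []), f"import-route ospf {pid}"):
                out.append(f"{vpn}: PE BGP family lacks 'import-route ospf {pid}'")
    return out

def check_rr(rr_text, client_addrs):
    """Findings for an RR peered with each client PE (2.13.3 step 6; 2.13.4 steps 4, 5)."""
    out = []
    for _, bgp in find(parse(rr_text), "bgp "):
        for _, fam in find(bgp, "ipv4-family vpnv4"):
            # 2.13.4 step 5: keep VPNv4 routes for VPNs the RR itself does not host
            if not has(fam, "undo policy vpn-target"):
                out.append("RR: VPN-target filtering still enabled for VPNv4")
            for addr in client_addrs:
                for kw in ("enable", "reflect-client"):
                    if not has(fam, f"peer {addr} {kw}"):
                        out.append(f"RR: 'peer {addr} {kw}' missing")
    return out

# Constructed sample configurations, each with deliberate gaps for the checks to report.
CE_CONFIG = """\
ospf 100 router-id 10.1.1.1 vpn-instance vpna
 vpn-instance-capability simple
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
ospf 200 router-id 10.1.1.1 vpn-instance vpnb
"""
PE_CONFIG = """\
ospf 100 router-id 2.2.2.2 vpn-instance vpna
 import-route bgp
ospf 201 router-id 2.2.2.2 vpn-instance vpnb
bgp 100
 ipv4-family vpn-instance vpna
  import-route ospf 100
 ipv4-family vpn-instance vpnb
  import-route ospf 200
"""
RR_CONFIG = """\
bgp 100
 ipv4-family vpnv4
  peer 2.2.2.2 enable
  peer 2.2.2.2 reflect-client
  peer 4.4.4.4 enable
"""
```

Calling check_multi_instance_ce(CE_CONFIG, PE_CONFIG) and check_rr(RR_CONFIG, ["2.2.2.2", "4.4.4.4"]) on the embedded samples returns one finding per deliberate gap; both return an empty list once the gaps are closed.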
2.13.5 Checking the Configuration
After configuring an RR to optimize the VPN backbone layer, you can view BGP VPNv4 peer
information and VPNv4 routing information on the RR or its clients (PEs).
Prerequisite
The configuration of route reflection to optimize the VPN backbone layer is complete.
Procedure
• Run the display bgp vpnv4 all peer [ [ ipv4-address ] verbose ] command to check information about the BGP VPNv4 peer on the RR or the Client PEs.
• Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes | received-routes } command or the display bgp vpnv4 all routing-table statistics command to check information about the routes received from the peer or the routes advertised to the peer on the RR or the Client PEs.
• Run the display bgp vpnv4 all group [ group-name ] command to check information about the VPNv4 peer group on the RR.
----End
Example
If the configurations succeed:
• The status of the MP IBGP connections between the RR and all Client PEs is "Established" after running the display bgp vpnv4 all peer command on the RR or Client PEs.
• The RR and each Client PE can receive and send VPNv4 routing information between each other after running the display bgp vpnv4 all routing-table peer command on the RR or the Client PEs.
• If the peer group is configured, information about the group members is displayed and the status of the BGP connections between the RR and the group members is "Established" after running the display bgp vpnv4 all group command on the RR.
2.14 Configuring Route Reflection to Optimize the VPN Access Layer
If a PE and the connected CEs are in the same AS, you can deploy a BGP RR to reduce the number of IBGP connections between CEs and to facilitate maintenance and management.
2.14.1 Establishing the Configuration Task
Before configuring an RR to optimize the VPN access layer, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data. This
can help you complete the configuration task quickly and accurately.
Applicable Environment
If a PE and multiple CEs accessing the PE are located in the same AS, to reduce the IBGP connections between the CEs, the PE can be configured as an RR to reflect the routes of the VPN instance, and the CEs can be configured as clients, which are called Client CEs. This simplifies and facilitates network maintenance and management.
Pre-configuration Tasks
Before configuring route reflection to optimize the VPN access layer, complete the following
tasks:
• Configure a routing protocol for the MPLS backbone network to implement IP interworking between the routers in the backbone network.
Data Preparation
Before configuring route reflection to optimize the VPN access layer, you need the following
data.
No.  Data
1    Local AS number and peer AS number
2    Type and number of the interfaces used to set up the TCP connection
3    BGP peer group name and IP addresses of peers
2.14.2 Configuring All Client CEs to Establish IBGP Connections with the RR
This section describes how to configure an IBGP connection between the client (a CE) and the
RR to reflect VPNv4 routes.
Context
Perform the following steps on all Client CEs.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
peer ipv4-address as-number as-number
The RR is specified as the BGP peer.
Step 4 Run:
peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
The interface IP address must be the same as the MPLS LSR ID. It is recommended to specify
a loopback interface to establish the TCP connection.
----End
2.14.3 Configuring the RR to Establish MP IBGP Connections with All Client CEs
This section describes how to configure MP-IBGP connections between the RR and all its clients
(CEs) to reflect VPNv4 routes to all clients (CEs).
Context
Perform the following steps on the RR.
Procedure
• Establishing the MP-IBGP Connection with the Peer Group
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed.
4. Run:
group group-name [ internal ]
An IBGP peer group is created.
5. Run:
peer group-name connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
6. Run:
peer ip-address group group-name
The peer is added to the peer group.
• Establishing the MP-IBGP Connection with Each Peer
1. Run:
system-view
The system view is displayed.
2. Run:
bgp as-number
The BGP view is displayed.
3. Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed.
4. Run:
peer ipv4-address as-number as-number
The peer of the BGP IPv4 VPN instance is configured.
5. Run:
peer ipv4-address connect-interface interface-type interface-number
The interface is specified as an interface to establish the TCP connection.
Perform Step 1 to Step 5 repeatedly on the RR to establish MP-IBGP connections with all client CEs.
----End
2.14.4 Configuring Route Reflection for the Routes of the BGP VPN Instance
The premise of enabling BGP VPNv4 route reflection is that the RR has established the MP-IBGP connections with all its clients (CEs).
Context
Perform the following steps on the RR.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
bgp as-number
The BGP view is displayed.
Step 3 Run:
ipv4-family vpn-instance vpn-instance-name
The BGP VPN instance IPv4 address family view is displayed.
Step 4 Enable route reflection for the routes of the BGP VPN instance IPv4 address family on the RR.
• Run the peer group-name reflect-client command to enable route reflection if the RR establishes the IBGP connection with the peer group consisting of all Client CEs.
• Run the peer ipv4-address reflect-client command repeatedly to enable route reflection if the RR establishes the IBGP connection with each PE rather than with the peer group.
Step 5 (Optional) Run:
reflect between-clients
Route reflection between the Client CEs is enabled.
By default, route reflection between the Client CEs is enabled.
If the Client CEs are fully connected, you can use the undo reflect between-clients command
to disable route reflection between the clients to reduce costs.
Step 6 (Optional) Run:
reflector cluster-id cluster-id
The RR cluster ID is set.
If a cluster has multiple RRs, you can use this command to set the same cluster ID for these RRs
to prevent routing loops. By default, the cluster ID is the router ID.
----End
2.14.5 Checking the Configuration
After configuring an RR to optimize the VPN access layer, you can view information on the RR
about peers of the BGP VPN instance, routes received from the peers, and the VPNv4 routes
advertised to the peers.
Prerequisite
The configuration of route reflection to optimize the VPN access layer is complete.
Procedure
• Run the display bgp [ vpnv4 vpn-instance vpn-instance-name ] peer [ ipv4-address ] verbose command to check information about the peer group of the BGP VPN instance on the RR.
• Run the display bgp peer [ ipv4-address ] verbose command to check information about the BGP peer on the Client CE.
• Run the display bgp vpnv4 all routing-table peer ipv4-address { advertised-routes | received-routes } command or the display bgp vpnv4 all routing-table statistics command to check information about the routes received from the peer or the routes advertised to the peer on the RR.
• Run the display bgp routing-table peer ipv4-address { advertised-routes | received-routes } command or the display bgp routing-table statistics command to check information about the routes received from the peer or the routes advertised to the peer on the Client CE.
• Run the display bgp vpnv4 vpn-instance vpn-instance-name group [ group-name ] command to check information about the VPNv4 peer group on the RR.
• Run the display bgp group [ group-name ] command to check information about the VPNv4 peer group on the CE.
----End
Example
If the configurations succeed, you can observe the following:
• The status of the MP IBGP connections between the RR and all Client CEs is "Established" after running the display bgp vpnv4 all peer command on the RR.
• The status of the IBGP connections between the RR and all Client CEs is "Established" after running the display bgp peer command on the Client CE.
• The routing information advertised by the RR to the Client CE or by the Client CE to the RR is displayed after running the display bgp vpnv4 all routing-table peer command on the RR.
• The routing information advertised by the Client CE to the RR and by the RR to the Client CE is displayed after running the display bgp routing-table peer ipv4-address { advertised-routes | received-routes } command or the display bgp vpnv4 all routing-table statistics command on the Client CE.
• If the peer group is configured, information about the group members is displayed and the status of the BGP connections between the RR and the group members is "Established" after running the display bgp vpnv4 all group command on the RR.
2.15 Maintaining BGP/MPLS IP VPN
This section describes how to maintain the BGP/MPLS IP VPN, which involves checking L3VPN traffic, monitoring network connectivity, and resetting BGP connections.
2.15.1 Viewing the Integrated Route Statistics of All IPv4 VPN Instances
Integrated route statistics of all VPN instances refer to the sum of statistics of all VPN instances.
Procedure
• Run the display ip routing-table all-vpn-instance statistics command to check the integrated route statistics of all VPN instances.
----End
2.15.2 Displaying BGP/MPLS IP VPN Information
This section describes how to monitor the running status of the BGP/MPLS IP VPN, which
involves VPN instance information checking, VPNv4 peer information checking, and BGP peer
log information checking.
Context
In routine maintenance, you can run the following commands in any view to check the status of
BGP/MPLS IP VPN.
Procedure
• Run the display ip routing-table vpn-instance vpn-instance-name command to check the IP routing table of a VPN instance.
• Run the display ip vpn-instance [ verbose ] [ vpn-instance-name ] command to check information about the VPN instance.
• Run the display bgp [ vpnv4 { all | vpn-instance vpn-instance-name } ] routing-table label command to check information about labeled routes in the BGP routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table ipv4-address [ mask | mask-length ] command to check information about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table statistics [ match-options ] command to check statistics about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | route-distinguisher route-distinguisher | vpn-instance vpn-instance-name } routing-table [ match-options ] command to check information about the BGP VPNv4 routing table.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } group [ group-name ] command to check information about the BGP VPNv4 peer group.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer [ [ ipv4-address ] verbose ] command to check BGP VPNv4 peer information.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } network command to check the routing information advertised by BGP VPNv4.
• Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } paths [ as-regular-expression ] command to check the AS path information of BGP VPNv4.
• Run the display bgp vpnv4 vpn-instance vpn-instance-name peer { group-name | ipv4-address } log-info command to check the log information of a BGP peer in a specified VPN instance.
----End
2.15.3 Checking the Network Connectivity and Reachability
This section describes how to use the ping command to detect the network connectivity between
the source and the destination, and how to use the tracert command to check the devices through
which data packets are sent from the source to the destination.
Procedure
• Run the ping [ ip ] [ -a source-ip-address | -c count | -d | -f | -h ttl-value | -i interface-type interface-number | -m time | -n | -p pattern | -q | -r | -s packetsize | -t timeout | -tos tos-value | -v | -vpn-instance vpn-instance-name ] * host command to check the network connectivity.
• Run the tracert [ -a source-ip-address | -f first-ttl | -m max-ttl | -p port | -q nqueries | -vpn-instance vpn-instance-name | -w timeout ] * host command to trace the gateways that the packet passes through from the source to the destination.
• Run the ping lsp [ -a source-ip | -c count | -exp exp-value | -h ttl-value | -m interval | -r reply-mode | -s packet-size | -t time-out | -v ] * vpn-instance vpn-name remote remote-address mask-length command to check the connectivity of the L3VPN LSP.
----End
Example
After the VPN configuration, run the ping command with vpn-instance vpn-instance-name on the PE to check whether the PE and the CEs that belong to the same VPN can communicate with each other. If the ping fails, you can use the tracert command with vpn-instance vpn-instance-name to locate the fault.
If multiple interfaces bound to the same VPN exist on the PE, specify the source IP address (-a source-ip-address) when you ping or tracert the remote CE that accesses the peer PE. Otherwise, the ping or tracert may fail.
If you do not specify a source IP address, the PE randomly chooses the smallest IP address of
the interface bound to the VPN on the PE as the source address of the ICMP packet. If no route
to the selected address exists on the CE, the ICMP packet sent back from the peer PE is discarded.
2.15.4 Resetting BGP Statistics of a VPN Instance IPv4 Address Family
BGP statistics of the VPN instance IPv4 address family cannot be restored after being cleared.
Exercise caution when performing the action.
Procedure
• Run the reset bgp vpn-instance vpn-instance-name ipv4-family [ ipv4-address ] flap-info command in the user view to clear statistics of the BGP peer flap for a specified VPN instance IPv4 address family.
• Run the reset bgp vpn-instance vpn-instance-name ipv4-family dampening [ ipv4-address [ mask | mask-length ] ] command in the user view to clear dampening information of the VPN instance IPv4 address family.
----End
2.15.5 Resetting BGP Connections
After BGP configurations are changed, you can validate the new configurations through a soft
reset or a reset of the BGP connection. Note that resetting the BGP connection leads to VPN
service interruptions.
Context
CAUTION
VPN services are interrupted after the BGP connection is reset. Exercise caution when running
the commands.
When the BGP configuration changes, you can perform a soft reset or reset the BGP connections to
make the new configuration take effect. A soft reset requires that the BGP peers support the
route-refresh capability (Route-Refresh messages).
Procedure
• Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all | ipv4-address | group group-name | internal | external } import command in the user view to trigger the inbound soft reset of the VPN instance IPv4 address family's BGP connection.
• Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all | ipv4-address | group group-name | internal | external } export command in the user view to trigger the outbound soft reset of the VPN instance IPv4 address family's BGP connection.
• Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external } import command in the user view to trigger the inbound soft reset of the BGP VPNv4 connection.
• Run the refresh bgp vpnv4 { all | ipv4-address | group group-name | internal | external } export command in the user view to trigger the outbound soft reset of the BGP VPNv4 connection.
• Run the reset bgp vpn-instance vpn-instance-name ipv4-family { as-number | ipv4-address | group group-name | all | internal | external } command in the user view to reset BGP connections of the VPN instance IPv4 address family.
• Run the reset bgp vpnv4 { as-number | ipv4-address | group group-name | all | internal | external } command in the user view to reset BGP VPNv4 connections.
----End
2.16 Configuration Examples
This section provides several configuration examples of VPN networking. In each configuration
example, the networking requirements, configuration roadmap, configuration notes,
configuration procedures, and configuration files are described.
2.16.1 Example for Configuring BGP/MPLS IP VPN
This section describes how to configure the basic BGP/MPLS IP VPN, which involves the
configurations of MPLS LSPs, VPNv4 peers, and VPN instances.
Networking Requirements
As shown in Figure 2-2:
• CE1 and CE3 are in VPN-A.
• CE2 and CE4 are in VPN-B.
• The VPN target attribute of VPN-A is 111:1, and that of VPN-B is 222:2.
• Users in different VPNs cannot access each other.
Figure 2-2 BGP/MPLS IP VPN networking diagram
[Figure: CE1 (AS 65410, VPN-A, Eth1/0/0 10.1.1.1/24) and CE2 (AS 65420, VPN-B, Eth1/0/0 10.2.1.1/24) connect to PE1 (Loopback1 1.1.1.9/32; Eth1/0/0 10.1.1.2/24, Eth2/0/0 10.2.1.2/24, Eth2/0/1 172.1.1.1/24). PE1 connects across the MPLS backbone (AS 100) to P (Loopback1 2.2.2.9/32; Eth1/0/0 172.1.1.2/24, Eth2/0/0 172.2.1.1/24) and on to PE2 (Loopback1 3.3.3.9/32; Eth2/0/1 172.2.1.2/24, Eth1/0/0 10.3.1.2/24, Eth2/0/0 10.4.1.2/24). CE3 (AS 65430, VPN-A, Eth1/0/0 10.3.1.1/24) and CE4 (AS 65440, VPN-B, Eth1/0/0 10.4.1.1/24) connect to PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF on the backbone network to enable interworking between PEs.
2. Configure the basic MPLS functions and MPLS LDP on the PEs, and establish the MPLS LSPs between the PEs.
3. Configure MP IBGP to exchange the VPN routing information between the PEs.
4. Configure the VPN instance on the PE connected with the CE in the backbone network, and bind the PE interface connected with the CE to the corresponding VPN instance.
5. Configure EBGP between the CE and the PE to exchange VPN routing information.
Data Preparation
To configure BGP/MPLS IP VPN, you need the following data:
• MPLS LSR-IDs on the PEs and the Ps
• RDs of VPN-A and VPN-B
• VPN targets of VPN-A and VPN-B
Procedure
Step 1 Configure an IGP on the MPLS backbone to allow the PEs and the Ps to reach each other.
# Configure PE1.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] interface ethernet2/0/1
[PE1-Ethernet2/0/1] ip address 172.1.1.1 24
[PE1-Ethernet2/0/1] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
# Configure the P.
<Huawei> system-view
[Huawei] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] interface ethernet 1/0/0
[P-Ethernet1/0/0] ip address 172.1.1.2 24
[P-Ethernet1/0/0] quit
[P] interface ethernet 2/0/0
[P-Ethernet2/0/0] ip address 172.2.1.1 24
[P-Ethernet2/0/0] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] interface ethernet 2/0/1
[PE2-Ethernet2/0/1] ip address 172.2.1.2 24
[PE2-Ethernet2/0/1] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit
After the configuration, the OSPF neighbor relationship should be established between PE1 and
the P and between the P and PE2. After running the display ospf peer command, you can find
that the OSPF neighbor relationship is in Full state. Run the display ip routing-table command
on the PEs, and you can find that the PEs have learned the routes of the Loopback1 interface of
each other.
Use PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
1.1.1.9/32          Direct  0    0         D     127.0.0.1       InLoopBack0
2.2.2.9/32          OSPF    10   2         D     172.1.1.2       Ethernet2/0/1
3.3.3.9/32          OSPF    10   3         D     172.1.1.2       Ethernet2/0/1
127.0.0.0/8         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
172.1.1.0/24        Direct  0    0         D     172.1.1.1       Ethernet2/0/1
172.1.1.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
172.2.1.0/24        OSPF    10   2         D     172.1.1.2       Ethernet2/0/1
[PE1] display ospf peer
         OSPF Process 1 with Router ID 1.1.1.9
                 Neighbors
 Area 0.0.0.0 interface 172.1.1.1(Ethernet2/0/1)'s neighbors
 Router ID: 2.2.2.9          Address: 172.1.1.2
   State: Full  Mode:Nbr is Master  Priority: 1
   DR: None   BDR: None   MTU: 1500
   Dead timer due in 38  sec
   Neighbor is up for 00:02:44
   Authentication Sequence: [ 0 ]
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to set up
the LDP LSP.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface ethernet 2/0/1
[PE1-Ethernet2/0/1] mpls
[PE1-Ethernet2/0/1] mpls ldp
[PE1-Ethernet2/0/1] quit
# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface ethernet 1/0/0
[P-Ethernet1/0/0] mpls
[P-Ethernet1/0/0] mpls ldp
[P-Ethernet1/0/0] quit
[P] interface ethernet 2/0/0
[P-Ethernet2/0/0] mpls
[P-Ethernet2/0/0] mpls ldp
[P-Ethernet2/0/0] quit
# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface ethernet 2/0/1
[PE2-Ethernet2/0/1] mpls
[PE2-Ethernet2/0/1] mpls ldp
[PE2-Ethernet2/0/1] quit
After the configuration, LDP sessions are set up between PE1 and the P and between the P and
PE2. After running the display mpls ldp session command on the routers, you can find that the
status of the session is "Operational" in the display result. Run the display mpls ldp lsp
command, and view the status of the LDP LSP.
Use PE1 as an example:
[PE1] display mpls ldp session
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 ------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 ------------------------------------------------------------------------
 2.2.2.9:0          Operational DU   Passive  0000:00:01  5/5
 ------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp
 LDP LSP Information
 -------------------------------------------------------------------------------
 DestAddress/Mask   In/OutLabel    UpstreamPeer    NextHop         OutInterface
 -------------------------------------------------------------------------------
 1.1.1.9/32         3/NULL         2.2.2.9         127.0.0.1       InLoop0
 *1.1.1.9/32        Liberal
 2.2.2.9/32         NULL/3                         172.1.1.2       Ethernet2/0/1
 2.2.2.9/32         1024/3         2.2.2.9         172.1.1.2       Ethernet2/0/1
 3.3.3.9/32         NULL/1025                      172.1.1.2       Ethernet2/0/1
 3.3.3.9/32         1025/1025      2.2.2.9         172.1.1.2       Ethernet2/0/1
 -------------------------------------------------------------------------------
 TOTAL: 5 Normal LSP(s) Found.
 TOTAL: 1 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is in GR state
 A '*' before a NextHop means the LSP is FRR LSP
Step 3 Establish the MP-IBGP peer relationship between the PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
After the configuration, run the display bgp peer command or the display bgp vpnv4 all peer
command. You can see that the BGP peer relationship is set up between the PEs, and the peer
status is Established.
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer       V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  3.3.3.9    4   100       12       18     0  00:09:38  Established        0
Step 4 Configure VPN instances on PEs and bind the instances to the CE interfaces.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface ethernet 1/0/0
[PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[PE1-Ethernet1/0/0] ip address 10.1.1.2 24
[PE1-Ethernet1/0/0] quit
[PE1] interface ethernet 2/0/0
[PE1-Ethernet2/0/0] ip binding vpn-instance vpnb
[PE1-Ethernet2/0/0] ip address 10.2.1.2 24
[PE1-Ethernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface ethernet 1/0/0
[PE2-Ethernet1/0/0] ip binding vpn-instance vpna
[PE2-Ethernet1/0/0] ip address 10.3.1.2 24
[PE2-Ethernet1/0/0] quit
[PE2] interface ethernet 2/0/0
[PE2-Ethernet2/0/0] ip binding vpn-instance vpnb
[PE2-Ethernet2/0/0] ip address 10.4.1.2 24
[PE2-Ethernet2/0/0] quit
# Configure an IP address for the CE interface according to Figure 2-2. Details for the
configuration procedure are not provided here.
After the configuration, check the configuration of VPN instances by running the display ip
vpn-instance verbose command on the PEs. Each PE can successfully ping its own CE.
NOTE
When multiple interfaces on a PE are bound to the same VPN, specify the source IP address when
you ping the CE connected to the peer PE, that is, use the ping -a source-ip-address -vpn-instance
vpn-instance-name dest-ip-address command; otherwise, the ping fails.
Use PE1 and CE1 as an example:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
VPN-Instance Name and ID : vpna, 1
Interfaces : Ethernet1/0/0
Address family ipv4
Create date : 2009/01/21 11:30:35
Up time : 0 days, 00 hours, 05 minutes and 19 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Log Interval : 5
VPN-Instance Name and ID : vpnb, 2
Interfaces : Ethernet2/0/0
Address family ipv4
Create date : 2009/01/21 11:31:18
Up time : 0 days, 00 hours, 04 minutes and 36 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per route
The diffserv-mode Information is : uniform
The ttl-mode Information is : pipe
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=56 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=4 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=52 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=3 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/23/56 ms
Step 5 Establish the EBGP peer relationship between the PE and the CE to import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
NOTE
The configuration procedures of CE2, CE3 and CE4 are similar to that of CE1.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
NOTE
The configuration of PE2 is similar to that of PE1, and the details for the configuration procedure are not
provided here.
After the configuration, run the display bgp vpnv4 all peer command on the PE. You can see
that the BGP peer relationship is set up between the PE and the CE, and the peer status is
Established.
Use the peer relationship between PE1 and CE1 as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 VPN-Instance vpna, router ID 1.1.1.9:
 Total number of peers : 1                 Peers in established state : 1
  Peer       V     AS  MsgRcvd  MsgSent  OutQ  Up/Down       State  PrefRcv
  10.1.1.1   4  65410       11        9     0  00:06:37  Established        1
Step 6 Verify the configuration.
Run the display ip routing-table vpn-instance command on the PE; the output shows the routes
to the peer CEs.
Use PE1 as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 3        Routes : 3
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         Direct  0    0         D     10.1.1.2        Ethernet1/0/0
10.1.1.2/32         Direct  0    0         D     127.0.0.1       InLoopBack0
10.3.1.0/24         IBGP    255  0         RD    3.3.3.9         Ethernet2/0/1
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpnb
         Destinations : 3        Routes : 3
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.2.1.0/24         Direct  0    0         D     10.2.1.2        Ethernet2/0/0
10.2.1.2/32         Direct  0    0         D     127.0.0.1       InLoopBack0
10.4.1.0/24         IBGP    255  0         RD    3.3.3.9         Ethernet2/0/1
The CEs in the same VPN can successfully ping each other whereas two CEs in different VPNs
cannot ping each other.
For example, CE1 can successfully ping CE3 (10.3.1.1/24) but cannot ping CE4 (10.4.1.1/24).
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of the P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Ethernet2/0/1
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return
• Configuration file of CE1
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of CE2
#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
• Configuration file of CE3
#
sysname CE3
#
interface Ethernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
• Configuration file of CE4
#
sysname CE4
#
interface Ethernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
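The isolation between VPN-A and VPN-B in this example holds only because each VPN imports exactly the targets it exports. The following Python script is an added audit, not code from the Huawei guide: it parses the ip vpn-instance blocks of the PE1 and PE2 configuration files above (copied inline) together with a constructed misconfigured variant, and checks that each VPN's targets agree across the PEs, that no VPN imports a target another VPN exports, and that RDs are unique on each PE. The parser, the function names and the misconfigured sample are assumptions of this example.

```python
"""Audit vpn-instance route-target isolation in Huawei VRP configuration files.

Added example (not from the Huawei guide). The VPN separation in section
2.16.1 holds only because VPN-A imports exactly the target VPN-A exports
(111:1) and VPN-B likewise (222:2): any overlap lets routes leak between VPNs.
"""
import re
from dataclasses import dataclass, field
from itertools import permutations
from typing import Optional

VPN_RE = re.compile(r"^ip vpn-instance (\S+)$")
RD_RE = re.compile(r"^route-distinguisher (\S+)$")
RT_RE = re.compile(r"^vpn-target (\S+) (export-extcommunity|import-extcommunity|both)$")


@dataclass
class VpnInstance:
    name: str
    rd: Optional[str] = None
    export_rt: set = field(default_factory=set)
    import_rt: set = field(default_factory=set)


def parse_vpn_instances(config: str) -> dict:
    """Return {name: VpnInstance} for every 'ip vpn-instance' block in a VRP config."""
    instances, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":                      # '#' closes a configuration block
            current = None
            continue
        if m := VPN_RE.match(line):
            current = instances.setdefault(m.group(1), VpnInstance(m.group(1)))
            continue
        if current is None:
            continue
        if m := RD_RE.match(line):
            current.rd = m.group(1)
        elif m := RT_RE.match(line):
            rt, direction = m.groups()
            if direction != "import-extcommunity":   # export-extcommunity or both
                current.export_rt.add(rt)
            if direction != "export-extcommunity":   # import-extcommunity or both
                current.import_rt.add(rt)
    return instances


def audit(pe_configs: dict) -> list:
    """Return findings for {pe_name: config_text}; an empty list means the VPNs are isolated."""
    findings = []
    parsed = {pe: parse_vpn_instances(cfg) for pe, cfg in pe_configs.items()}
    exports, imports = {}, {}
    for pe, insts in parsed.items():
        rd_owner = {}
        for inst in insts.values():
            if inst.rd is None:
                findings.append(f"{pe}: {inst.name} has no route-distinguisher")
            elif inst.rd in rd_owner:
                findings.append(f"{pe}: RD {inst.rd} used by both {rd_owner[inst.rd]} and {inst.name}")
            else:
                rd_owner[inst.rd] = inst.name
            exports.setdefault(inst.name, set()).update(inst.export_rt)
            imports.setdefault(inst.name, set()).update(inst.import_rt)
    # Every PE hosting a VPN must use the same target sets as the other PEs.
    for name in exports:
        for pe, insts in parsed.items():
            if name in insts and (insts[name].export_rt, insts[name].import_rt) != (exports[name], imports[name]):
                findings.append(f"{pe}: {name} targets differ from the other PEs")
    # A VPN that imports a target another VPN exports receives that VPN's routes.
    for a, b in permutations(exports, 2):
        if leak := imports[a] & exports[b]:
            findings.append(f"{a} imports {sorted(leak)} exported by {b}: routes leak between VPNs")
    return findings


# vpn-instance blocks copied from the PE1 configuration file in section 2.16.1;
# PE2 differs only in its RDs (200:1 and 200:2).
PE1_CFG = """\
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
PE2_CFG = PE1_CFG.replace("100:1", "200:1").replace("100:2", "200:2")
# Constructed misconfiguration (not from the guide): vpnb on PE2 also imports VPN-A's target.
PE2_BAD_CFG = PE2_CFG.replace("vpn-target 222:2 import-extcommunity",
                              "vpn-target 222:2 import-extcommunity\n  vpn-target 111:1 import-extcommunity")

if __name__ == "__main__":
    print("as documented:", audit({"PE1": PE1_CFG, "PE2": PE2_CFG}))   # []
    for finding in audit({"PE1": PE1_CFG, "PE2": PE2_BAD_CFG}):
        print("misconfigured:", finding)
```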
2.16.2 Example for Configuring the BGP AS Number Substitution
If two VPN sites have the same AS number, and EBGP connections are established between
PEs and CEs, you must enable the AS number substitution function on the PEs that the two VPN
sites access. Otherwise, each CE discards the routes of the other site because its own AS number
already appears in their AS_PATH.
Networking Requirements
As shown in Figure 2-3, CE1 and CE2 belong to the same VPN and access PE1 and PE2
respectively. CE1 and CE2 use the same AS number, 600.
Figure 2-3 Networking diagram of BGP AS number substitution
[Figure: CE1 (AS 600, VPN1; GE1/0/0 10.1.1.1/24, GE2/0/0 100.1.1.1/24) connects to PE1 (Loopback1 1.1.1.9/32; GE1/0/0 10.1.1.2/24, GE2/0/0 20.1.1.1/24). PE1 connects across the backbone (AS 100) to P (Loopback1 2.2.2.9/32; GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24) and on to PE2 (Loopback1 3.3.3.9/32; GE2/0/0 30.1.1.2/24, GE1/0/0 10.2.1.2/24). CE2 (AS 600, VPN1; GE1/0/0 10.2.1.1/24, GE2/0/0 200.1.1.1/24) connects to PE2.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the backbone network to interconnect the PEs and to connect each PE with the P.
2. Set up the MPLS LDP LSP between the PEs. Create the VPN instance on each PE. Configure the CE to access the PE.
3. Set up the EBGP peer relationship between the PE and the CE. Import the routes of the CE into the PE.
4. Configure the BGP AS number substitution on the PE.
Data Preparation
To configure the BGP AS number substitution, you need the following data:
• MPLS LSR-IDs of the PE and the P
• The VPN instances created on PE1 and PE2
• The same AS number used by CE1 and CE2 (it is different from the AS number of the backbone network)
Procedure
Step 1 Configure basic BGP/MPLS IP VPN.
The configuration of basic BGP/MPLS IP VPN includes:
• Configure OSPF on the MPLS backbone network so that the PEs and the P learn the routes to each other's Loopback interfaces.
• Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network to establish the LDP LSP.
• Establish the MP-IBGP peer relationship between the PEs to advertise VPN-IPv4 routes.
• Configure the VPN instance of VPN1 on PE2 and associate it with CE2.
• Configure the VPN instance of VPN1 on PE1 and associate it with CE1.
• Configure EBGP between PE1 and CE1, and between PE2 and CE2, to import the CE routes into the PEs.
After the configuration given above, run the display ip routing-table command on CE2. It
shows that CE2 can learn the route of the network segment (10.1.1.0/24) of the interface on CE1
that is connected with PE1. There is no route to the VPN site (100.1.1.0/24) of the CE1. The
same situation occurs on CE1.
[CE2] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 9        Routes : 9
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         EBGP    255  0         D     10.2.1.2        GigabitEthernet1/0/0
10.1.1.1/32         EBGP    255  0         D     10.2.1.2        GigabitEthernet1/0/0
10.2.1.0/24         Direct  0    0         D     10.2.1.1        GigabitEthernet1/0/0
10.2.1.2/32         Direct  0    0         D     10.2.1.2        GigabitEthernet1/0/0
10.2.1.1/32         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
200.1.1.0/24        Direct  0    0         D     200.1.1.1       GigabitEthernet2/0/0
200.1.1.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
Run the display ip routing-table vpn-instance command on PE. It shows that there are routes
to the VPN site of the remote CE in the VPN instances of the PE.
Consider PE2 as an example:
[PE2] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 8        Routes : 8
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         EBGP    255  0         RD    1.1.1.9         GigabitEthernet2/0/0
10.1.1.1/32         EBGP    255  0         RD    1.1.1.9         GigabitEthernet2/0/0
10.1.1.2/32         EBGP    255  0         RD    1.1.1.9         GigabitEthernet2/0/0
10.2.1.0/24         Direct  0    0         D     10.2.1.2        GigabitEthernet1/0/0
10.2.1.1/32         Direct  0    0         D     10.2.1.1        GigabitEthernet1/0/0
10.2.1.2/32         Direct  0    0         D     127.0.0.1       InLoopBack0
100.1.1.0/24        EBGP    255  0         RD    1.1.1.9         GigabitEthernet2/0/0
200.1.1.0/24        EBGP    255  0         D     10.2.1.1        GigabitEthernet1/0/0
Run the display bgp routing-table peer received-routes command on CE2. It shows that CE2
does not receive the route to 100.1.1.0/24.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes
 Total Number of Routes: 4
 BGP Local router ID is 10.2.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   10.1.1.0/24        10.2.1.2                             0       100?
 *>   10.1.1.1/32        10.2.1.2                             0       100?
 *    10.2.1.0/24        10.2.1.2       0                     0       100?
 *>   10.2.1.1/32        10.2.1.2       0                     0       100?
Step 2 Substitute the BGP AS number.
# Substitute the BGP AS number on the PEs.
Consider PE2 as an example.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 substitute-as
Display the routing information and routing table received by CE2.
[CE2] display bgp routing-table peer 10.2.1.2 received-routes
 Total Number of Routes: 6
 BGP Local router ID is 10.2.1.1
 Status codes: * - valid, > - best, d - damped,
               h - history,  i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   10.1.1.0/24        10.2.1.2                             0       100?
 *>   10.1.1.1/32        10.2.1.2                             0       100?
 *>   10.1.1.2/32        10.2.1.2                             0       100 100?
 *    10.2.1.0/24        10.2.1.2       0                     0       100?
 *    10.2.1.1/32        10.2.1.2       0                     0       100?
 *>   100.1.1.0/24       10.2.1.2                             0       100 100?
[CE2] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
10.1.1.0/24         EBGP    255  0         D     10.2.1.2        GigabitEthernet1/0/0
10.1.1.1/32         EBGP    255  0         D     10.2.1.2        GigabitEthernet1/0/0
10.2.1.0/24         Direct  0    0         D     10.2.1.1        GigabitEthernet1/0/0
10.2.1.1/32         Direct  0    0         D     127.0.0.1       InLoopBack0
10.2.1.2/32         Direct  0    0         D     10.2.1.2        GigabitEthernet1/0/0
100.1.1.1/24        EBGP    255  0         D     10.2.1.2        GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0         D     127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
200.1.1.0/24        Direct  0    0         D     127.0.0.1       GigabitEthernet2/0/0
200.1.1.1/32        Direct  0    0         D     127.0.0.1       InLoopBack0
Configure the BGP AS number substitution function on PE1 in the same way. The GigabitEthernet
interfaces of CE1 and CE2 can then ping each other.
[CE1] ping -a 100.1.1.1 200.1.1.1
PING 200.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms
Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms
Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms
Reply from 200.1.1.1: bytes=56 Sequence=4 ttl=253 time=85 ms
Reply from 200.1.1.1: bytes=56 Sequence=5 ttl=253 time=70 ms
--- 200.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 66/79/109 ms
----End
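The AS_PATH behaviour behind Step 2, as an added Python model that is not code from the Huawei guide: it replays the routes PE2 advertises to CE2 with and without peer substitute-as and applies the receiver's loop check, so the result matches the two received-routes tables above. The function names and the set of routes held by PE2 are assumptions of this example.

```python
"""Model of the BGP AS_PATH loop check and the 'peer substitute-as' rewrite.

Added example (not code from the Huawei guide). CE1 and CE2 both use AS 600,
so CE2 rejects PE2's advertisement of CE1's routes: their AS_PATH already
contains 600. With substitute-as, PE2 rewrites 600 to its own AS before
sending, the path becomes "100 100", and CE2 accepts the routes.
"""
BACKBONE_AS = 100   # AS of PE1, P and PE2
SITE_AS = 600       # AS shared by CE1 and CE2


def ebgp_send(as_path, local_as, peer_as, substitute_as=False):
    """AS_PATH a router sends to an EBGP peer: optionally rewrite the peer's AS, then prepend its own."""
    if substitute_as:
        as_path = tuple(local_as if asn == peer_as else asn for asn in as_path)
    return (local_as,) + tuple(as_path)


def ebgp_accept(as_path, local_as):
    """Receiver-side loop prevention: a path containing the receiver's own AS is discarded."""
    return local_as not in as_path


# Routes held by PE2 in vpn1 before advertisement to CE2, with the AS_PATH as received
# over MP-IBGP (IBGP leaves the path unchanged). Derived from the tables in section 2.16.2:
# routes CE1 originated carry (600,); PE1's own imported direct routes carry an empty path.
ROUTES_AT_PE2 = {
    "10.1.1.0/24": (),
    "10.1.1.1/32": (),
    "10.1.1.2/32": (SITE_AS,),
    "100.1.1.0/24": (SITE_AS,),
}


def routes_received_by_ce2(substitute_as):
    """Return {prefix: AS_PATH accepted by CE2}; prefixes CE2 rejects map to None."""
    received = {}
    for prefix, path in ROUTES_AT_PE2.items():
        sent = ebgp_send(path, BACKBONE_AS, SITE_AS, substitute_as)
        received[prefix] = sent if ebgp_accept(sent, SITE_AS) else None
    return received


def path_str(path):
    """Render a path the way 'display bgp routing-table' prints it, e.g. '100 100'."""
    return " ".join(str(asn) for asn in path)


if __name__ == "__main__":
    for mode in (False, True):
        print(f"substitute-as {'on ' if mode else 'off'}:")
        for prefix, path in routes_received_by_ce2(mode).items():
            print(f"  {prefix:<14} {'rejected (own AS in path)' if path is None else path_str(path)}")
    # Caveat: substitute-as removes the check that would otherwise stop a site's own routes
    # from coming back to it through the backbone, so it belongs only on PE-CE sessions of
    # sites that have no other path to each other; the guide enables it per peer on both PEs.
```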
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 600
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 600
peer 10.1.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 20.1.1.0 0.0.0.255
#
return
• Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 600
peer 10.2.1.1 substitute-as
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 30.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 200.1.1.1 255.255.255.0
#
bgp 600
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.3 Example for Configuring Hub and Spoke
In Hub and Spoke networking, an access control device is designated in the VPN, and users communicate with each other through that access control device.
Networking Requirements
Communication between the Spoke-CEs is controlled by the Hub-CE at the central site; that is, traffic between the Spoke-CEs is forwarded not only by the Hub-PE but also by the Hub-CE, as shown in Figure 2-4.
Figure 2-4 Hub and Spoke networking diagram
(Diagram not reproduced. Addressing shown in the figure: backbone AS 100. Hub-PE: Loopback1 1.1.1.9/32 is Spoke-PE1's, Loopback1 2.2.2.9/32 is Hub-PE's, Loopback1 3.3.3.9/32 is Spoke-PE2's. Hub-PE Eth1/0/0 10.1.1.2/24 connects to Spoke-PE1 Eth2/0/0 10.1.1.1/24; Hub-PE Eth2/0/0 11.1.1.2/24 connects to Spoke-PE2 Eth2/0/0 11.1.1.1/24; Hub-PE Eth2/0/1 110.1.1.2/24 and Eth1/0/1 110.2.1.2/24 connect to Hub-CE (AS 65430) Eth1/0/0 110.1.1.1/24 and Eth2/0/0 110.2.1.1/24. Spoke-PE1 Eth1/0/0 100.1.1.2/24 connects to Spoke-CE1 (AS 65410) Eth1/0/0 100.1.1.1/24; Spoke-PE2 Eth1/0/0 120.1.1.2/24 connects to Spoke-CE2 (AS 65420) Eth1/0/0 120.1.1.1/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Set up the MP-IBGP peer relationship between the Hub-PE and each Spoke-PE. (No MP-IBGP peer relationship is needed between the Spoke-PEs.)
2. Create a VPN instance on each Spoke-PE and set its import target to a value different from its export target.
3. Create two VPN instances, vpn_in and vpn_out, on the Hub-PE. Set the import target of vpn_in to the VPN target exported by the two Spoke-PEs. Set the export target of vpn_out to the VPN target imported by the two Spoke-PEs; it must differ from the target imported by vpn_in.
4. Configure EBGP between each CE and its PE.
5. Configure the Hub-PE to accept routes in which its own AS number appears once (allow-as-loop 1).
Data Preparation
To configure Hub and Spoke, you need the following data:
• MPLS LSR IDs of the PEs
• VPN instance names, RDs and VPN targets of the Hub-PE and the Spoke-PEs
Procedure
Step 1 Configure an IGP to implement interworking between the Hub-PE and the Spoke-PEs on the backbone network.
OSPF is used in this example; the specific configuration procedure is not described here.
After the configuration, an OSPF neighbor relationship is established between the Hub-PE and each Spoke-PE.
After running the display ospf peer command, you can see that the neighbor status is Full.
After running the display ip routing-table command on the PEs, you can see that the PEs have learned each other's Loopback routes.
Step 2 Configure basic MPLS capabilities and MPLS LDP on the backbone network and establish LDP LSPs.
The specific configuration procedure is not described here.
After the configuration, an LDP neighbor relationship is established between the Hub-PE and each Spoke-PE.
After running the display mpls ldp session command on each device, you can see that the session status is "Operational".
Step 3 Configure VPN instances on each PE and connect the CE to the PE.
NOTE
The import target list of one VPN instance on the Hub-PE must include the export targets of all Spoke-PEs.
The export target list of the other VPN instance on the Hub-PE must include the import targets of all Spoke-PEs.
# Configure Spoke-PE 1.
<Spoke-PE1> system-view
[Spoke-PE1] ip vpn-instance vpna
[Spoke-PE1-vpn-instance-vpna] ipv4-family
[Spoke-PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE1-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE1-vpn-instance-vpna] quit
[Spoke-PE1] interface ethernet 1/0/0
[Spoke-PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[Spoke-PE1-Ethernet1/0/0] ip address 100.1.1.2 24
[Spoke-PE1-Ethernet1/0/0] quit
# Configure Spoke-PE 2.
<Spoke-PE2> system-view
[Spoke-PE2] ip vpn-instance vpna
[Spoke-PE2-vpn-instance-vpna] ipv4-family
[Spoke-PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 100:3
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 100:1 export-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] vpn-target 200:1 import-extcommunity
[Spoke-PE2-vpn-instance-vpna-af-ipv4] quit
[Spoke-PE2-vpn-instance-vpna] quit
[Spoke-PE2] interface ethernet 1/0/0
[Spoke-PE2-Ethernet1/0/0] ip binding vpn-instance vpna
[Spoke-PE2-Ethernet1/0/0] ip address 120.1.1.2 24
[Spoke-PE2-Ethernet1/0/0] quit
# Configure Hub-PE.
<Hub-PE> system-view
[Hub-PE] ip vpn-instance vpn_in
[Hub-PE-vpn-instance-vpn_in] ipv4-family
[Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21
[Hub-PE-vpn-instance-vpn_in-af-ipv4] vpn-target 100:1 import-extcommunity
[Hub-PE-vpn-instance-vpn_in-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_in] quit
[Hub-PE] ip vpn-instance vpn_out
[Hub-PE-vpn-instance-vpn_out] ipv4-family
[Hub-PE-vpn-instance-vpn_out-af-ipv4] route-distinguisher 100:22
[Hub-PE-vpn-instance-vpn_out-af-ipv4] vpn-target 200:1 export-extcommunity
[Hub-PE-vpn-instance-vpn_out-af-ipv4] quit
[Hub-PE-vpn-instance-vpn_out] quit
[Hub-PE] interface ethernet 2/0/1
[Hub-PE-Ethernet2/0/1] ip binding vpn-instance vpn_in
[Hub-PE-Ethernet2/0/1] ip address 110.1.1.2 24
[Hub-PE-Ethernet2/0/1] quit
[Hub-PE] interface ethernet 1/0/1
[Hub-PE-Ethernet1/0/1] ip binding vpn-instance vpn_out
[Hub-PE-Ethernet1/0/1] ip address 110.2.1.2 24
[Hub-PE-Ethernet1/0/1] quit
# Configure IP addresses of the CE interfaces as shown in Figure 2-4.
The configuration procedure is not described here.
After the configuration, run the display ip vpn-instance verbose command on the PEs to view the VPN instance configurations. Each PE can ping its attached CEs using the ping -vpn-instance vpn-name ip-address command.
NOTE
When several interfaces on a PE are bound to the same VPN instance, you must specify the source IP address when you ping the CE attached to the peer PE. That is, specify -a source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name dest-ip-address command; otherwise, the ping fails.
Step 4 Establish EBGP peers between the PE and the CE and import the VPN routes.
NOTE
To accept the routes advertised by the Hub-CE, configure the Hub-PE to allow its AS number to be repeated once (the allow-as-loop command in the Hub-PE configuration below). You do not need to allow the AS number to be repeated on the Spoke-PEs, because a router does not check the AS_PATH attribute of routes received from an IBGP peer.
# Configure Spoke-CE 1.
[Spoke-CE1] bgp 65410
[Spoke-CE1-bgp] peer 100.1.1.2 as-number 100
[Spoke-CE1-bgp] import-route direct
[Spoke-CE1-bgp] quit
# Configure Spoke-PE 1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] ipv4-family vpn-instance vpna
[Spoke-PE1-bgp-vpna] peer 100.1.1.1 as-number 65410
[Spoke-PE1-bgp-vpna] quit
[Spoke-PE1-bgp] quit
# Configure Spoke-CE 2.
[Spoke-CE2] bgp 65420
[Spoke-CE2-bgp] peer 120.1.1.2 as-number 100
[Spoke-CE2-bgp] import-route direct
[Spoke-CE2-bgp] quit
# Configure Spoke-PE 2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] ipv4-family vpn-instance vpna
[Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420
[Spoke-PE2-bgp-vpna] quit
[Spoke-PE2-bgp] quit
# Configure Hub-CE.
[Hub-CE] bgp 65430
[Hub-CE-bgp] peer 110.1.1.2 as-number 100
[Hub-CE-bgp] peer 110.2.1.2 as-number 100
[Hub-CE-bgp] import-route direct
[Hub-CE-bgp] quit
# Configure Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] ipv4-family vpn-instance vpn_in
[Hub-PE-bgp-vpn_in] peer 110.1.1.1 as-number 65430
[Hub-PE-bgp-vpn_in] quit
[Hub-PE-bgp] ipv4-family vpn-instance vpn_out
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 as-number 65430
[Hub-PE-bgp-vpn_out] peer 110.2.1.1 allow-as-loop 1
[Hub-PE-bgp-vpn_out] quit
[Hub-PE-bgp] quit
After the configuration, run the display bgp vpnv4 all peer command on each PE device; you can see that the BGP peer relationship is established between the PE and the CE.
Step 5 Establish MP-IBGP peers between the PEs.
# Configure Spoke-PE 1.
[Spoke-PE1] bgp 100
[Spoke-PE1-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE1-bgp] ipv4-family vpnv4
[Spoke-PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE1-bgp-af-vpnv4] quit
# Configure Spoke-PE 2.
[Spoke-PE2] bgp 100
[Spoke-PE2-bgp] peer 2.2.2.9 as-number 100
[Spoke-PE2-bgp] peer 2.2.2.9 connect-interface loopback 1
[Spoke-PE2-bgp] ipv4-family vpnv4
[Spoke-PE2-bgp-af-vpnv4] peer 2.2.2.9 enable
[Spoke-PE2-bgp-af-vpnv4] quit
# Configure Hub-PE.
[Hub-PE] bgp 100
[Hub-PE-bgp] peer 1.1.1.9 as-number 100
[Hub-PE-bgp] peer 1.1.1.9 connect-interface loopback 1
[Hub-PE-bgp] peer 3.3.3.9 as-number 100
[Hub-PE-bgp] peer 3.3.3.9 connect-interface loopback 1
[Hub-PE-bgp] ipv4-family vpnv4
[Hub-PE-bgp-af-vpnv4] peer 1.1.1.9 enable
[Hub-PE-bgp-af-vpnv4] peer 3.3.3.9 enable
[Hub-PE-bgp-af-vpnv4] quit
After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on each PE device. You can see that the BGP peer relationship is set up between the PEs and that the status is Established.
Step 6 Verify the configuration.
After the configuration, the Spoke-CEs can ping each other. Run the tracert command, and you can see that the traffic between the Spoke-CEs is forwarded through the Hub-CE. You can also deduce the number of forwarding devices between the Spoke-CEs from the TTL in the ping result.
Consider Spoke-CE 1 as an example:
[Spoke-CE1] ping 120.1.1.1
PING 120.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 120.1.1.1: bytes=56 Sequence=1 ttl=250 time=80 ms
Reply from 120.1.1.1: bytes=56 Sequence=2 ttl=250 time=129 ms
Reply from 120.1.1.1: bytes=56 Sequence=3 ttl=250 time=132 ms
Reply from 120.1.1.1: bytes=56 Sequence=4 ttl=250 time=92 ms
Reply from 120.1.1.1: bytes=56 Sequence=5 ttl=250 time=126 ms
--- 120.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 80/111/132 ms
[Spoke-CE1] tracert 120.1.1.1
traceroute to 120.1.1.1(120.1.1.1), max hops: 30 ,packet length: 40
1 100.1.1.2 8 ms 2 ms 2 ms
2 110.2.1.2 3 ms 2 ms 2 ms
3 110.2.1.1 3 ms 2 ms 2 ms
4 110.1.1.2 3 ms 2 ms 2 ms
5 120.1.1.2 6 ms 6 ms 6 ms
6 120.1.1.1 6 ms 6 ms 6 ms
Run the display bgp routing-table command on a Spoke-CE, and you can see that AS numbers repeat in the AS paths of the BGP routes toward the remote Spoke-CE.
Consider Spoke-CE 1 as an example:
[Spoke-CE1] display bgp routing-table
Total Number of Routes: 6
BGP Local router ID is 100.1.1.1
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
     Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>  100.1.1.0/24       0.0.0.0         0                    0       ?
 *                      100.1.1.2       0                    0       100?
 *>  100.1.1.1/32       0.0.0.0         0                    0       ?
 *>  110.1.1.0/24       100.1.1.2                            0       100 65430?
 *>  110.2.1.0/24       100.1.1.2                            0       100?
 *>  120.1.1.0/24       100.1.1.2                            0       100 65430 100?
----End
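The behaviour verified in Step 6 follows directly from two rules: VPN-target filtering decides which VRFs import a VPNv4 route, and BGP loop detection drops a route whose AS_PATH already contains the receiver's AS. The following is an added example, not part of the Huawei guide: a small Python model of those two rules loaded with the VPN targets, AS numbers and allow-as-loop value configured in Steps 3 and 4. Running it shows that a Spoke-PE's routes are imported only by vpn_in on the Hub-PE, that the route to 120.1.1.0/24 reaches Spoke-CE1 with the AS_PATH 100 65430 100 seen in the display bgp routing-table output above, and that without allow-as-loop 1 the Hub-PE would drop the route when it returns from the Hub-CE. The class and function names, and the modelling of the Hub-CE as a single "CE link" between vpn_in and vpn_out, are this example's own simplifications.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str            # "device/vpn-instance"
    asn: int             # AS number of the PE that owns the VRF
    imports: frozenset   # VPN targets accepted from MP-IBGP (import-extcommunity)
    exports: frozenset   # VPN targets attached to advertised routes (export-extcommunity)


# VRFs as configured in this section (values constructed from the configuration files).
SPOKE_PE1 = Vrf("Spoke-PE1/vpna", 100, frozenset({"200:1"}), frozenset({"100:1"}))
SPOKE_PE2 = Vrf("Spoke-PE2/vpna", 100, frozenset({"200:1"}), frozenset({"100:1"}))
HUB_IN = Vrf("Hub-PE/vpn_in", 100, frozenset({"100:1"}), frozenset())
HUB_OUT = Vrf("Hub-PE/vpn_out", 100, frozenset(), frozenset({"200:1"}))
VRFS = (SPOKE_PE1, SPOKE_PE2, HUB_IN, HUB_OUT)

# EBGP detour through the Hub-CE (AS 65430): routes leave vpn_in towards the CE and
# come back into vpn_out. Last field: allow-as-loop configured on the vpn_out peer.
CE_LINKS = ((HUB_IN, HUB_OUT, 65430, 1),)


def mp_ibgp_receivers(src):
    """VRFs in the same AS whose import list matches one of src's export targets."""
    return [v for v in VRFS if v is not src and v.asn == src.asn and v.imports & src.exports]


def accepted_from_ebgp(local_asn, as_path, allow_as_loop):
    """Standard BGP loop check: the route is dropped if the receiver's own AS occurs
    in AS_PATH more often than allow-as-loop permits (0 is the default)."""
    return as_path.count(local_asn) <= allow_as_loop


def propagate(origin, allow_as_loop=None):
    """Return {vrf_name: as_path} for every VRF that ends up holding a route that
    `origin` injects locally (import-route direct, empty AS_PATH). When given,
    allow_as_loop overrides the configured value on every CE link."""
    table = {origin.name: ()}
    work = [(origin, (), "local")]
    while work:
        vrf, path, learned_via = work.pop()
        # MP-IBGP: AS_PATH unchanged. IBGP-learned routes are not re-advertised to
        # IBGP peers (there is no route reflector in this example).
        if learned_via != "ibgp":
            for rcv in mp_ibgp_receivers(vrf):
                if rcv.name not in table:
                    table[rcv.name] = path
                    work.append((rcv, path, "ibgp"))
        # EBGP detour: the PE prepends its AS when advertising to the CE, and the CE
        # prepends its own AS when handing the route back to the PE.
        for src, dst, ext_asn, cfg_loop in CE_LINKS:
            if src is vrf and dst.name not in table:
                loop = cfg_loop if allow_as_loop is None else allow_as_loop
                returned = (ext_asn, vrf.asn) + path
                if accepted_from_ebgp(dst.asn, returned, loop):
                    table[dst.name] = returned
                    work.append((dst, returned, "ebgp"))
    return table


def path_seen_by_ce(table, pe_vrf):
    """AS_PATH the CE attached to pe_vrf receives (its PE prepends its own AS),
    or None if the route never reached that VRF."""
    if pe_vrf.name not in table:
        return None
    return (pe_vrf.asn,) + table[pe_vrf.name]


if __name__ == "__main__":
    # 120.1.1.0/24 enters the VPN on Spoke-PE2 through import-route direct.
    learned = propagate(SPOKE_PE2)
    for name, path in learned.items():
        print(f"{name:16} AS_PATH {' '.join(map(str, path)) or '(empty)'}")
    print("Spoke-CE1 receives AS_PATH:", path_seen_by_ce(learned, SPOKE_PE1))  # (100, 65430, 100)
    print("without allow-as-loop:", path_seen_by_ce(propagate(SPOKE_PE2, 0), SPOKE_PE1))  # None
```

The two spokes export the same target (100:1) and import the same target (200:1), so neither ever matches the other's routes; only vpn_in does. Everything the spokes learn comes back through vpn_out, and the only place the AS 100 loop is ever evaluated is the EBGP session from the Hub-CE into vpn_out, which is why allow-as-loop is needed there and nowhere else.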
Configuration Files
• Configuration file of Spoke-CE 1
#
sysname Spoke-CE1
#
interface Ethernet1/0/0
ip address 100.1.1.1 255.255.255.0
#
bgp 65410
peer 100.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 100.1.1.2 enable
#
return
• Configuration file of Spoke-PE 1
#
sysname Spoke-PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 100.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 100.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
• Configuration file of Spoke-PE 2
#
sysname Spoke-PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:3
vpn-target 100:1 export-extcommunity
vpn-target 200:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 120.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip address 11.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 120.1.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 11.1.1.0 0.0.0.255
#
return
• Configuration file of Spoke-CE 2
#
sysname Spoke-CE2
#
interface Ethernet1/0/0
ip address 120.1.1.1 255.255.255.0
#
bgp 65420
peer 120.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 120.1.1.2 enable
#
return
• Configuration file of Hub-CE
#
sysname Hub-CE
#
interface Ethernet1/0/0
ip address 110.1.1.1 255.255.255.0
#
interface Ethernet2/0/0
ip address 110.2.1.1 255.255.255.0
#
bgp 65430
peer 110.1.1.2 as-number 100
peer 110.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 110.2.1.2 enable
peer 110.1.1.2 enable
#
return
• Configuration file of Hub-PE
#
sysname Hub-PE
#
ip vpn-instance vpn_in
ipv4-family
route-distinguisher 100:21
vpn-target 100:1 import-extcommunity
#
ip vpn-instance vpn_out
ipv4-family
route-distinguisher 100:22
vpn-target 200:1 export-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip address 11.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/1
ip binding vpn-instance vpn_in
ip address 110.1.1.2 255.255.255.0
#
interface Ethernet1/0/1
ip binding vpn-instance vpn_out
ip address 110.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn_in
peer 110.1.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpn_out
peer 110.2.1.1 as-number 65430
peer 110.2.1.1 allow-as-loop
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 11.1.1.0 0.0.0.255
#
return
2.16.4 Example for Configuring Inter-AS VPN Option A
After VPN instances are configured on the ASBRs, you can implement the Option A solution, which manages VPN routes in VRF-to-VRF mode.
Networking Requirements
As shown in Figure 2-5, CE1 and CE2 belong to the same VPN. CE1 accesses the network through PE1 in AS 100, and CE2 accesses the network through PE2 in AS 200.
The inter-AS BGP/MPLS IP VPN is implemented using Option A; that is, the VRF-to-VRF method is used to manage the VPN routes.
Figure 2-5 Networking diagram of inter-AS VPN
(Diagram not reproduced. Addressing shown in the figure: BGP/MPLS backbone AS 100 with PE1 (Loopback1 1.1.1.9/32, GE2/0/0 10.1.1.2/24 to CE1, GE1/0/0 172.1.1.2/24 to ASBR1) and ASBR1 (Loopback1 2.2.2.9/32, GE1/0/0 172.1.1.1/24, GE2/0/0 192.1.1.1/24 to ASBR2); BGP/MPLS backbone AS 200 with ASBR2 (Loopback1 3.3.3.9/32, GE2/0/0 192.1.1.2/24, GE1/0/0 162.1.1.1/24 to PE2) and PE2 (Loopback1 4.4.4.9/32, GE1/0/0 162.1.1.2/24, GE2/0/0 10.2.1.2/24 to CE2); CE1 (AS 65001) GE1/0/0 10.1.1.1/24; CE2 (AS 65002) GE1/0/0 10.2.1.1/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Set up the EBGP peer relationship between the PE and the CE. Set up the MP-IBGP peer relationship between the PE and the ASBR.
2. Create the VPN instance on the two ASBRs and bind the instance to the interface connected to the other ASBR. Set up the EBGP peer relationship between the ASBRs.
Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR IDs of the PEs and the ASBRs
• VPN instance names, RDs and VPN targets of the PEs and the ASBRs
Procedure
Step 1 Configure an IGP on the MPLS backbone of AS 100 and on that of AS 200 so that the ASBR and the PE in the same AS can reach each other.
OSPF is used as the IGP in this example; the configuration procedure is not described here.
NOTE
The 32-bit loopback interface address used as the LSR ID must be advertised by OSPF.
After the configuration, an OSPF neighbor relationship is established between the ASBR and the PE in the same AS. Run the display ospf peer command to check that the OSPF neighbor relationship is in the "Full" state.
The ASBR and the PE in the same AS can ping each other and have learned each other's Loopback interface addresses.
Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone of AS 100 and on that of AS 200 to set up LDP LSPs.
# Configure basic MPLS capability on PE1 and enable LDP on the interface connecting ASBR1.
<PE1> system-view
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on ASBR1 and enable LDP on the interface connecting PE1.
<ASBR1> system-view
[ASBR1] mpls lsr-id 2.2.2.9
[ASBR1] mpls
[ASBR1-mpls] quit
[ASBR1] mpls ldp
[ASBR1-mpls-ldp] quit
[ASBR1] interface gigabitethernet1/0/0
[ASBR1-GigabitEthernet1/0/0] mpls
[ASBR1-GigabitEthernet1/0/0] mpls ldp
[ASBR1-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on ASBR2 and enable LDP on the interface connecting PE2.
<ASBR2> system-view
[ASBR2] mpls lsr-id 3.3.3.9
[ASBR2] mpls
[ASBR2-mpls] quit
[ASBR2] mpls ldp
[ASBR2-mpls-ldp] quit
[ASBR2] interface gigabitethernet1/0/0
[ASBR2-GigabitEthernet1/0/0] mpls
[ASBR2-GigabitEthernet1/0/0] mpls ldp
[ASBR2-GigabitEthernet1/0/0] quit
# Configure basic MPLS capability on PE2 and enable LDP on the interface connecting ASBR2.
<PE2> system-view
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, an LDP neighbor relationship is established between the PE and the ASBR in the same AS. Run the display mpls ldp session command on the PE or the ASBR; the session state shown in the output is "Operational".
Consider PE1 as an example.
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
--------------------------------------------------------------------------
PeerID             Status       LAM  SsnRole  SsnAge      KASent/Rcv
--------------------------------------------------------------------------
2.2.2.9:0          Operational  DU   Passive  0000:00:02  9/9
--------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
Step 3 Configure basic BGP/MPLS IP VPN on the MPLS backbone of AS 100 and AS 200 respectively.
NOTE
The VPN targets of the VPN instances on the ASBR and the PE in the same AS must match. PEs in different ASs do not need matching VPN target attributes.
# Configure CE1.
<CE1> system-view
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE1 to set up the EBGP peer relationship with CE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] quit
[PE1-bgp] quit
# Configure PE1 to set up the MP-IBGP peer relationship with ASBR1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
# Configure ASBR1 to set up the MP-IBGP peer relationship with PE1.
[ASBR1] bgp 100
[ASBR1-bgp] peer 1.1.1.9 as-number 100
[ASBR1-bgp] peer 1.1.1.9 connect-interface loopback 1
[ASBR1-bgp] ipv4-family vpnv4
[ASBR1-bgp-af-vpnv4] peer 1.1.1.9 enable
[ASBR1-bgp-af-vpnv4] quit
[ASBR1-bgp] quit
NOTE
The configurations of CE2, PE2, and ASBR2 are similar to those of CE1, PE1, and ASBR1 and are not described here.
After the preceding configurations, run the display bgp vpnv4 vpn-instance peer command. You can see that the BGP peer relationship between the PE and the CE is set up, that is, the "State" column shows "Established". Run the display bgp vpnv4 all peer command to see that the BGP peer relationship is "Established" both between the PE and the CE and between the PE and the ASBR.
Consider PE1 as an example.
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpn1, router ID 1.1.1.9:
Total number of peers : 1                 Peers in established state : 1
Peer        V   AS     MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
10.1.1.1    4   65001       10       10     0  00:07:10   Established        2
[PE1] display bgp vpnv4 all peer
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 2                 Peers in established state : 2
Peer        V   AS     MsgRcvd  MsgSent  OutQ  Up/Down    State        PrefRcv
2.2.2.9     4   100          3        7     0  00:01:36   Established        0
Peer of IPv4-family for vpn instance :
VPN-Instance vpn1, router ID 1.1.1.9:
10.1.1.1    4   65001       13       13     0  00:04:00   Established        2
Step 4 Configure inter-AS VPN in VRF-to-VRF mode.
# Configure ASBR1. Create a VPN instance and bind it to the interface connected to ASBR2.
(ASBR1 regards ASBR2 as its own CE.)
[ASBR1] ip vpn-instance vpn1
[ASBR1-vpn-instance-vpn1] ipv4-family
[ASBR1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:2
[ASBR1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 both
[ASBR1-vpn-instance-vpn1-af-ipv4] quit
[ASBR1-vpn-instance-vpn1] quit
[ASBR1] interface gigabitethernet 2/0/0
[ASBR1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[ASBR1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR1-GigabitEthernet2/0/0] quit
# Configure ASBR2. Create a VPN instance and bind it to the interface connected to ASBR1.
(ASBR2 regards ASBR1 as its CE after configuration.)
[ASBR2] ip vpn-instance vpn1
[ASBR2-vpn-instance-vpn1] ipv4-family
[ASBR2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:2
[ASBR2-vpn-instance-vpn1-af-ipv4] vpn-target 2:2 both
[ASBR2-vpn-instance-vpn1-af-ipv4] quit
[ASBR2-vpn-instance-vpn1] quit
[ASBR2] interface gigabitethernet 2/0/0
[ASBR2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[ASBR2-GigabitEthernet2/0/0] ip address 192.1.1.2 24
[ASBR2-GigabitEthernet2/0/0] quit
# Configure ASBR1 to set up the EBGP peer relationship with ASBR2.
[ASBR1] bgp 100
[ASBR1-bgp] ipv4-family vpn-instance vpn1
[ASBR1-bgp-vpn1] peer 192.1.1.2 as-number 200
[ASBR1-bgp-vpn1] import-route direct
[ASBR1-bgp-vpn1] quit
[ASBR1-bgp] quit
# Configure ASBR2 to set up the EBGP peer relationship with ASBR1.
[ASBR2] bgp 200
[ASBR2-bgp] ipv4-family vpn-instance vpn1
[ASBR2-bgp-vpn1] peer 192.1.1.1 as-number 100
[ASBR2-bgp-vpn1] import-route direct
[ASBR2-bgp-vpn1] quit
[ASBR2-bgp] quit
After the above configuration, run the display bgp vpnv4 vpn-instance peer command on
ASBRs, and you can see that the BGP peer relationship is established between the ASBRs.
Step 5 Verify the configuration.
After the above configuration, the CEs learn interface routes of each other. CE1 and CE2 can
ping through each other.
Consider CE1 as an example.
[CE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.2.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      192.1.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      192.1.1.2/32  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=251 time=119 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=251 time=141 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=251 time=136 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=251 time=113 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=251 time=78 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 78/117/141 ms
Run the display ip routing-table vpn-instance command on the ASBR to view the VPN routing table.
[ASBR1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 7        Routes : 7
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  IBGP    255  0           RD  1.1.1.9         GigabitEthernet1/0/0
       10.1.1.1/32  IBGP    255  0           RD  1.1.1.9         GigabitEthernet1/0/0
       10.2.1.0/24  IBGP    255  0           D   192.1.1.2       GigabitEthernet2/0/0
       10.2.1.1/32  IBGP    255  0           D   192.1.1.2       GigabitEthernet2/0/0
      192.1.1.0/24  Direct  0    0           D   192.1.1.1       GigabitEthernet2/0/0
      192.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      192.1.1.2/32  Direct  0    0           D   192.1.1.2       GigabitEthernet2/0/0
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can see the
VPNv4 routes on the ASBR.
[ASBR1] display bgp vpnv4 all routing-table
Local AS number : 100
BGP Local router ID is 2.2.2.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 5
Route Distinguisher: 100:1
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i 10.1.1.0/24        1.1.1.9        0          100       0       ?
Route Distinguisher: 100:2
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>  10.2.1.0/24        192.1.1.2      0                    0       200?
 *>  192.1.1.0          0.0.0.0        0                    0       ?
 *                      192.1.1.2      0                    0       200?
 *>  192.1.1.1/32       0.0.0.0        0                    0       ?
     Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i 10.1.1.0/24        1.1.1.9        0          100       0       ?
 *>  10.2.1.0/24        192.1.1.2      0                    0       200?
 *>  192.1.1.0          0.0.0.0        0                    0       ?
 *                      192.1.1.2      0                    0       200?
 *>  192.1.1.1/32       0.0.0.0        0                    0       ?
----End
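The NOTE in Step 3 (VPN targets must match between the ASBR and the PE of the same AS, but need not match across ASs) can be checked mechanically from saved configuration files. The following is an added example, not from the Huawei guide: a Python parser for the ip vpn-instance and bgp stanzas of the configuration-file format used at the end of this section, plus a check that, for every pair of devices in the same AS, each VRF's export targets intersect the other's import targets. The PE1, ASBR1 and ASBR2 stanzas are copied from this section; PE2's configuration file is cut off in the guide, so its stanza here is a constructed mirror of PE1 in AS 200 with VPN target 2:2, and the function names are this example's own.

```python
import re

# Stanzas from the configuration files in this section (Huawei VRP format).
# PE2's file is not on the page: its stanza is CONSTRUCTED as a mirror of PE1 in
# AS 200 using VPN target 2:2 (an assumption, not the guide's configuration).
CONFIGS = {
    "PE1": """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bgp 100
 peer 2.2.2.9 as-number 100
#
""",
    "ASBR1": """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:2
  vpn-target 1:1 export-extcommunity
  vpn-target 1:1 import-extcommunity
#
bgp 100
 #
 ipv4-family vpn-instance vpn1
  peer 192.1.1.2 as-number 200
#
""",
    "ASBR2": """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:2
  vpn-target 2:2 both
#
bgp 200
#
""",
    "PE2": """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 200:1
  vpn-target 2:2 both
#
bgp 200
#
""",
}

VRF_RE = re.compile(r"^ip vpn-instance (\S+)\s*$")
RD_RE = re.compile(r"^\s*route-distinguisher (\S+)\s*$")
VT_RE = re.compile(r"^\s*vpn-target (\S+) (export-extcommunity|import-extcommunity|both)\s*$")
BGP_RE = re.compile(r"^bgp (\d+)\s*$")


def parse_device(text):
    """Return (local_as, {vrf_name: {"rd": str, "import": set, "export": set}}).
    Only top-level 'ip vpn-instance' stanzas define VRFs; 'ipv4-family vpn-instance'
    under 'bgp' is a BGP address family and is deliberately not matched."""
    local_as, vrfs, vrf = None, {}, None
    for line in text.splitlines():
        if line.strip() == "#":          # stanza separator: leave any VRF view
            vrf = None
            continue
        if m := BGP_RE.match(line):
            local_as = int(m.group(1))
            continue
        if m := VRF_RE.match(line):
            vrf = vrfs.setdefault(m.group(1), {"rd": None, "import": set(), "export": set()})
            continue
        if vrf is None:
            continue
        if m := RD_RE.match(line):
            vrf["rd"] = m.group(1)
        elif m := VT_RE.match(line):
            target, kind = m.groups()    # "both" is the CLI shorthand for export + import
            if kind != "import-extcommunity":
                vrf["export"].add(target)
            if kind != "export-extcommunity":
                vrf["import"].add(target)
    return local_as, vrfs


def rt_consistency(configs):
    """For each pair of devices in the same AS, yield (as, vrf_a, vrf_b, ok), where ok
    means routes can flow both ways: a's exports meet b's imports and vice versa.
    Pairs in different ASs are skipped: with Option A the routes cross the ASBR-ASBR
    link as plain IPv4 inside a VRF and are re-tagged with the receiving ASBR's own
    export target, so the two ASs' VPN targets are independent."""
    parsed = {name: parse_device(text) for name, text in configs.items()}
    names = list(parsed)
    findings = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (as_a, vrfs_a), (as_b, vrfs_b) = parsed[a], parsed[b]
            if as_a != as_b:
                continue
            for va, ca in vrfs_a.items():
                for vb, cb in vrfs_b.items():
                    ok = bool(ca["export"] & cb["import"]) and bool(cb["export"] & ca["import"])
                    findings.append((as_a, f"{a}/{va}", f"{b}/{vb}", ok))
    return findings


if __name__ == "__main__":
    for local_as, a, b, ok in rt_consistency(CONFIGS):
        print(f"AS {local_as}: {a} <-> {b}: {'OK' if ok else 'VPN targets do not match'}")
```

Run against the four stanzas, the check reports PE1/ASBR1 (AS 100, target 1:1) and ASBR2/PE2 (AS 200, target 2:2) as consistent and never compares across the AS boundary; changing one export target on ASBR1 to a value PE1 does not import makes the AS 100 pair fail, which is the misconfiguration the NOTE warns about.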
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR1
#
sysname ASBR1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.2 as-number 200
import-route direct
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR2
#
sysname ASBR2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:2
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 192.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 192.1.1.1 as-number 100
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 2:2 export-extcommunity
vpn-target 2:2 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.5 Example for Configuring Inter-AS VPN Option B
After establishing the single-hop MP-EBGP peer relationship between the ASBRs, you can
implement the inter-AS VPN Option B solution.
Networking Requirements
As shown in Figure 2-6, the CE1 and the CE2 belong to the same VPN. The CE1 accesses the
network through the PE1 in the AS 100. The CE2 accesses the network through the PE2 in the
AS 200.
The inter-AS BGP/MPLS IP VPN is implemented using Option B:
• ASBR 1 exchanges VPN-IPv4 routes with ASBR 2 through MP-EBGP.
• The ASBRs do not perform VPN-target filtering on the received VPN-IPv4 routes.
Figure 2-6 Networking diagram of inter-AS VPN
[Figure: two BGP/MPLS backbones, AS 100 and AS 200, joined at the ASBRs.
CE1 (AS 65001) GE1/0/0 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 PE1 (Loopback1 1.1.1.9/32) GE1/0/0 172.1.1.2/24 --
GE1/0/0 172.1.1.1/24 ASBR1 (Loopback1 2.2.2.9/32) GE2/0/0 192.1.1.1/24 -- GE2/0/0 192.1.1.2/24 ASBR2 (Loopback1 3.3.3.9/32) GE1/0/0 162.1.1.1/24 --
GE1/0/0 162.1.1.2/24 PE2 (Loopback1 4.4.4.9/32) GE2/0/0 10.2.1.2/24 -- GE1/0/0 10.2.1.1/24 CE2 (AS 65002)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an IGP on the backbone network to interconnect the ASBR and the PE in the same AS, and set up an MPLS LDP LSP between them.
2. Set up the EBGP peer relationship between the PE and the CE, and the MP-IBGP peer relationship between the PE and the ASBR.
3. Configure the VPN instance on the PE. (No VPN instance is needed on the ASBR.)
4. Enable MPLS on the interfaces connecting the ASBRs, set up the MP-EBGP peer relationship between the ASBRs, and disable VPN-target filtering of the received VPNv4 routes.
Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR ID of the PE and the ASBR
• Name, RD and VPN target of the VPN instance configured on PE1 and PE2
Procedure
Step 1 Configure an IGP on the MPLS backbone of AS 100 and AS 200 respectively so that the PE and the
ASBR in the same AS can reach each other.
OSPF is used as the IGP in this example; the configuration procedure is not described here.
NOTE
The 32-bit loopback interface address used as the LSR ID should be advertised by OSPF.
After the configuration, the OSPF neighbor relationship should be established between the
ASBR and the PE of the same AS. Run the display ospf peer command to find that the status
of the OSPF neighbor relationship is "Full".
The ASBR and the PE in the same AS can learn the Loopback addresses of each other and can
ping through each other.
Step 2 Configure basic MPLS capability and MPLS LDP on the MPLS backbone of AS 100 and AS
200 respectively to set up LDP LSPs.
For configuration procedures, see Example for Configuring Inter-AS VPN Option A.
Step 3 Configure basic BGP/MPLS IP VPN on the MPLS backbone of AS 100 and AS 200 respectively.
NOTE
The VPN targets of the VPN instances on PE1 and PE2 must match.
For configuration procedures, see the following configuration files.
Step 4 Configure inter-AS VPN Option B mode.
# Configure ASBR 1. Enable MPLS on GigabitEthernet2/0/0 connected with ASBR 2.
<ASBR1> system-view
[ASBR1] interface gigabitethernet 2/0/0
[ASBR1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR1-GigabitEthernet2/0/0] mpls
[ASBR1-GigabitEthernet2/0/0] quit
# Configure ASBR 1. Establish the MP-EBGP peer with ASBR 2, disable VPN-target
filtering of the received VPNv4 routes, and enable ASBR 1 to allocate labels per
next hop.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] ipv4-family vpnv4
[ASBR1-bgp-af-vpnv4] peer 192.1.1.2 enable
[ASBR1-bgp-af-vpnv4] undo policy vpn-target
[ASBR1-bgp-af-vpnv4] apply-label per-nexthop
[ASBR1-bgp-af-vpnv4] quit
[ASBR1-bgp] quit
NOTE
The configuration of ASBR 2 is similar to that of ASBR 1 and is not described here.
Step 5 Verify the configuration.
After the above configuration, the CEs can learn each other's interface routes, and CE1 and CE2
can ping each other successfully.
Consider CE1 as an example.
<CE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.2.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
<CE1> ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=252 time=120 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=252 time=73 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=252 time=111 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=252 time=86 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=110 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 73/100/120 ms
Run the display bgp vpnv4 all routing-table command on the ASBR, and you can see the
VPNv4 routes on the ASBR.
Consider ASBR 1 as an example.
[ASBR1] display bgp vpnv4 all routing-table
 Local AS number : 100
 BGP Local router ID is 2.2.2.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete

 Total number of routes from all PE: 3

 Route Distinguisher: 100:1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
 *>i  10.1.1.1/32        1.1.1.9        0          100       0       ?

 Route Distinguisher: 200:1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   10.2.1.0/24        192.1.1.2      0                    0       200?
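The verification output above can be checked mechanically. The following is an added example and not part of the Huawei guide: it parses the ASBR's display bgp vpnv4 all routing-table output (the sample is constructed from the Step 5 output, with its columns restored) and lists the routes the MP-EBGP peer ASBR injected, which matter because undo policy vpn-target makes the ASBR keep every VPNv4 route that peer sends; the ebgp_peers mapping is an assumed input supplied by the operator.

```python
import re

# Constructed sample: ASBR1 output from the Option B verification above,
# with its columns restored.
SAMPLE = """\
 Local AS number : 100
 BGP Local router ID is 2.2.2.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
 Total number of routes from all PE: 3
 Route Distinguisher: 100:1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>i  10.1.1.0/24        1.1.1.9        0          100       0       ?
 *>i  10.1.1.1/32        1.1.1.9        0          100       0       ?
 Route Distinguisher: 200:1
      Network            NextHop        MED        LocPrf    PrefVal Path/Ogn
 *>   10.2.1.0/24        192.1.1.2      0                    0       200?
"""

# One route line: status, network, next hop, MED, optional LocPrf (blank on
# EBGP-learned routes), PrefVal and Path/Ogn.
ROUTE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(?:(\d+)\s+)?(\d+)\s+(\S+)$")


def parse_vpnv4_table(text):
    """Return (local_as, advertised_total, routes) from the display output."""
    local_as = total = rd = None
    routes = []
    for line in text.splitlines():
        if m := re.match(r"\s*Local AS number\s*:\s*(\d+)", line):
            local_as = int(m.group(1))
        elif m := re.match(r"\s*Total number of routes from all PE:\s*(\d+)", line):
            total = int(m.group(1))
        elif m := re.match(r"\s*Route Distinguisher:\s*(\S+)", line):
            rd = m.group(1)
        elif rd is not None and (m := ROUTE.match(line)):
            status, net, nh, med, lp, pv, path = m.groups()
            routes.append({"rd": rd, "status": status, "network": net,
                           "nexthop": nh, "med": int(med),
                           "locprf": int(lp) if lp else None,
                           "prefval": int(pv), "path": path})
    return local_as, total, routes


def audit_ebgp_injection(text, ebgp_peers):
    """Return (routes learned from the peer ASBRs, findings).

    ebgp_peers: {peer_ip: remote_as}.  With `undo policy vpn-target` the ASBR
    keeps every VPNv4 route the peer ASBR sends, so list those routes and
    flag any whose AS path does not begin with that peer's AS, plus any
    external route from a next hop that is not a known peer."""
    _, total, routes = parse_vpnv4_table(text)
    from_peer, findings = [], []
    if total is not None and total != len(routes):
        findings.append(f"parsed {len(routes)} routes but header says {total}")
    for r in routes:
        if r["nexthop"] in ebgp_peers:
            from_peer.append(r)
            want = ebgp_peers[r["nexthop"]]
            first = re.match(r"\d+", r["path"])
            if not first or int(first.group()) != want:
                findings.append(f"{r['rd']} {r['network']}: path {r['path']} "
                                f"does not start with AS {want}")
        elif "i" not in r["status"] and r["nexthop"] != "0.0.0.0":
            findings.append(f"{r['rd']} {r['network']}: external route from "
                            f"unknown next hop {r['nexthop']}")
    return from_peer, findings
```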
----End
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR 1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.2 enable
peer 1.1.1.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 1.1.1.9 enable
peer 192.1.1.2 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR 2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 192.1.1.1 enable
peer 4.4.4.9 enable
#
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 4.4.4.9 enable
peer 192.1.1.1 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
apply-label per-instance
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.6 Example for Configuring Inter-AS VPN Option C
After establishing the multi-hop MP-EBGP peer relationship between PEs in different ASs, you
can implement the inter-AS VPN Option C solution.
Networking Requirements
As shown in Figure 2-7, CE1 and CE2 belong to the same VPN. The CE1 accesses the network
through the PE1 in AS 100 and the CE2 accesses the network through the PE2 in AS 200.
The Inter-AS BGP/MPLS IP VPN is implemented using Option C.
Figure 2-7 Networking diagram of inter-AS VPN
[Figure: two BGP/MPLS backbones, AS 100 and AS 200, joined at the ASBRs.
CE1 (AS 65001) GE1/0/0 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 PE1 (Loopback1 1.1.1.9/32) GE1/0/0 172.1.1.2/24 --
GE1/0/0 172.1.1.1/24 ASBR1 (Loopback1 2.2.2.9/32) GE2/0/0 192.1.1.1/24 -- GE2/0/0 192.1.1.2/24 ASBR2 (Loopback1 3.3.3.9/32) GE1/0/0 162.1.1.1/24 --
GE1/0/0 162.1.1.2/24 PE2 (Loopback1 4.4.4.9/32) GE2/0/0 10.2.1.2/24 -- GE1/0/0 10.2.1.1/24 CE2 (AS 65002)]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set up the MP-EBGP peer relationship between PEs in different ASs and configure the maximum number of hops between the PEs.
2. Configure routing policies on the ASBR: assign MPLS labels to the loopback routes carrying MPLS tokens that are received from the PE in the local AS before advertising them to the remote ASBR, and assign new MPLS labels to labeled IPv4 routes before advertising them to the PE in the local AS.
3. Configure the PE and the ASBR in the local AS to exchange labeled IPv4 routes.
4. Configure the ASBR and the peer ASBR to exchange labeled IPv4 routes.
Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR ID of the PE and the ASBR
• VPN instance configured on the PE, with its RD and VPN target
• Routing policies configured on the ASBR
Procedure
Step 1 Configure an IGP on the MPLS backbone of AS 100 and AS 200 respectively so that the PE and
the ASBR in the same AS can reach each other.
OSPF is used as the IGP in this example, and the configuration procedure is not described here.
NOTE
The 32-bit loopback interface address used as the LSR ID should be advertised by OSPF.
After the configuration, the OSPF neighbor relationship should be established between the
ASBR and the PE of the same AS. Run the display ospf peer command to check that the status of
the OSPF neighbor relationship is "Full".
Take PE1 as an example.
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.2(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.9
Address: 172.1.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 31 sec
Neighbor is up for 00:28:11
Authentication Sequence: [ 0 ]
The ASBR and the PE in the same AS can learn Loopback addresses of each other and can ping
through each other.
Step 2 Configure MPLS basic capability and MPLS LDP on the MPLS backbone of AS 100 and AS
200 respectively to setup LDP LSP.
For configuration procedures, see Example for Configuring Inter-AS VPN Option A.
Step 3 Set up the IBGP peer relationship between the PEs and the ASBRs in the same AS.
For detailed configurations, see the following configuration files.
Step 4 Configure the VPN instance on the PE and configure the CE to access the PE.
For the detailed configuration, see the following configuration file.
NOTE
The import VPN-target configured on PE1 must be the same as the export VPN-target configured on PE2;
the export VPN-target configured on PE1 must be the same as the import VPN-target configured on PE2.
Step 5 Configure exchange of labeled IPv4 routes.
# Configure PE1. Enable the exchange of labeled IPv4 routes with ASBR 1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 label-route-capability
[PE1-bgp] quit
# Configure ASBR 1. Enable MPLS on GigabitEthernet2/0/0 connected to ASBR 2.
[ASBR1] interface gigabitethernet 2/0/0
[ASBR1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR1-GigabitEthernet2/0/0] mpls
[ASBR1-GigabitEthernet2/0/0] quit
# Configure ASBR 1. Create route policies.
[ASBR1] route-policy policy1 permit node 1
[ASBR1-route-policy] apply mpls-label
[ASBR1-route-policy] quit
[ASBR1] route-policy policy2 permit node 1
[ASBR1-route-policy] if-match mpls-label
[ASBR1-route-policy] apply mpls-label
[ASBR1-route-policy] quit
# Configure ASBR 1. Apply the route policy to the routes advertised to PE1 and enable the
exchange of labeled IPv4 routes with PE1.
[ASBR1] bgp 100
[ASBR1-bgp] peer 1.1.1.9 route-policy policy2 export
[ASBR1-bgp] peer 1.1.1.9 label-route-capability
# Configure ASBR 1. Apply the route policy to the routes advertised to ASBR 2 and enable the
exchange of labeled IPv4 routes with ASBR 2.
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] peer 192.1.1.2 route-policy policy1 export
[ASBR1-bgp] peer 192.1.1.2 label-route-capability
[ASBR1-bgp] quit
# Configure ASBR1. Advertise the Loopback routes with MPLS tokens of PE1 to ASBR2, and
then to PE2.
[ASBR1] route-policy policy3 permit node 1
[ASBR1-route-policy] if-match mpls-token
[ASBR1-route-policy] quit
[ASBR1] bgp 100
[ASBR1-bgp] network 1.1.1.9 32 route-policy policy3
[ASBR1-bgp] quit
NOTE
The configurations of PE2 and ASBR 2 are similar to those of PE1 and ASBR 1 and are not described here.
Step 6 Establish MP-EBGP peers between PE1 and PE2.
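Option B (Step 4 of the previous example) and Option C (Step 5 here) each hinge on a few ASBR commands, so the following added example, which is not Huawei code, lints an ASBR configuration file for both. It assumes the indentation-free configuration-file layout shown on this page and parses only the commands these examples use; the two sample configurations are constructed from ASBR1's configuration in each example.

```python
import re

TOP_LEVEL = ("ospf ", "interface ", "mpls", "ip vpn-instance ", "return")

# Constructed sample: ASBR1 as configured in Step 4 of the Option B example.
OPTION_B_ASBR1 = """\
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
ipv4-family vpnv4
undo policy vpn-target
apply-label per-nexthop
peer 192.1.1.2 enable
"""

# Constructed sample: ASBR1 as configured in Step 5 of the Option C example.
OPTION_C_ASBR1 = """\
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
ipv4-family unicast
network 1.1.1.9 255.255.255.255 route-policy policy3
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
peer 1.1.1.9 route-policy policy2 export
peer 1.1.1.9 label-route-capability
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
route-policy policy3 permit node 1
if-match mpls-token
"""


def parse(config):
    """Return (local_as, {peer: as}, {family: [lines]}, {policy: [lines]}).
    Scope is tracked by keyword, not indentation, because the page's
    configuration files carry none; TOP_LEVEL keywords end a BGP or policy scope."""
    local_as, peers, families, policies = None, {}, {}, {}
    ctx = fam = pol = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if line.startswith("bgp "):
            local_as, ctx, fam = int(line.split()[1]), "bgp", "global"
        elif line.startswith("route-policy "):
            pol, ctx = line.split()[1], "policy"
            policies.setdefault(pol, [])
        elif line.startswith(TOP_LEVEL):
            ctx = None
        elif ctx == "bgp":
            if line.startswith("ipv4-family "):
                fam = line.split(None, 1)[1]
                continue
            m = re.match(r"peer (\S+) as-number (\d+)", line)
            if m:
                peers[m.group(1)] = int(m.group(2))
            families.setdefault(fam, []).append(line)
        elif ctx == "policy":
            policies[pol].append(line)
    return local_as, peers, families, policies


def lint_option_b(config):
    """Findings for an Option B ASBR (MP-EBGP vpnv4 peer, no VPN instance)."""
    local_as, peers, fam, _ = parse(config)
    vpnv4, findings = fam.get("vpnv4", []), []
    if "undo policy vpn-target" not in vpnv4:
        findings.append("vpnv4: VPN-target filtering is still on; an ASBR "
                        "without VPN instances drops every received VPNv4 route")
    if "apply-label per-nexthop" not in vpnv4:
        findings.append("vpnv4: apply-label per-nexthop is missing")
    for ip, asn in peers.items():
        if asn != local_as and f"peer {ip} enable" not in vpnv4:
            findings.append(f"vpnv4: EBGP peer {ip} (AS {asn}) is not enabled")
    return findings


def lint_option_c(config):
    """Findings for an Option C ASBR (labeled IPv4 routes via route policies)."""
    local_as, peers, fam, pol = parse(config)
    uni, findings = fam.get("unicast", []), []
    export = dict(re.findall(r"peer (\S+) route-policy (\S+) export", "\n".join(uni)))
    for ip, asn in peers.items():
        if f"peer {ip} label-route-capability" not in uni:
            findings.append(f"unicast: peer {ip} lacks label-route-capability")
        # Toward the remote ASBR the policy only attaches a label; toward the
        # local PE it must re-label routes that already carry one.
        need = {"apply mpls-label"} | ({"if-match mpls-label"} if asn == local_as else set())
        missing = sorted(need - set(pol.get(export.get(ip), [])))
        if ip not in export:
            findings.append(f"unicast: peer {ip} has no export route-policy")
        elif missing:
            findings.append(f"peer {ip}: policy {export[ip]} lacks {missing}")
    for name in re.findall(r"^network \S+ \S+ route-policy (\S+)", "\n".join(uni), re.M):
        if "if-match mpls-token" not in pol.get(name, []):
            findings.append(f"network policy {name} lacks if-match mpls-token")
    return findings
```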
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 4.4.4.9 as-number 200
[PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1
[PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 4.4.4.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
Step 7 Verify the configuration.
After the above configuration, the CEs can learn each other's interface routes, and CE1 and CE2
can ping each other.
Consider CE1 as an example:
[CE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.2.1.0/24  EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=252 time=102 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=252 time=89 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=252 time=106 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=252 time=104 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=56 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 56/91/106 ms
There is no VPNv4 route on the ASBR. Run the display bgp routing-table label command on
the ASBR to see the label information of the routes.
Consider ASBR1 as an example:
[ASBR1] display bgp routing-table label
 Total Number of Routes: 2
 BGP Local router ID is 2.2.2.9
 Status codes: * - valid, > - best, d - damped,
               h - history, i - internal, s - suppressed, S - Stale
               Origin : i - IGP, e - EGP, ? - incomplete
      Network            NextHop          In/Out Label
 *>   1.1.1.9            172.1.1.2        15360/NULL
 *>   4.4.4.9            192.1.1.2        15361/15361
----End
Configuration Files
• Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
• Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
peer 4.4.4.9 as-number 200
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
peer 2.2.2.9 label-route-capability
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65001
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
• Configuration file of ASBR 1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255 route-policy policy3
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
peer 1.1.1.9 enable
peer 1.1.1.9 route-policy policy2 export
peer 1.1.1.9 label-route-capability
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
route-policy policy3 permit node 1
if-match mpls-token
apply mpls-label
#
return
• Configuration file of ASBR 2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255 route-policy policy3
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export
peer 192.1.1.1 label-route-capability
peer 4.4.4.9 enable
peer 4.4.4.9 route-policy policy2 export
peer 4.4.4.9 label-route-capability
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy1 permit node 1
apply mpls-label
route-policy policy2 permit node 1
if-match mpls-label
apply mpls-label
route-policy policy3 permit node 1
if-match mpls-token
#
return
• Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 200
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
peer 3.3.3.9 label-route-capability
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65002
import-route direct
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
• Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.7 Example for Configuring Inter-AS VPN Option C (Solution 2)
If no MP-IBGP relationships are established between PEs and ASBRs, you can use LDP to
allocate labels for BGP routes and implement the inter-AS VPN Option C solution.
Networking Requirements
As shown in Figure 2-8, CE1 and CE2 belong to the same VPN. CE1 accesses AS 100 through
PE1, and CE2 accesses AS 200 through PE2.
Figure 2-8 Networking diagram of the inter-AS VPN
[Figure: two BGP/MPLS backbones, AS 100 and AS 200, joined at the ASBRs.
CE1 (AS 65001) GE1/0/0 10.1.1.1/24 -- GE2/0/0 10.1.1.2/24 PE1 (Loopback1 1.1.1.9/32) GE1/0/0 172.1.1.2/24 --
GE1/0/0 172.1.1.1/24 ASBR1 (Loopback1 2.2.2.9/32) GE2/0/0 192.1.1.1/24 -- GE2/0/0 192.1.1.2/24 ASBR2 (Loopback1 3.3.3.9/32) GE1/0/0 162.1.1.1/24 --
GE1/0/0 162.1.1.2/24 PE2 (Loopback1 4.4.4.9/32) GE2/0/0 10.2.1.2/24 -- GE1/0/0 10.2.1.1/24 CE2 (AS 65002)]
No IBGP peer relationship is needed between a PE and an ASBR. The ASBR learns the labeled
BGP routes of the public network at the remote AS from the peer ASBR. Then these BGP routes
are imported to IGP. In this manner, LDP can distribute labels for these routes and establish an
inter-AS LDP LSP. The inter-AS BGP/MPLS IP VPN Option C can then be realized.
Configuration Roadmap
The configuration roadmap is as follows:
1. Advertise the routes of the PE in one AS to the remote PE: advertise them to the remote ASBR through BGP, import these BGP routes into the IGP on the remote ASBR, and then advertise them to the remote PE through the IGP.
2. Configure a routing policy on the ASBR: allocate MPLS labels to the routes with MPLS tokens that are received from a PE in the local AS and advertised to the remote ASBR, and allocate new MPLS labels to the labeled IPv4 routes advertised to the PE in the local AS.
3. Exchange labeled IPv4 routes between the local ASBR and the remote ASBR.
4. Configure an LDP LSP for the labeled BGP routes of the public network on the ASBRs.
5. Establish the MP-EBGP peer relationship between PEs in different ASs, and specify the maximum number of hops between the PEs, because the PEs are generally not directly connected.
Data Preparation
To complete the configuration, you need the following data:
• MPLS LSR ID of the PE and the ASBR
• VPN instance name, RD, and VPN target created on the PE
• Routing policy on the ASBR
Procedure
Step 1 Configure IGP on the MPLS backbone networks of AS100 and AS200. In this manner, PEs
within each MPLS backbone network can be interconnected with ASBRs.
In this example, OSPF is used as the IGP, and the specific configuration steps are not described here.
NOTE
Advertise the 32-bit IP address of the loopback interface, that is, the LSR ID, by using OSPF.
After the configuration, the OSPF neighbor relationship can be established between the ASBR
and the PE in the same AS. Run the display ospf peer command to check that the neighbor
state is Full.
Take PE1 as an example:
<PE1> display ospf peer
OSPF Process 1 with Router ID 1.1.1.9
Neighbors
Area 0.0.0.0 interface 172.1.1.2(GigabitEthernet1/0/0)'s neighbors
Router ID: 2.2.2.9
Address: 172.1.1.1
State: Full Mode:Nbr is Master Priority: 1
DR: None
BDR: None
MTU: 0
Dead timer due in 28 sec
Neighbor is up for 00:01:04
Authentication Sequence: [ 0 ]
The ASBR and PE in the same AS can learn the IP address of the loopback1 interface of each
other. They can also ping each other successfully.
Step 2 Establish the EBGP peer relationship between the ASBRs.
# Configure ASBR1.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 as-number 200
[ASBR1-bgp] quit
# Configure ASBR2.
[ASBR2] bgp 200
[ASBR2-bgp] peer 192.1.1.1 as-number 100
[ASBR2-bgp] quit
After the configuration, run the display bgp peer command on the ASBRs to check that the peer
state is Established.
Take ASBR1 as an example:
[ASBR1] display bgp peer
 BGP local router ID : 2.2.2.9
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1

  Peer            V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State   PrefRcv
  192.1.1.2       4   200      129      134     0  01:39:21  Established       1
Step 3 Advertise the routes of a PE in an AS to the remote PE.
# On ASBR1, advertise the loopback address with MPLS tokens of PE1 to ASBR2.
[ASBR1] route-policy policy0 permit node 1
[ASBR1-route-policy] if-match mpls-token
[ASBR1-route-policy] quit
[ASBR1] bgp 100
[ASBR1-bgp] network 1.1.1.9 32 route-policy policy0
[ASBR1-bgp] quit
# On ASBR2, advertise the loopback address with MPLS tokens of PE2 to ASBR1.
[ASBR2] route-policy policy0 permit node 1
[ASBR2-route-policy] if-match mpls-token
[ASBR2-route-policy] quit
[ASBR2] bgp 200
[ASBR2-bgp] network 4.4.4.9 32 route-policy policy0
[ASBR2-bgp] quit
# On ASBR1, import BGP routes to OSPF, and advertise the routes of PE2 to PE1 through OSPF.
[ASBR1] ospf 1
[ASBR1-ospf-1] import-route bgp
# On ASBR2, import BGP routes to OSPF, and advertise the routes of PE1 to PE2 through OSPF.
[ASBR2] ospf 1
[ASBR2-ospf-1] import-route bgp
After the configuration, run the display ip routing-table command on the PEs to check the
routing table. Take PE1 as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       1.1.1.9/32   Direct  0    0           D   127.0.0.1       InLoopBack0
       2.2.2.9/32   OSPF    10   1           D   172.1.1.1       GigabitEthernet1/0/0
       4.4.4.9/32   O_ASE   150  1           D   172.1.1.1       GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
     172.1.1.0/24   Direct  0    0           D   172.1.1.2       GigabitEthernet1/0/0
     172.1.1.1/32   Direct  0    0           D   172.1.1.1       GigabitEthernet1/0/0
     172.1.1.2/32   Direct  0    0           D   127.0.0.1       InLoopBack0
Step 4 Configure basic MPLS functions and MPLS LDP on the MPLS backbone networks of AS100
and AS200 to establish LDP LSP.
# Configure basic MPLS functions on PE1 and enable LDP on the interface connected with
ASBR1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] mpls
[PE1-GigabitEthernet1/0/0] mpls ldp
[PE1-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on ASBR1 and enable LDP on the interface connected with
PE1.
[ASBR1] mpls lsr-id 2.2.2.9
[ASBR1] mpls
[ASBR1-mpls] quit
[ASBR1] mpls ldp
[ASBR1-mpls-ldp] quit
[ASBR1] interface gigabitethernet 1/0/0
[ASBR1-GigabitEthernet1/0/0] mpls
[ASBR1-GigabitEthernet1/0/0] mpls ldp
[ASBR1-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on ASBR2 and enable LDP on the interface connected with
PE2.
[ASBR2] mpls lsr-id 3.3.3.9
[ASBR2] mpls
[ASBR2-mpls] quit
[ASBR2] mpls ldp
[ASBR2-mpls-ldp] quit
[ASBR2] interface gigabitethernet 1/0/0
[ASBR2-GigabitEthernet1/0/0] mpls
[ASBR2-GigabitEthernet1/0/0] mpls ldp
[ASBR2-GigabitEthernet1/0/0] quit
# Configure basic MPLS functions on PE2 and enable LDP on the interface connected with
ASBR2.
[PE2] mpls lsr-id 4.4.4.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] mpls
[PE2-GigabitEthernet1/0/0] mpls ldp
[PE2-GigabitEthernet1/0/0] quit
After the configuration, the LDP sessions between PE1 and ASBR1, and between PE2 and
ASBR2, are set up. Run the display mpls ldp session command to see that the session status is
"Operational". Run the display mpls ldp lsp command to check whether the LDP LSPs are
set up.
Take PE1 as an example:
[PE1] display mpls ldp session
LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
 PeerID       Status       LAM  SsnRole  SsnAge      KASent/Rcv
------------------------------------------------------------------------------
 2.2.2.9:0    Operational  DU   Passive  0000:00:01  5/5
------------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
<PE1> display mpls ldp lsp
LDP LSP Information
------------------------------------------------------------------------------
 DestAddress/Mask   In/OutLabel   UpstreamPeer   NextHop       OutInterface
------------------------------------------------------------------------------
 1.1.1.9/32         3/NULL        2.2.2.9        127.0.0.1     InLoop0
 *1.1.1.9/32        Liberal
 2.2.2.9/32         NULL/3                       172.1.1.1     GigabitEthernet1/0/0
 2.2.2.9/32         1024/3        2.2.2.9        172.1.1.1     GigabitEthernet1/0/0
------------------------------------------------------------------------------
 TOTAL: 3 Normal LSP(s) Found.
 TOTAL: 1 Liberal LSP(s) Found.
 TOTAL: 0 Frr LSP(s) Found.
 A '*' before an LSP means the LSP is not established
 A '*' before a Label means the USCB or DSCB is stale
 A '*' before a UpstreamPeer means the session is in GR state
 A '*' before a NextHop means the LSP is FRR LSP
Step 5 Configure the capability of exchanging labeled IPv4 routes on ASBRs.
# Configure ASBR1: Enable MPLS on GigabitEthernet2/0/0 that connects ASBR2.
[ASBR1] interface gigabitethernet 2/0/0
[ASBR1-GigabitEthernet2/0/0] ip address 192.1.1.1 24
[ASBR1-GigabitEthernet2/0/0] mpls
[ASBR1-GigabitEthernet2/0/0] quit
# On ASBR1, create the routing policy.
[ASBR1] route-policy policy1 permit node 1
[ASBR1-route-policy] apply mpls-label
[ASBR1-route-policy] quit
# On ASBR1, apply a routing policy to the routes advertised to ASBR2, and enable the labeled
IPv4 route exchange with ASBR2.
[ASBR1] bgp 100
[ASBR1-bgp] peer 192.1.1.2 route-policy policy1 export
[ASBR1-bgp] peer 192.1.1.2 label-route-capability
[ASBR1-bgp] quit
NOTE
The configuration on ASBR2 is similar to that on ASBR1 and is not described here. See the
configuration file of ASBR2.
Step 6 Configure LDP LSPs for the labeled BGP routes of the public network on ASBRs.
# Configure ASBR1.
[ASBR1] mpls
[ASBR1-mpls] lsp-trigger bgp-label-route
[ASBR1-mpls] quit
# Configure ASBR2.
[ASBR2] mpls
[ASBR2-mpls] lsp-trigger bgp-label-route
[ASBR2-mpls] quit
Step 7 Configure the VPN instance on the PEs and configure the CEs to access the instances.
# Configure PE1.
[PE1] ip vpn-instance vpn1
[PE1-vpn-instance-vpn1] ipv4-family
[PE1-vpn-instance-vpn1-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
[PE1-vpn-instance-vpn1-af-ipv4] quit
[PE1-vpn-instance-vpn1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE1-GigabitEthernet2/0/0] ip address 10.1.1.2 24
[PE1-GigabitEthernet2/0/0] quit
# Configure PE2.
[PE2] ip vpn-instance vpn1
[PE2-vpn-instance-vpn1] ipv4-family
[PE2-vpn-instance-vpn1-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 export-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] vpn-target 1:1 import-extcommunity
[PE2-vpn-instance-vpn1-af-ipv4] quit
[PE2-vpn-instance-vpn1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1
[PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24
[PE2-GigabitEthernet2/0/0] quit
After the configuration, run the display ip vpn-instance verbose command on PEs to view the
configurations of VPN instances. Each PE can ping its connected CE successfully.
Take PE1 and CE1 as examples:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 1
VPN-Instance Name and ID : vpn1, 1
Interfaces : GigabitEthernet2/0/0
Address family ipv4
Create date : 2008/02/27 09:53:47
Up time : 0 days, 00 hours, 35 minutes and 43 seconds
Route Distinguisher : 100:1
Export VPN Targets : 1:1
Import VPN Targets : 1:1
Label Policy : label per route
Log Interval : 5
[PE1] ping -vpn-instance vpn1 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Request time out
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=50 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=40 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=30 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=10 ms
--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 10/32/50 ms
Step 8 Establish the MP-EBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 4.4.4.9 as-number 200
[PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1
[PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 4.4.4.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface LoopBack 1
[PE2-bgp] peer 1.1.1.9 ebgp-max-hop 10
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
Step 9 Set up the EBGP peer relationship between PEs and CEs to import VPN routes.
# Configure CE1.
[CE1] bgp 65001
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure CE2.
[CE2] bgp 65002
[CE2-bgp] peer 10.2.1.2 as-number 200
[CE2-bgp] import-route direct
[CE2-bgp] quit
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpn1
[PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001
[PE1-bgp-vpn1] import-route direct
[PE1-bgp-vpn1] quit
# Configure PE2.
[PE2] bgp 200
[PE2-bgp] ipv4-family vpn-instance vpn1
[PE2-bgp-vpn1] peer 10.2.1.1 as-number 65002
[PE2-bgp-vpn1] import-route direct
[PE2-bgp-vpn1] quit
After the configuration, run the display bgp vpnv4 vpn-instance peer command on a PE to
find that the BGP peer relationship between the PE and CE is in the Established state.
Take the peer relationship between PE1 and CE1 as an example:
[PE1] display bgp vpnv4 vpn-instance vpn1 peer
BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpn1, router ID 1.1.1.9:
Total number of peers : 1                 Peers in established state : 1

  Peer        V    AS  MsgRcvd  MsgSent  OutQ  Up/Down       State        PrefRcv
  10.1.1.1    4 65001        3        3     0  00:00:52      Established        1
Step 10 Verify the configuration.
After the preceding configuration, CEs can learn routes of interfaces on each other, and CE1
and CE2 can ping each other successfully.
Take CE1 as an example:
[CE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/24   Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      10.2.1.0/24   EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=252 time=102 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=252 time=89 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=252 time=106 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=252 time=104 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=56 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 56/91/106 ms
After the configuration, run the display ip routing-table dest-ip-address verbose command on
ASBR1. You can find that the route from ASBR1 to PE2 is a labeled BGP route of the public
network: the routing table is "Public", the protocol type is "BGP", and the label has a non-zero
value.
Take ASBR1 as an example:
[ASBR1] display ip routing-table 4.4.4.9 verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination: 4.4.4.9/32
     Protocol: BGP             Process ID: 0
   Preference: 255                   Cost: 1
      NextHop: 192.1.1.2        Neighbour: 192.1.1.2
        State: Active Adv             Age: 00h12m53s
          Tag: 0                 Priority: 0
        Label: 15360              QoSInfo: 0x0
   IndirectID: 0x0
 RelayNextHop: 0.0.0.0           Interface: GigabitEthernet2/0/0
     TunnelID: 0x6002006             Flags: D
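The three criteria just stated (table "Public", protocol "BGP", non-zero label) are easy to check by hand once, but not on every ASBR after every change. The following script is an added example, not part of the Huawei guide: it parses the two-column verbose output above into a dictionary and reports which criteria a route fails. The two samples are re-typed from the output above and a constructed unlabeled variant; the function names are this example's own.

```python
import re
from typing import Dict, List

# One "Key: value" pair in the two-column layout of
# "display ip routing-table <dest> verbose": a value runs until two or more
# spaces followed by the next key and a colon, or until the end of the line.
FIELD_RE = re.compile(
    r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)"
)

# Constructed sample (re-typed, not a device capture): the output the guide
# shows on ASBR1 once labeled IPv4 routes are exchanged with ASBR2 (Step 5).
LABELED_SAMPLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 1

Destination: 4.4.4.9/32
     Protocol: BGP             Process ID: 0
   Preference: 255                   Cost: 1
      NextHop: 192.1.1.2        Neighbour: 192.1.1.2
        State: Active Adv             Age: 00h12m53s
          Tag: 0                 Priority: 0
        Label: 15360              QoSInfo: 0x0
   IndirectID: 0x0
 RelayNextHop: 0.0.0.0           Interface: GigabitEthernet2/0/0
     TunnelID: 0x6002006             Flags: D
"""

# Constructed negative sample: the same route carrying no label, which is what
# an ASBR shows while the labeled-route exchange with its peer is not in effect.
UNLABELED_SAMPLE = LABELED_SAMPLE.replace("Label: 15360", "Label: 0    ")


def parse_verbose_route(text: str) -> Dict[str, str]:
    """Flatten the two-column verbose route output into a {key: value} dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def check_labeled_public_route(text: str, dest: str) -> List[str]:
    """Return the reasons why the route is not a labeled public-network BGP
    route; an empty list means the Option C check passed."""
    f = parse_verbose_route(text)
    problems: List[str] = []
    if f.get("Destination") != dest:
        problems.append(f"expected destination {dest}, got {f.get('Destination')!r}")
    if f.get("Routing Table") != "Public":
        problems.append(f"route is in table {f.get('Routing Table')!r}, not Public")
    if f.get("Protocol") != "BGP":
        problems.append(f"protocol is {f.get('Protocol')!r}, not BGP")
    label = f.get("Label", "")
    if not label.isdigit() or int(label) == 0:
        problems.append(f"label is {label!r}; a labeled BGP route needs a non-zero label")
    return problems


if __name__ == "__main__":
    for name, sample in (("labeled", LABELED_SAMPLE), ("unlabeled", UNLABELED_SAMPLE)):
        result = check_labeled_public_route(sample, "4.4.4.9/32")
        print(name, "OK" if not result else "; ".join(result))
```

In practice the text would come from a captured CLI session rather than an inline constant; the check itself is unchanged.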
Run the display mpls lsp protocol ldp include dest-ip-address verbose command on ASBR1 and
PE2 respectively. You can find that an LDP LSP is established between ASBR1 and PE2, and
that each PE has an LDP ingress LSP to the remote PE.
[ASBR1] display mpls lsp protocol ldp include 4.4.4.9 32 verbose
----------------------------------------------------------------------
                 LSP Information: LDP LSP
----------------------------------------------------------------------
  No              :  1
  VrfIndex        :
  Fec             :  4.4.4.9/32
  Nexthop         :  192.1.1.2
  In-Label        :  1024
  Out-Label       :  NULL
  In-Interface    :  ----------
  Out-Interface   :  ----------
  LspIndex        :  13313
  Token           :  0x0
  FrrToken        :  0x0
  LsrType         :  Egress
  Outgoing token  :  0x6002006
  Label Operation :  POPGO
  Mpls-Mtu        :  ------
  TimeStamp       :  15829sec
  Bfd-State       :  ---
----End
Configuration Files
- Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65001
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 4.4.4.9 as-number 200
peer 4.4.4.9 ebgp-max-hop 10
peer 4.4.4.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 4.4.4.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 4.4.4.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.1.1.1 as-number 65001
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
- Configuration file of ASBR1
#
sysname ASBR1
#
mpls lsr-id 2.2.2.9
mpls
lsp-trigger bgp-label-route
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.1 255.255.255.0
mpls
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 192.1.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
network 1.1.1.9 255.255.255.255 route-policy policy0
peer 192.1.1.2 enable
peer 192.1.1.2 route-policy policy1 export
peer 192.1.1.2 label-route-capability
#
ospf 1
import-route bgp
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
route-policy policy0 permit node 1
if-match mpls-token
route-policy policy1 permit node 1
apply mpls-label
#
return
- Configuration file of ASBR2
#
sysname ASBR2
#
mpls lsr-id 3.3.3.9
mpls
lsp-trigger bgp-label-route
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 192.1.1.2 255.255.255.0
mpls
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 200
peer 192.1.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
network 4.4.4.9 255.255.255.255 route-policy policy0
peer 192.1.1.1 enable
peer 192.1.1.1 route-policy policy1 export
peer 192.1.1.1 label-route-capability
#
ospf 1
import-route bgp
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
route-policy policy0 permit node 1
if-match mpls-token
route-policy policy1 permit node 1
apply mpls-label
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 162.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bgp 200
peer 1.1.1.9 as-number 100
peer 1.1.1.9 ebgp-max-hop 10
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpn1
import-route direct
peer 10.2.1.1 as-number 65002
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 162.1.1.0 0.0.0.255
#
return
- Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65002
peer 10.2.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.8 Example for Configuring HoVPN
After configuring HoVPN, you can enable multiple PEs to play different roles to form a
hierarchical structure. In this manner, these PEs function as one PE, and the performance
requirements for individual PEs are lowered.
Networking Requirements
As shown in Figure 2-9:
- CE1 and CE2 belong to VPN-A and the VPN target is 1:1.
- CE1 accesses the backbone network through the UPE and CE2 accesses the network through the PE.
- The UPE, the SPE and the PE are interconnected through OSPF.
Figure 2-9 Networking diagram of HoVPN
[Diagram not reproduced in text. Topology: CE1 (AS 65410, VPN-A, GE1/0/0 10.1.1.1/24) - UPE (Loopback1 1.1.1.9/32, GE1/0/0 10.1.1.2/24, GE2/0/0 172.1.1.1/24) - SPE (Loopback1 2.2.2.9/32, GE1/0/0 172.1.1.2/24, GE2/0/0 172.2.1.1/24) - PE (Loopback1 3.3.3.9/32, GE2/0/0 172.2.1.2/24, GE1/0/0 10.2.1.2/24) - CE2 (AS 65420, VPN-A, GE1/0/0 10.2.1.1/24). UPE, SPE and PE are in AS 100.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IGP in the backbone network and ensure that the PEs can learn the loopback address from each other.
2. Configure MPLS LSPs between the PEs.
3. Create the VPN instance on the UPE and set up the EBGP peer relationship between the UPE and CE1.
4. Create the VPN instance on the PE and set up the EBGP peer relationship between the PE and CE2.
5. Set up the MP-IBGP peer relationship between the UPE and the SPE, and between the PE and the SPE.
6. Create the VPN instance on the SPE. Specify the UPE as the underlayer PE, that is, the user layer PE. Advertise the default route of the VPN instance to the UPE.
Data Preparation
To complete the configuration, you need the following data:
- MPLS LSR-ID of the UPE, SPE and PE
- VPN instance name, RD and VPN target created on the UPE, SPE and PE
Procedure
Step 1 Configure OSPF on the MPLS backbone network to implement internetworking.
After the configuration, OSPF neighbor relationships are established among the UPE, SPE and PE.
Run the display ospf peer command to see that the OSPF neighbor state is "Full". Run the
display ip routing-table command to see that the PEs have learned each other's loopback routes.
The specific configuration procedure is not described here.
Step 2 Configure basic MPLS capability and MPLS LDP on MPLS backbone networks and establish
LDP LSP.
After the configuration, LDP sessions are established among the UPE, SPE and PE. Run the
display mpls ldp session command to see that the session state is "Operational". Run the display
mpls ldp lsp command to see that the LDP LSPs are established.
The specific configuration procedure is not described here.
Step 3 Configure PEs and CEs.
# Configure UPE.
<UPE> system-view
[UPE] ip vpn-instance vpna
[UPE-vpn-instance-vpna] ipv4-family
[UPE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[UPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[UPE-vpn-instance-vpna-af-ipv4] quit
[UPE-vpn-instance-vpna] quit
[UPE] interface gigabitethernet 1/0/0
[UPE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[UPE-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[UPE-GigabitEthernet1/0/0] quit
[UPE] bgp 100
[UPE-bgp] ipv4-family vpn-instance vpna
[UPE-bgp-vpna] peer 10.1.1.1 as-number 65410
[UPE-bgp-vpna] import-route direct
[UPE-bgp-vpna] quit
[UPE-bgp] quit
# Configure CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[CE1-GigabitEthernet1/0/0] quit
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit
# Configure PE.
<PE> system-view
[PE] ip vpn-instance vpna
[PE-vpn-instance-vpna] ipv4-family
[PE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:2
[PE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[PE-vpn-instance-vpna-af-ipv4] quit
[PE-vpn-instance-vpna] quit
[PE] interface gigabitethernet 1/0/0
[PE-GigabitEthernet1/0/0] ip binding vpn-instance vpna
[PE-GigabitEthernet1/0/0] ip address 10.2.1.2 24
[PE-GigabitEthernet1/0/0] quit
[PE] bgp 100
[PE-bgp] ipv4-family vpn-instance vpna
[PE-bgp-vpna] peer 10.2.1.1 as-number 65420
[PE-bgp-vpna] import-route direct
[PE-bgp-vpna] quit
[PE-bgp] quit
# Configure CE2.
<Huawei> system-view
[Huawei] sysname CE2
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] ip address 10.2.1.1 24
[CE2-GigabitEthernet1/0/0] quit
[CE2] bgp 65420
[CE2-bgp] peer 10.2.1.2 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit
After the configuration, run the display ip vpn-instance verbose command on the PE or UPE
to see the configurations of the VPN instances. Using the ping -vpn-instance command, the
PE and UPE can each ping the CE attached to them successfully.
NOTE
When the interfaces on a PE are bound to the same VPN, you need to specify the source IP address when
you use the ping -vpn-instance command to ping the CE connected with the peer PE. That is, you need
to specify -a source-ip-address in the ping -a source-ip-address -vpn-instance vpn-instance-name dest-ip-address command; otherwise, the ping fails.
Step 4 Configure MP-IBGP peer relationship between UPE and SPE, and between PE and SPE.
# Configure UPE.
<UPE> system-view
[UPE] bgp 100
[UPE-bgp] peer 2.2.2.9 as-number 100
[UPE-bgp] peer 2.2.2.9 connect-interface loopback 1
[UPE-bgp] ipv4-family vpnv4
[UPE-bgp-af-vpnv4] peer 2.2.2.9 enable
[UPE-bgp-af-vpnv4] quit
[UPE-bgp] quit
# Configure SPE.
<SPE> system-view
[SPE] bgp 100
[SPE-bgp] peer 1.1.1.9 as-number 100
[SPE-bgp] peer 1.1.1.9 connect-interface loopback 1
[SPE-bgp] peer 3.3.3.9 as-number 100
[SPE-bgp] peer 3.3.3.9 connect-interface loopback 1
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 enable
[SPE-bgp-af-vpnv4] peer 3.3.3.9 enable
[SPE-bgp-af-vpnv4] quit
[SPE-bgp] quit
# Configure PE.
<PE> system-view
[PE] bgp 100
[PE-bgp] peer 2.2.2.9 as-number 100
[PE-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE-bgp] ipv4-family vpnv4
[PE-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE-bgp-af-vpnv4] quit
[PE-bgp] quit
Step 5 Configure SPE.
# Configure VPN instances.
[SPE] ip vpn-instance vpna
[SPE-vpn-instance-vpna] ipv4-family
[SPE-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[SPE-vpn-instance-vpna-af-ipv4] vpn-target 1:1
[SPE-vpn-instance-vpna-af-ipv4] quit
[SPE-vpn-instance-vpna] quit
# Specify a UPE for the SPE.
[SPE] bgp 100
[SPE-bgp] ipv4-family vpnv4
[SPE-bgp-af-vpnv4] peer 1.1.1.9 upe
# Advertise the default route of VPN instances to UPE.
[SPE-bgp-af-vpnv4] peer 1.1.1.9 default-originate vpn-instance vpna
[SPE-bgp-af-vpnv4] quit
Step 6 Verify the configuration.
After the configuration, CE1 does not have a route to the network segment of the interface on
CE2, but has a default route with the next hop pointing to the UPE. CE2 has the route to the
network segment of the interface on CE1. Therefore, CE1 and CE2 can ping each other using
the ping ip-address command.
<CE1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      10.1.1.0/24   Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
[CE1] ping 10.2.1.1
PING 10.2.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.2.1.1: bytes=56 Sequence=1 ttl=253 time=85 ms
Reply from 10.2.1.1: bytes=56 Sequence=2 ttl=253 time=70 ms
Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=57 ms
Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=66 ms
Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=55 ms
--- 10.2.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 55/66/85 ms
[CE2] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/24   EBGP    255  0           D   10.2.1.2        GigabitEthernet1/0/0
      10.2.1.0/24   Direct  0    0           D   10.2.1.1        GigabitEthernet1/0/0
      10.2.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
Run the display bgp vpnv4 all routing-table command on the UPE to see the default route of
VPN instance vpna with the next hop pointing to the SPE.
[UPE] display bgp vpnv4 all routing-table
BGP Local router ID is 1.1.1.9
Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total number of routes from all PE: 3

Route Distinguisher: 100:1
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>   10.1.1.0/24        0.0.0.0         0                    0       ?
 *                       10.1.1.1        0                    0       65410?

Route Distinguisher: 200:1
      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>i  0.0.0.0            2.2.2.9         0          100       0       i

      Network            NextHop         MED        LocPrf    PrefVal Path/Ogn
 *>i  0.0.0.0            2.2.2.9         0          100       0       i
 *>   10.1.1.0/24        0.0.0.0         0                    0       ?
 *                       10.1.1.1        0                    0       65410?
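The route views above are the observable signature of HoVPN working as intended: CE1 behind the UPE holds only a default route toward the UPE, while CE2 behind the PE holds the specific route to CE1's segment. The script below is an added example (not part of the Huawei guide) that parses "display ip routing-table" output for both CEs and flags deviations from that pattern, including the case where the UPE is passing full VPN routes instead of the default. Sample tables are re-typed from this section in constructed form; the function names are this example's own.

```python
from typing import Dict, List, NamedTuple


class Route(NamedTuple):
    dest: str
    proto: str
    pre: str
    cost: str
    flags: str
    nexthop: str
    iface: str


# Constructed samples (re-typed in the guide's column layout, not device
# captures): the CE1 and CE2 routing tables after the HoVPN configuration.
CE1_HOVPN = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      10.1.1.0/24   Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
"""

CE2_HOVPN = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/24   EBGP    255  0           D   10.2.1.2        GigabitEthernet1/0/0
      10.2.1.0/24   Direct  0    0           D   10.2.1.1        GigabitEthernet1/0/0
      10.2.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
"""

# Constructed counter-example: what CE1 shows when the UPE hands it the full
# VPN routing table (the flat-VPN view) instead of only a default route.
CE1_FULL_ROUTES = """\
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
      10.1.1.0/24   Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
      10.1.1.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
      10.2.1.0/24   EBGP    255  0           D   10.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
     127.0.0.1/32   Direct  0    0           D   127.0.0.1       InLoopBack0
"""


def parse_routing_table(text: str) -> List[Route]:
    """Parse the rows of a VRP "display ip routing-table" listing.

    Header and summary lines are skipped: a row must start with a prefix
    containing "/" and carry a numeric Pre column.
    """
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 6 and "/" in parts[0]:   # empty Flags column
            parts.insert(4, "")
        if len(parts) != 7 or "/" not in parts[0] or not parts[2].isdigit():
            continue
        routes.append(Route(*parts))
    return routes


def check_hovpn_ce_views(ce1_text: str, ce2_text: str, *, ce1_lan: str,
                         ce2_lan: str, upe_addr: str) -> List[str]:
    """Check the route views the guide expects under HoVPN. Returns a list of
    problems; an empty list means both CEs see what they should."""
    ce1: Dict[str, Route] = {r.dest: r for r in parse_routing_table(ce1_text)}
    ce2: Dict[str, Route] = {r.dest: r for r in parse_routing_table(ce2_text)}
    problems: List[str] = []

    default = ce1.get("0.0.0.0/0")
    if default is None:
        problems.append("CE1 has no default route; the SPE's default-originate "
                        "is not reaching CE1 through the UPE")
    elif default.proto != "EBGP" or default.nexthop != upe_addr:
        problems.append(f"CE1 default route is {default.proto} via "
                        f"{default.nexthop}, expected EBGP via UPE {upe_addr}")
    if ce2_lan in ce1:
        problems.append(f"CE1 holds a specific route to {ce2_lan}; the UPE is "
                        "passing full VPN routes rather than only the default")
    peer = ce2.get(ce1_lan)
    if peer is None or peer.proto != "EBGP":
        problems.append(f"CE2 lacks an EBGP route to {ce1_lan}")
    return problems


if __name__ == "__main__":
    args = dict(ce1_lan="10.1.1.0/24", ce2_lan="10.2.1.0/24", upe_addr="10.1.1.2")
    print("HoVPN view:", check_hovpn_ce_views(CE1_HOVPN, CE2_HOVPN, **args) or "OK")
    print("flat view: ", check_hovpn_ce_views(CE1_FULL_ROUTES, CE2_HOVPN, **args))
```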
----End
Configuration Files
- Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
- Configuration file of UPE
#
sysname UPE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
- Configuration file of SPE
#
sysname SPE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
peer 1.1.1.9 upe
peer 1.1.1.9 default-originate vpn-instance vpna
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
- Configuration file of PE
#
sysname PE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpna
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
- Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
2.16.9 Example for Configuring Multi-VPN-Instance CE
By using OSPF multi-instance on CEs, you can implement service isolation on the LAN.
Networking Requirements
As shown in Figure 2-10, the networking requirements are as follows:
- CE1 and CE2 belong to the same LAN, and MCE, CE3, and CE4 belong to the same LAN.
- An MCE is used by the client to exchange routes between multiple VPN instances.
- CE1 and CE3 belong to vpna, while CE2 and CE4 belong to vpnb.
- vpna and vpnb use different VPN targets.
Users in the same VPN can access each other, but users in different VPNs cannot. The
services of different VPNs on the LAN are thus isolated from each other.
Figure 2-10 Networking diagram of example for Multi-VPN-Instance CE
[Figure: CE1 (Eth1/0/0 10.1.1.1/24, vpna) and CE2 (Eth1/0/0 10.2.1.1/24, vpnb) attach to PE1 (Eth1/0/0 10.1.1.2/24, Eth2/0/0 10.2.1.2/24, Loopback1 1.1.1.9/32). PE1 Eth2/0/1 172.1.1.1/24 connects to PE2 Eth1/0/0 172.1.1.2/24 (Loopback1 2.2.2.9/32). PE2 connects to the MCE over Eth2/0/0 192.1.1.1/24 to Eth1/0/0 192.1.1.2/24 (vpna) and over Eth2/0/1 192.2.1.1/24 to Eth2/0/0 192.2.1.2/24 (vpnb). The MCE attaches CE3 (Eth1/0/0 10.3.1.1/24, vpna) on Eth2/0/1 10.3.1.2/24 and CE4 (Eth1/0/0 10.4.1.1/24, vpnb) on Eth1/0/1 10.4.1.2/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the PEs. Configure MP-IBGP between the PEs so that they distribute the VPN routes learnt from the CEs to each other.
2. Set up an EBGP peer relationship between the PE and the connected CE to import the VPN routes into the VPN routing table of the PE.
3. Configure OSPF multi-instance between the MCE and PE2 to exchange VPN routes. Configure RIPv2 between the MCE and CE3, and between the MCE and CE4, to exchange VPN routes.
NOTE
When configuring OSPF multi-instance between the MCE and PE2, configure the following:
- In the OSPF view of PE2 (the OSPF process used for OSPF multi-instance), import the BGP routes, so that the MCE obtains the VPN routes that PE1 has learned from CE1 or CE2.
- In the BGP view of PE2, import the routes of that OSPF process, so that PE1 obtains the VPN routes from the MCE.
Data Preparation
To complete this configuration, prepare the following data:
- A VPN instance for each isolated service is created on PE1, PE2, and the MCE. Set the name, the RD, and the VPN target of each VPN instance. The VPN targets of different VPN instances must differ from each other, and the VPN targets of the same VPN instance must match across devices.
- Different OSPF multi-instances must use different OSPF process numbers.
- On the MCE, the RIP process number used to import the VPN routes of CE3 must differ from the one used for CE4.
Procedure
Step 1 Run OSPF on routers of the backbone network to implement internetworking.
The detailed configuration procedure is not mentioned here.
After this configuration, the PEs can learn the loopback1 address of each other.
Consider PE2 as an example:
<PE2> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.9/32          OSPF    10   2           D   172.1.1.1       Ethernet1/0/0
2.2.2.9/32          Direct  0    0           D   127.0.0.1       InLoopBack0
127.0.0.0/8         Direct  0    0           D   127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0           D   127.0.0.1       InLoopBack0
172.1.1.0/24        Direct  0    0           D   172.1.1.2       Ethernet1/0/0
172.1.1.1/32        Direct  0    0           D   172.1.1.1       Ethernet1/0/0
172.1.1.2/32        Direct  0    0           D   127.0.0.1       InLoopBack0
Step 2 Enable MPLS and MPLS LDP for PEs to set up an LSP between PEs.
The detailed configuration procedure is not mentioned here. After this configuration, run the
display mpls ldp session command on the PE. You can find that the session status of the MPLS
LDP between the PEs is "operational".
Consider PE2 as an example:
<PE2> display mpls ldp session
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 --------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 --------------------------------------------------------------------------
 1.1.1.9:0          Operational DU   Active   0000:00:04  17/17
 --------------------------------------------------------------------------
 TOTAL: 1 session(s) Found.
Step 3 Configure VPN instances for PEs, and connect CE1 and CE2 to PE1, and MCE to PE2.
# Configure PE1.
<PE1> system-view
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface ethernet1/0/0
[PE1-Ethernet1/0/0] ip binding vpn-instance vpna
[PE1-Ethernet1/0/0] ip address 10.1.1.2 24
[PE1-Ethernet1/0/0] quit
[PE1] interface ethernet2/0/0
[PE1-Ethernet2/0/0] ip binding vpn-instance vpnb
[PE1-Ethernet2/0/0] ip address 10.2.1.2 24
[PE1-Ethernet2/0/0] quit
# Configure PE2.
<PE2> system-view
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface ethernet2/0/0
[PE2-Ethernet2/0/0] ip binding vpn-instance vpna
[PE2-Ethernet2/0/0] ip address 192.1.1.1 24
[PE2-Ethernet2/0/0] quit
[PE2] interface ethernet2/0/1
[PE2-Ethernet2/0/1] ip binding vpn-instance vpnb
[PE2-Ethernet2/0/1] ip address 192.2.1.1 24
[PE2-Ethernet2/0/1] quit
Step 4 Configure the VPN instances on the MCE, and connect CE3, CE4, and PE2 to the MCE.
<Huawei> system-view
[Huawei] sysname MCE
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 300:1
[MCE-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 300:2
[MCE-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface ethernet2/0/1
[MCE-Ethernet2/0/1] ip binding vpn-instance vpna
[MCE-Ethernet2/0/1] ip address 10.3.1.2 24
[MCE-Ethernet2/0/1] quit
[MCE] interface ethernet1/0/1
[MCE-Ethernet1/0/1] ip binding vpn-instance vpnb
[MCE-Ethernet1/0/1] ip address 10.4.1.2 24
[MCE-Ethernet1/0/1] quit
[MCE] interface ethernet1/0/0
[MCE-Ethernet1/0/0] ip binding vpn-instance vpna
[MCE-Ethernet1/0/0] ip address 192.1.1.2 24
[MCE-Ethernet1/0/0] quit
[MCE] interface ethernet2/0/0
[MCE-Ethernet2/0/0] ip binding vpn-instance vpnb
[MCE-Ethernet2/0/0] ip address 192.2.1.2 24
[MCE-Ethernet2/0/0] quit
Step 5 Set up MP-IBGP peer relationship between PE1 and PE2, and set up EBGP peer relationship
between PE1 and CE1, and between PE1 and CE2.
The detailed configuration procedure is not mentioned here. After this configuration, run the display bgp vpnv4 all peer command on PE1. You can find that the IBGP peer relationship between PE1 and PE2 is "Established", and that the EBGP peer relationships between PE1 and CE1 and between PE1 and CE2 are also "Established".
[PE1] display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.9
 Local AS number : 100
 Total number of peers : 3                 Peers in established state : 3
  Peer       V    AS  MsgRcvd  MsgSent  OutQ  Up/Down     State      PrefRcv
  2.2.2.9    4   100       13       10     0  00:03:45  Established        6

 Peer of IPv4-family for vpn instance :
 VPN-Instance vpna, router ID 1.1.1.9:
  10.1.1.1   4 65410        9       11     0  00:04:14  Established        2
 VPN-Instance vpnb, router ID 1.1.1.9:
  10.2.1.1   4 65420        9       12     0  00:04:09  Established        2
Step 6 Configure OSPF multi-instance between PE2 and MCE.
# Configure PE2.
<PE2> system-view
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] import-route bgp
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] import-route bgp
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200
[PE2-bgp-vpnb] quit
# Configure MCE.
<MCE> system-view
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 192.1.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 192.2.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit
Step 7 Configure RIPv2 between MCE and CE3, and between MCE and CE4.
# Configure MCE.
[MCE] rip 100 vpn-instance vpna
[MCE-rip-100] version 2
[MCE-rip-100] network 10.0.0.0
[MCE-rip-100] import-route ospf 100
[MCE-rip-100] quit
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200
# Configure CE3.
<Huawei> system-view
[Huawei] sysname CE3
[CE3] rip 100
[CE3-rip-100] version 2
[CE3-rip-100] network 10.0.0.0
[CE3-rip-100] import-route direct
# Configure CE4.
<Huawei> system-view
[Huawei] sysname CE4
[CE4] rip 200
[CE4-rip-200] version 2
[CE4-rip-200] network 10.0.0.0
[CE4-rip-200] import-route direct
Step 8 Disable routing loop detection on the MCE and import the RIP routes.
<MCE> system-view
[MCE] ospf 100 vpn-instance vpna
[MCE-ospf-100] vpn-instance-capability simple
[MCE-ospf-100] import-route rip 100
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] import-route rip 200
Step 9 Verify the configuration.
After the configuration given above, run the display ip routing-table vpn-instance command on the MCE. You can find that the MCE has a route to each remote CE.
Consider vpna as an example:
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

10.1.1.0/24         O_ASE   150  1           D   192.1.1.1       Ethernet1/0/0
10.1.1.1/32         O_ASE   150  1           D   192.1.1.1       Ethernet1/0/0
10.3.1.0/24         Direct  0    0           D   10.3.1.2        Ethernet2/0/1
10.3.1.1/32         Direct  0    0           D   10.3.1.1        Ethernet2/0/1
10.3.1.2/32         Direct  0    0           D   127.0.0.1       InLoopBack0
192.1.1.0/24        Direct  0    0           D   192.1.1.2       Ethernet1/0/0
192.1.1.1/32        Direct  0    0           D   192.1.1.1       Ethernet1/0/0
192.1.1.2/32        Direct  0    0           D   127.0.0.1       InLoopBack0
Run the display ip routing-table vpn-instance command on the PE. You can find that the PE has a route to each remote CE.
Consider vpna on PE1 as an example:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

10.1.1.0/24         Direct  0    0           D   10.1.1.2        Ethernet1/0/0
10.1.1.1/32         Direct  0    0           D   10.1.1.1        Ethernet1/0/0
10.1.1.2/32         Direct  0    0           D   127.0.0.1       InLoopBack0
10.3.1.0/24         EBGP    255  2           RD  2.2.2.9         Ethernet2/0/1
192.1.1.0/24        EBGP    255  0           RD  2.2.2.9         Ethernet2/0/1
CE1 and CE3 can ping each other. Also, CE2 and CE4 can ping each other.
Consider CE1 as an example:
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=125 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=125 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 125/125/125 ms
CE1 and CE3 cannot ping CE2 or CE4.
Consider pinging CE4 from CE1 as an example:
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
----End
Configuration Files
- Configuration file of CE1
#
sysname CE1
#
interface Ethernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
- Configuration file of CE2
#
sysname CE2
#
interface Ethernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Ethernet2/0/1
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Ethernet1/0/0
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Ethernet2/0/0
ip binding vpn-instance vpna
ip address 192.1.1.1 255.255.255.0
#
interface Ethernet2/0/1
ip binding vpn-instance vpnb
ip address 192.2.1.1 255.255.255.0
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
return
- Configuration file of MCE
#
sysname MCE
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 300:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 300:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
interface Ethernet1/0/0
ip binding vpn-instance vpna
ip address 192.1.1.2 255.255.255.0
#
interface Ethernet2/0/0
ip binding vpn-instance vpnb
ip address 192.2.1.2 255.255.255.0
#
interface Ethernet2/0/1
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Ethernet1/0/1
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
ospf 100 vpn-instance vpna
import-route rip 100
vpn-instance-capability simple
area 0.0.0.0
network 192.1.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 192.2.1.0 0.0.0.255
#
rip 100 vpn-instance vpna
version 2
network 10.0.0.0
import-route ospf 100
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
return
- Configuration file of CE3
#
sysname CE3
#
interface Ethernet1/0/0
ip address 10.3.1.1 255.255.255.0
#
rip 100
version 2
network 10.0.0.0
import-route direct
#
return
- Configuration file of CE4
#
sysname CE4
#
interface Ethernet1/0/0
ip address 10.4.1.1 255.255.255.0
#
rip 200
version 2
network 10.0.0.0
import-route direct
#
return
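The isolation conditions listed under Data Preparation (distinct VPN targets per instance, matching targets for the same instance on every device, unique OSPF and RIP process numbers) can be checked mechanically against configuration files in the format above. The following Python is an added example, not Huawei code: the trimmed PE1 and MCE configurations it embeds are constructed from this section, and the broken MCE variant is invented to show what the checker reports.

```python
"""Audit of the Data Preparation invariants on this page (added example, not Huawei code).
Parses configuration files in the '#'-separated stanza format shown above and checks that
no VPN instance on a device imports a VPN target another instance on it exports (isolation),
that an instance of the same name carries the same targets on every device, and that OSPF
and RIP process numbers bound to VPN instances are unique per device."""
import re

# Constructed samples: trimmed copies of the PE1 and MCE configuration files of this
# section, plus a deliberately broken MCE variant for the checker to catch.
PE1_CFG = """\
sysname PE1
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
MCE_CFG = PE1_CFG.replace("PE1", "MCE").replace("100:", "300:") + """\
ospf 100 vpn-instance vpna
 import-route rip 100
#
ospf 200 vpn-instance vpnb
 import-route rip 200
#
rip 100 vpn-instance vpna
#
rip 200 vpn-instance vpnb
#
"""
# Misconfiguration: vpnb also imports vpna's target and reuses OSPF process 100,
# which would merge the two services on the MCE.
BAD_MCE_CFG = MCE_CFG.replace(
    "  vpn-target 222:2 import-extcommunity",
    "  vpn-target 222:2 import-extcommunity\n  vpn-target 111:1 import-extcommunity",
).replace("ospf 200 vpn-instance vpnb", "ospf 100 vpn-instance vpnb")
PROC_RE = re.compile(r"(ospf|rip) (\d+) vpn-instance (\S+)$")


def parse(cfg):
    """Return (sysname, {instance: {'import': set, 'export': set}}, [(proto, proc, instance)])."""
    name, insts, procs, cur = "?", {}, [], None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("sysname "):
            name = s.split()[1]
        elif s == "#":                  # stanza separator: leaves the current instance view
            cur = None
        elif s.startswith("ip vpn-instance "):
            cur = s.split()[2]
            insts[cur] = {"import": set(), "export": set()}
        elif s.startswith("vpn-target ") and cur:
            _, target, kind = s.split()  # kind: import-extcommunity, export-extcommunity or both
            for d in ("import", "export"):
                if kind in (d + "-extcommunity", "both"):
                    insts[cur][d].add(target)
        elif PROC_RE.match(s):
            procs.append(PROC_RE.match(s).groups())
    return name, insts, procs


def audit(configs):
    """Return human-readable findings; an empty list means every invariant holds."""
    findings, seen = [], {}          # seen: instance -> (device, import set, export set)
    for cfg in configs:
        dev, insts, procs = parse(cfg)
        for a in sorted(insts):
            for b in sorted(insts):
                leak = insts[a]["import"] & insts[b]["export"] if a != b else set()
                if leak:
                    findings.append(f"{dev}: {a} imports {sorted(leak)} exported by {b}; "
                                    "services are not isolated")
            targets = (insts[a]["import"], insts[a]["export"])
            if a in seen and seen[a][1:] != targets:
                findings.append(f"{dev}: VPN targets of {a} differ from those on {seen[a][0]}")
            seen.setdefault(a, (dev,) + targets)
        bound = {}                   # (protocol, process number) -> instance
        for proto, proc, inst in procs:
            if bound.setdefault((proto, proc), inst) != inst:
                findings.append(f"{dev}: {proto} process {proc} is bound to both "
                                f"{bound[(proto, proc)]} and {inst}")
    return findings


if __name__ == "__main__":
    print("MCE as on the page:", audit([PE1_CFG, MCE_CFG]) or "no findings")
    for finding in audit([PE1_CFG, BAD_MCE_CFG]):
        print("broken MCE:", finding)
```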
2.16.10 Example for Connecting VPN and Internet
By configuring a proxy service in the VPN, you can enable the VPN to interconnect with the
Internet.
Networking Requirements
As shown in Figure 2-11, CE1 and CE2 on the private network can access each other. A proxy server with a public network address is attached to CE1, so that users behind CE1 can access the Internet through this proxy server. In this example, the P device stands in for the Internet.
Figure 2-11 Example of enabling VPN users to access the public network
[Figure: The proxy server (Agent Server, 100.3.1.1/24) attaches to CE1 GE2/0/0 100.3.1.2/24 (vpn1, AS 65410). CE1 GE1/0/0 10.1.1.1/24 connects to PE1 GE1/0/0 10.1.1.2/24 (Loopback1 1.1.1.1/32). PE1 GE2/0/0 100.1.1.1/24 connects to P GE1/0/0 100.1.1.2/24 (Loopback1 2.2.2.2/32, labelled Internet); P GE2/0/0 100.2.1.1/24 connects to PE2 GE1/0/0 100.2.1.2/24 (Loopback1 3.3.3.3/32). PE2 GE2/0/0 10.2.1.2/24 connects to CE2 GE1/0/0 10.2.1.1/24 (vpn1, AS 65420). The backbone is AS 100.]
Configuration Roadmap
In this configuration, configure the L3VPN first. The following static routes are then needed:
1. Add a default route on CE1 with PE1 as the next hop.
2. Add a default route from the VPN to the Internet on PE1 with P as the next hop, so that the traffic of the proxy server can reach the Internet.
3. Add a static route from the Internet to the proxy server on PE1 with CE1 as the next hop, and use the IGP to advertise this route to the Internet, so that Internet traffic can reach the server attached to CE1.
Data Preparation
To complete the configuration, you need the following data:
- MPLS LSR ID on the PEs and the Ps
- RD of the VPN
- VPN target of the VPN
Procedure
Step 1 Configure IGP.
Assign IP addresses to the physical interfaces and loopback interfaces on the backbone network. Run an IGP on each backbone router so that PE1, P, and PE2 can ping each other and learn each other's loopback addresses. The detailed configuration procedure is not mentioned here.
Step 2 Set up an MPLS LDP LSP and MP-IBGP peer relationship.
Set up an MPLS LSP and MP-IBGP peer relationship between the PEs. The detailed
configuration procedure is not mentioned here.
After the configuration given above, run the display mpls ldp session command on P. You can find that the LDP session status between PE1 and P, and between PE2 and P, is "Operational".
The display on P is as follows:
<P> display mpls ldp session
 LDP Session(s) in Public Network
 Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
 A '*' before a session means the session is being deleted.
 --------------------------------------------------------------------------
 PeerID             Status      LAM  SsnRole  SsnAge      KASent/Rcv
 --------------------------------------------------------------------------
 1.1.1.1:0          Operational DU   Active   0000:00:05  23/23
 3.3.3.3:0          Operational DU   Passive  0000:00:04  18/18
 --------------------------------------------------------------------------
 TOTAL: 2 session(s) Found.
Run the display bgp vpnv4 all peer command on PE. You can find that the MP-IBGP peer
relationship state is "Established".
Consider PE1 as an example:
<PE1> display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 1                 Peers in established state : 1
  Peer       V    AS  MsgRcvd  MsgSent  OutQ  Up/Down     State      PrefRcv
  3.3.3.3    4   100        6        8     0  00:03:48  Established
Step 3 Create VPN instances and establish EBGP peer relationships.
Create the VPN instance named vpn1 on each PE and bind it to the interface that connects to the CE. Establish the EBGP peer relationship between PE1 and CE1, and between PE2 and CE2, so that the routes on the CE are imported to the PE. The detailed configuration procedure is not mentioned here.
After the configuration given above, run the display ip vpn-instance command on the PE. You can find that the VPN instance names include vpn1.
Consider PE1 as an example:
[PE1] display ip vpn-instance
 Total VPN-Instances configured : 1
 VPN-Instance Name        Address-family
 vpn1                     ipv4
Run the display bgp vpnv4 all peer command on the PE. You can see that both the IBGP peer and the EBGP peer are "Established".
Consider PE1 as an example:
<PE1> display bgp vpnv4 all peer
 BGP local router ID : 1.1.1.1
 Local AS number : 100
 Total number of peers : 2                 Peers in established state : 2
  Peer       V    AS  MsgRcvd  MsgSent  OutQ  Up/Down     State      PrefRcv
  3.3.3.3    4   100      127      134     0  01:39:44  Established        2

 Peer of IPv4-family for vpn instance :
 VPN-Instance vpn1, router ID 1.1.1.1:
  10.1.1.1   4 65410      107      110     0  01:26:33  Established        3
Step 4 Configure the static route to enable VPN to access the public network.
# Configure a default route on CE1 and the next hop is PE1.
<CE1> system-view
[CE1] ip route-static 0.0.0.0 0 10.1.1.2
# Configure PE1.
# Configure a default route from the proxy server of the VPN site to the Internet. The next hop is P. The next hop address must be resolved in the public network routing table; that is, add the keyword public after the next hop address in the command.
<PE1> system-view
[PE1] ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public
# Configure a static route back to the proxy server. The next hop is CE1.
[PE1] ip route-static 100.3.1.0 24 vpn-instance vpn1 10.1.1.1
# Use IGP to advertise the static route back to the proxy server on PE1 to the Internet.
[PE1] ospf 1
[PE1-ospf-1] import-route static
# Configure the proxy server. Set the IP address of the proxy server to 100.3.1.1/24 and its default gateway to CE1, that is, 100.3.1.2/24. Proxy software must also be running on the proxy server.
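The two static routes of this step cross routing tables in opposite directions: the vpn1 default route resolves its next hop in the public table, and the public route to 100.3.1.0/24 resolves its next hop in vpn1. The following Python, an added example rather than Huawei code, simulates PE1's lookups on constructed tables that mirror the Step 5 output, and also shows what omitting the public keyword would do to the default route; resolving the MP-IBGP route through the public table is a simplification of what the device does over the LSP.

```python
"""Longest-prefix lookup across VRFs for the static routes of Step 4 (added example,
not Huawei code). Every route carries the VRF in which its next hop is resolved; the
'public' keyword on the vpn1 default route is modelled as next-hop VRF "public", and the
route learnt over MP-IBGP is simplified to resolve its PE2 next hop in the public table."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    nh_vrf: str      # VRF used to resolve next_hop
    iface: str = ""  # set only on directly connected routes


def rt(prefix, next_hop, nh_vrf, iface=""):
    return Route(ipaddress.ip_network(prefix), next_hop, nh_vrf, iface)


# Constructed PE1 tables, mirroring the Step 5 output on this page.
TABLES = {
    "vpn1": [
        rt("0.0.0.0/0", "100.1.1.2", "public"),  # ip route-static vpn-instance vpn1 0.0.0.0 0 100.1.1.2 public
        rt("10.1.1.0/24", "10.1.1.2", "vpn1", "GigabitEthernet1/0/0"),
        rt("10.2.1.0/24", "3.3.3.3", "public"),  # CE2 site, learnt from PE2 over MP-IBGP
        rt("100.3.1.1/32", "10.1.1.1", "vpn1"),  # proxy server, learnt from CE1 over EBGP
    ],
    "public": [
        rt("100.1.1.0/24", "100.1.1.1", "public", "GigabitEthernet2/0/0"),
        rt("100.2.1.0/24", "100.1.1.2", "public"),  # OSPF
        rt("3.3.3.3/32", "100.1.1.2", "public"),    # OSPF, PE2 loopback
        rt("100.3.1.0/24", "10.1.1.1", "vpn1"),     # ip route-static 100.3.1.0 24 vpn-instance vpn1 10.1.1.1
    ],
}


def lookup(vrf, dst, tables=TABLES):
    """Longest-prefix match of dst in one VRF, or None when the VRF has no route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in tables[vrf] if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def forward(vrf, dst, tables=TABLES):
    """Resolve dst starting in vrf, hopping between VRFs as next hops demand, until a
    directly connected route is reached. Returns ([(vrf, prefix), ...], interface);
    the interface is None when resolution fails or loops."""
    hops, seen, target = [], set(), dst
    while (vrf, target) not in seen:
        seen.add((vrf, target))
        route = lookup(vrf, target, tables)
        if route is None:
            break
        hops.append((vrf, str(route.prefix)))
        if route.iface:
            return hops, route.iface
        vrf, target = route.nh_vrf, route.next_hop
    return hops, None


def without_public_keyword():
    """Same tables, but the vpn1 default route resolves its next hop inside vpn1,
    which is what omitting the 'public' keyword would mean: the next hop 100.1.1.2
    only matches the default route itself, so resolution never reaches an interface."""
    tables = {name: list(routes) for name, routes in TABLES.items()}
    tables["vpn1"][0] = rt("0.0.0.0/0", "100.1.1.2", "vpn1")
    return tables


if __name__ == "__main__":
    print("proxy -> Internet  :", forward("vpn1", "100.2.1.1"))
    print("Internet -> proxy  :", forward("public", "100.3.1.1"))
    print("CE2 site -> proxy  :", forward("vpn1", "100.3.1.1"))
    print("no 'public' keyword:", forward("vpn1", "100.2.1.1", without_public_keyword()))
```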
Step 5 Verify the configuration.
Run the display ip routing-table vpn-instance command on PE1. You can find a default route,
with next hop being 100.1.1.2 and the out-interface being GigabitEthernet2/0/0, exists in the
VPN routing table.
[PE1] display ip routing-table vpn-instance vpn1
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: vpn1
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

0.0.0.0/0           Static  60   0           RD  100.1.1.2       GigabitEthernet2/0/0
10.1.1.0/24         Direct  0    0           D   10.1.1.2        GigabitEthernet1/0/0
10.1.1.1/32         Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/0
10.1.1.2/32         Direct  0    0           D   127.0.0.1       InLoopBack0
10.2.1.0/24         IBGP    255  0           RD  3.3.3.3         GigabitEthernet2/0/0
10.2.1.1/32         IBGP    255  0           RD  3.3.3.3         GigabitEthernet2/0/0
10.2.1.2/32         IBGP    255  0           RD  3.3.3.3         GigabitEthernet2/0/0
100.3.1.1/32        EBGP    255  0           D   10.1.1.1        GigabitEthernet1/0/0
Run the display ip routing-table command on PE1 to verify that the route to the proxy server exists in the public network routing table with 10.1.1.1 as the next hop.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.1/32          Direct  0    0           D   127.0.0.1       InLoopBack0
2.2.2.2/32          OSPF    10   2           D   100.1.1.2       GigabitEthernet2/0/0
3.3.3.3/32          OSPF    10   3           D   100.1.1.2       GigabitEthernet2/0/0
100.1.1.0/24        Direct  0    0           D   100.1.1.1       GigabitEthernet2/0/0
100.1.1.1/32        Direct  0    0           D   127.0.0.1       InLoopBack0
100.1.1.2/32        Direct  0    0           D   100.1.1.2       GigabitEthernet2/0/0
100.2.1.0/24        OSPF    10   2           D   100.1.1.2       GigabitEthernet2/0/0
100.3.1.0/24        Static  60   0           D   10.1.1.1        GigabitEthernet1/0/0
127.0.0.0/8         Direct  0    0           D   127.0.0.1       InLoopBack0
127.0.0.1/32        Direct  0    0           D   127.0.0.1       InLoopBack0
P can ping the proxy server.
[P] ping 100.3.1.1
PING 100.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 100.3.1.1: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 100.3.1.1: bytes=56 Sequence=2 ttl=254 time=62 ms
Reply from 100.3.1.1: bytes=56 Sequence=3 ttl=254 time=62 ms
Reply from 100.3.1.1: bytes=56 Sequence=4 ttl=254 time=62 ms
Reply from 100.3.1.1: bytes=56 Sequence=5 ttl=254 time=62 ms
--- 100.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/62 ms
Also, the proxy server can access P.
----End
Configuration Files
- Configuration file of CE1
#
sysname CE1
#
interface GigabitEthernet1/0/0
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 100.3.1.1 255.255.255.0
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return
- Configuration file of PE1
#
sysname PE1
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:1
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip binding vpn-instance vpn1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 100.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpn1
peer 10.1.1.1 as-number 65410
import-route static
import-route direct
#
ospf 1
import-route static
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 100.1.1.0 0.0.0.255
#
ip route-static 100.3.1.0 24 vpn-instance vpn1 10.1.1.1
ip route-static vpn-instance vpn1 0.0.0.0 0.0.0.0 100.1.1.2 public
#
return
- Configuration file of P
#
sysname P
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip address 100.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 100.1.1.0 0.0.0.255
network 100.2.1.0 0.0.0.255
#
return
- Configuration file of PE2
#
sysname PE2
#
ip vpn-instance vpn1
ipv4-family
route-distinguisher 100:2
vpn-target 1:1 export-extcommunity
vpn-target 1:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface GigabitEthernet1/0/0
ip address 100.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
ip binding vpn-instance vpn1
ip address 10.2.1.2 255.255.255.0
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance vpn1
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 100.2.1.0 0.0.0.255
#
return
- Configuration file of CE2
#
sysname CE2
#
interface GigabitEthernet1/0/0
ip address 10.2.1.1 255.255.255.0
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
3 IPSec Configuration
About This Chapter
IP Security (IPSec) uses data encryption and data source authentication at the IP layer to ensure data confidentiality and integrity and to prevent replay of data packets. Internet Key Exchange (IKE) provides key negotiation and security association (SA) establishment, which simplifies the use and management of IPSec. This chapter describes how to configure IPSec and IKE.
3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and
cryptology-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of
data packets.
3.2 IPSec Features Supported by the AR1200
The AR1200 supports IPSec tunnel established in manual mode or IKE negotiation mode.
3.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.
3.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity,
and set up SAs on an insecure network.
3.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.
3.6 Configuration Examples
This section provides several configuration examples of IPSec.
3.1 IPSec Overview
The IP Security (IPSec) protocol family is a series of protocols defined by the Internet
Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and
cryptology-based security for IP packets. Communicating parties encrypt data and authenticate
the data source at the IP layer to ensure data confidentiality and integrity and prevent replay of
data packets.
IPSec uses two security protocols: Authentication Header (AH) protocol and Encapsulating
Security Payload (ESP). Key exchange and SA establishment in IPSec is implemented by the
Internet Key Exchange (IKE) protocol, which simplifies use and management of IPSec.
IPSec involves the following terms:
- Security association (SA)
  – An SA is a set of conventions adopted by the communicating parties. For example, it determines the security protocol (AH, ESP, or both), encapsulation mode (transport mode or tunnel mode), key algorithm (DES, 3DES, or AES), shared key used to protect a given flow, and the lifetime of the shared key.
  – An SA is unidirectional, so at least two SAs are required to protect data flows in bidirectional communication. If two peers need to communicate using both AH and ESP, each peer needs to establish two SAs, one for each protocol.
  – An SA is identified by three parameters: Security Parameter Index (SPI), destination IP address, and security protocol ID (AH or ESP).
- Encapsulation mode
  – Transport mode: AH or ESP is inserted behind the IP header but before all transport-layer protocols or all other IPSec protocols, as shown in Figure 3-1.
  – Tunnel mode: AH or ESP is inserted before the original IP header but behind a new IP header, as shown in Figure 3-2.
Figure 3-1 Packet format in transport mode
Mode: transport
AH:     IP Header | AH | TCP Header | data
ESP:    IP Header | ESP | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP: IP Header | AH | ESP | TCP Header | data | ESP Tail | ESP Auth data
Figure 3-2 Packet format in tunnel mode
Mode: tunnel
AH:     new IP Header | AH | raw IP Header | TCP Header | data
ESP:    new IP Header | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
AH-ESP: new IP Header | AH | ESP | raw IP Header | TCP Header | data | ESP Tail | ESP Auth data
- Authentication algorithm and encryption algorithm
  – IPSec uses the Message Digest 5 (MD5) algorithm or Secure Hash Algorithm (SHA-1) for authentication. The MD5 algorithm computes faster than the SHA-1 algorithm, but the SHA-1 algorithm is more secure than the MD5 algorithm.
  – IPSec uses the DES, Triple Data Encryption Standard (3DES), or Advanced Encryption Standard (AES) algorithm for encryption. The AES algorithm encrypts plain text by using a key of 128 bits, 192 bits, or 256 bits.
- Negotiation mode
  IPSec uses two negotiation modes to establish SAs: manual mode (manual) and IKE negotiation mode (isakmp).
3.2 IPSec Features Supported by the AR1200
The AR1200 supports IPSec tunnel established in manual mode or IKE negotiation mode.
The AR1200 implements the IPSec functions described in 3.1 IPSec Overview.
IPSec peers adopt various security protection measures (authentication, encryption, or both) on
different data flows.
The IPSec configuration roadmap is as follows:
1. Define data flows to be protected by using an ACL.
2. Configure an IPSec proposal to specify the security protocol, authentication algorithm, encryption algorithm, and encapsulation mode.
3. Configure an IPSec policy or an IPSec policy group to specify the association between data flows and the IPSec proposal (protection measures for the data flows), SA negotiation mode, peer IP address (start and end points of the protection path), required key, and SA lifetime.
4. Apply the IPSec policy on an interface of the router.
In addition, IPSec supports MPLS VPN access. You can implement this function by:
- Associating a VPN instance with an SA
- Configuring the router as a PE and associating the VPN instance with the PE interface connected to the CE
3.3 Establishing an IPSec Tunnel Manually
You can establish IPSec tunnels manually when the network topology is simple.
3.3.1 Establishing the Configuration Task
Before manually establishing an IPSec tunnel, familiarize yourself with the applicable
environment, complete the pre-configuration tasks, and obtain the required data.
Applicable Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
Pre-configuration Tasks
Before establishing an IPSec tunnel manually, complete the following tasks:
- Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure that the link-layer protocol on the interfaces is Up
- Configuring routes between the source and the destination
Data Preparation
To establish an IPSec tunnel manually, you need the following data.
No. | Data
1 | Parameters of an advanced ACL
2 | IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
3 | IPSec policy settings, including:
    - Name and sequence number of the IPSec policy
    - Local and peer IP addresses of the tunnel
    - Inbound and outbound SPIs for AH or ESP
    - Inbound and outbound authentication keys (character string or hexadecimal number) for AH or ESP
    - (optional) VPN instance name
4 | Type and number of the interface to which the IPSec policy is applied
NOTE
Use the AH or ESP protocol based on requirements on your network.
3.3.2 Defining Protected Data Flows
IPSec can protect different data flows. In real-world applications, configure an ACL to define
the protected data flows and apply the ACL to a security policy.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]
An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule
An ACL rule is configured.
NOTE
- The ACL must be configured to match the data flows accurately. It is recommended that you set the action of the ACL rule to permit for the data flows that need to be protected.
- Create different ACLs and IPSec policies for the data flows with different security requirements.
----End
3.3.3 Configuring an IPSec Proposal
An IPSec proposal defines the security protocol, authentication algorithm, encryption algorithm,
and packet encapsulation mode. Both ends of a tunnel must use the same IPSec proposal
configuration.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
An IPSec proposal is created and the IPSec proposal view is displayed.
Step 3 (Optional) Run:
transform { ah | esp | ah-esp }
The security protocol is specified.
By default, the ESP protocol defined in RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }
The authentication algorithm used by AH is specified.
Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]
The authentication algorithm used by ESP is specified.
By default, both ESP and AH use the MD5 authentication algorithm.
You can configure the authentication and encryption algorithms only after selecting a security
protocol using the transform command.
Step 6 (Optional) Run:
esp encryption-algorithm [ 3des | des | aes-128 | aes-192 | aes-256 ]
The encryption algorithm used by ESP is specified.
By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }
The packet encapsulation mode is configured.
By default, the tunnel mode is used.
----End
3.3.4 Configuring an IPSec Policy
When establishing an IPSec tunnel manually, configure an IPSec policy in manual mode for the tunnel.
Context
CAUTION
When configuring SPI, string authentication key (string-key), hexadecimal authentication key
(authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an
IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound
parameters on the remote end, and the outbound parameters on the local end are the same as the
inbound parameters on the remote end.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number manual
An IPSec policy is created.
An IPSec policy group can contain up to 10000 IPSec policies. By default, no IPSec policy
exists.
Step 3 Run:
security acl acl-number
An ACL is applied to the IPSec policy.
An IPSec policy can use only one ACL. If more than one ACL is applied to the IPSec policy,
the last configured ACL takes effect.
Step 4 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy.
If the manual mode is used, an IPSec policy can use only one proposal. If an IPSec proposal has
been applied to the IPSec policy, cancel the existing proposal before applying a new one to the
IPSec policy. In addition, the IPSec proposals applied on the two ends of a tunnel must have the
same security protocol, algorithm, and packet encapsulation mode.
Step 5 Run:
tunnel local ip-address
The IP address of the local end is configured.
Step 6 Run:
tunnel remote ip-address
The IP address of the remote end is configured.
Step 7 Run:
sa spi { inbound | outbound } { ah | esp } spi-number
The SPI of the SA is configured.
When configuring an SA, set both inbound and outbound parameters.
To manually create an IPSec tunnel, use the sa spi command together with the sa string-key,
sa authentication-hex, or sa encryption-hex command.
The SA parameters on two ends of a tunnel must match each other. The inbound SPI of the local
end must be the same as the outbound SPI of the remote end, and the outbound SPI of the local
end must be the same as the inbound SPI of the remote end.
Step 8 (Optional) Run:
sa authentication-hex { inbound | outbound } { ah | esp } hex-key
The authentication key (a hexadecimal number) of the security protocol is configured.
Step 9 (Optional) Run:
sa string-key { inbound | outbound } { ah | esp } string-key
The authentication key (a character string) of the security protocol is configured.
CAUTION
Use the same key format on the two ends. For example, if the key on one end is a character string
but the key on the other end is a hexadecimal number, the IPSec tunnel cannot be established.
If you configure the keys in different formats, the last configured key takes effect.
Step 10 (Optional) Run:
sa encryption-hex { inbound | outbound } esp hex-key
The encryption key (a hexadecimal number) is configured for ESP.
Step 11 (Optional) Run:
sa binding vpn-instance vpn-instance-name
A VPN instance is associated with the SA.
----End
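The mirroring rule in the CAUTION above (the local inbound SPI and key equal the remote outbound SPI and key, and both ends use the same key format) is easy to get wrong when the two routers are configured separately. The following Python script is an added example, not part of this guide or of the AR1200 software: it models the manual SA parameters of each end, reports every place where the two ends fail to mirror each other, and renders the 3.3.4 command sequence for each end. The router names and addresses are taken from Figure 3-3; the ACL number 3101, the policy name map1, the proposal name tran1, and all SPIs and keys are constructed sample values, and the one-space indentation of commands under the policy view is this example's own convention.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of one end of a manually keyed IPSec tunnel: the values that
# 3.3.4 configures with sa spi / sa string-key / sa authentication-hex /
# sa encryption-hex. This is not the router's own data model.


@dataclass
class ManualSa:
    protocol: str                             # "ah" or "esp"
    spi: Dict[str, int]                       # "inbound"/"outbound" -> SPI
    auth_key: Dict[str, Tuple[str, str]]      # direction -> (key command, value)
    enc_key: Dict[str, str] = field(default_factory=dict)  # direction -> hex key (ESP only)


@dataclass
class ManualEnd:
    name: str
    policy: str
    seq: int
    acl: int
    proposal: str
    local_ip: str
    remote_ip: str
    sas: List[ManualSa]


OPPOSITE = {"inbound": "outbound", "outbound": "inbound"}


def check_symmetry(local: ManualEnd, remote: ManualEnd) -> List[str]:
    """Return the mismatches between two ends; an empty list means they mirror each other."""
    problems: List[str] = []
    if (local.local_ip, local.remote_ip) != (remote.remote_ip, remote.local_ip):
        problems.append("tunnel local/remote addresses are not mirrored")
    lp = {sa.protocol: sa for sa in local.sas}
    rp = {sa.protocol: sa for sa in remote.sas}
    if set(lp) != set(rp):
        problems.append(f"security protocols differ: {sorted(lp)} vs {sorted(rp)}")
        return problems
    for proto, lsa in lp.items():
        rsa = rp[proto]
        for d, o in OPPOSITE.items():
            # Local inbound must equal remote outbound and vice versa (CAUTION in 3.3.4).
            if lsa.spi.get(d) != rsa.spi.get(o):
                problems.append(f"{proto}: {local.name} {d} SPI {lsa.spi.get(d)} != "
                                f"{remote.name} {o} SPI {rsa.spi.get(o)}")
            lk, rk = lsa.auth_key.get(d), rsa.auth_key.get(o)
            if lk is None or rk is None:
                problems.append(f"{proto}: {d} authentication key missing on one end")
            elif lk[0] != rk[0]:
                # A string key on one end and a hexadecimal key on the other never match.
                problems.append(f"{proto}: {d} key format {lk[0]} on {local.name} "
                                f"vs {rk[0]} on {remote.name}")
            elif lk[1] != rk[1]:
                problems.append(f"{proto}: {d} authentication key value differs")
            if proto == "esp" and lsa.enc_key.get(d) != rsa.enc_key.get(o):
                problems.append(f"{proto}: {d} encryption key differs")
    return problems


def render_policy(end: ManualEnd) -> List[str]:
    """Emit the 3.3.4 commands for one end, in the order the procedure lists them."""
    lines = [
        f"ipsec policy {end.policy} {end.seq} manual",
        f" security acl {end.acl}",
        f" proposal {end.proposal}",
        f" tunnel local {end.local_ip}",
        f" tunnel remote {end.remote_ip}",
    ]
    for sa in end.sas:
        for d in ("inbound", "outbound"):
            lines.append(f" sa spi {d} {sa.protocol} {sa.spi[d]}")
            cmd, value = sa.auth_key[d]
            lines.append(f" sa {cmd} {d} {sa.protocol} {value}")
            if sa.protocol == "esp" and d in sa.enc_key:
                lines.append(f" sa encryption-hex {d} esp {sa.enc_key[d]}")
    return lines


# Constructed sample: ESP with string keys, SPIs and keys mirrored between the ends.
ROUTER_A = ManualEnd("RouterA", "map1", 10, 3101, "tran1", "202.138.163.1", "202.138.162.1",
                     [ManualSa("esp", {"inbound": 12345, "outbound": 54321},
                               {"inbound": ("string-key", "abcdefg"),
                                "outbound": ("string-key", "gfedcba")})])
ROUTER_B = ManualEnd("RouterB", "map1", 10, 3101, "tran1", "202.138.162.1", "202.138.163.1",
                     [ManualSa("esp", {"inbound": 54321, "outbound": 12345},
                               {"inbound": ("string-key", "gfedcba"),
                                "outbound": ("string-key", "abcdefg")})])
# Same as RouterB except that its outbound key was entered as a hexadecimal number
# (placeholder value): per the CAUTION in 3.3.4 the tunnel cannot be established.
ROUTER_B_HEX = ManualEnd("RouterB", "map1", 10, 3101, "tran1", "202.138.162.1", "202.138.163.1",
                         [ManualSa("esp", {"inbound": 54321, "outbound": 12345},
                                   {"inbound": ("string-key", "gfedcba"),
                                    "outbound": ("authentication-hex",
                                                 "0123456789abcdef0123456789abcdef")})])

if __name__ == "__main__":
    print("\n".join(render_policy(ROUTER_A)))
    print("mismatches A<->B:", check_symmetry(ROUTER_A, ROUTER_B))
    print("mismatches A<->B_hex:", check_symmetry(ROUTER_A, ROUTER_B_HEX))
```

Run the check before applying the policy to the interface: the SA is generated immediately in manual mode (3.3.5), so an asymmetric SPI or key shows up as traffic being dropped rather than as a negotiation failure message.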
3.3.5 Applying an IPSec Policy to an Interface
A manually configured IPSec policy can be applied to only one interface.
Context
An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through
IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used
to establish an SA manually can be applied only to one interface. If the applied IPSec policy
establishes an SA in manual mode, the SA is generated immediately.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipsec policy policy-name
An IPSec policy is applied to the interface.
----End
3.3.6 Checking the Configuration
After an IPSec tunnel is manually established, you can check information about the SA, IPSec
proposal, and IPSec policy.
Prerequisite
The configurations required for establishing an IPSec tunnel manually are complete.
Procedure
- Run the display ipsec sa command to view information about the SA.
- Run the display ipsec proposal [ name proposal-name ] command to view information about the IPSec proposal.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about the IPSec policy.
----End
3.4 Establishing an IPSec Tunnel Through IKE Negotiation
IKE provides an automatic protection mechanism to distribute keys, authenticate the identity,
and set up SAs on an insecure network.
3.4.1 Establishing the Configuration Task
Before establishing an IPSec tunnel through IKE negotiation, familiarize yourself with the
applicable environment, complete the pre-configuration tasks, and obtain the required data.
Application Environment
Data flows must be authenticated to ensure data transmission security. In a high security scenario,
data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device
that initiates the IPSec service and the device that terminates the IPSec service.
When the network topology is complex, you can establish IPSec tunnels through IKE
negotiation.
Pre-configuration Tasks
Before establishing an IPSec tunnel through IKE negotiation, complete the following tasks:
l
Setting parameters of the link-layer protocol and IP addresses for the interfaces to ensure
that the link-layer protocol on the interfaces is Up
l
Configuring routes between the source and the destination
Data Preparation
To establish an IPSec tunnel through IKE negotiation, you need the following data.
No. | Data
1 | Parameters of an advanced ACL
2 | Priority of the IKE proposal, encryption algorithm, authentication algorithm, and authentication method used in IKE negotiation, identifier of the Diffie-Hellman group, and SA lifetime
3 | IKE peer name, negotiation mode, IKE proposal name, IKE peer ID type, pre-shared key, remote address, (optional) VPN instance bound to the IPSec tunnel, and remote host name
4 | IPSec proposal name, security protocol, authentication algorithm of AH, authentication algorithm and encryption algorithm of ESP, and packet encapsulation mode
5 | Name and sequence number of the IPSec policy, (optional) Perfect Forward Secrecy (PFS) feature used in IKE negotiation
6 | (Optional) Name of the IPSec policy template
7 | (Optional) Local address of the IPSec policy group, time-based global SA lifetime, traffic-based global SA lifetime, interval for sending keepalive packets, timeout interval of keepalive packets, and interval for sending NAT update packets
8 | Type and number of the interface to which the IPSec policy is applied
NOTE
Use the AH or ESP protocol based on requirements on your network.
3.4.2 Defining Protected Data Flows
IPSec can protect different data flows. In real-world applications, configure an ACL to define
the protected data flows and apply the ACL to a security policy.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
acl [ number ] acl-number [ match-order { config | auto } ]
An advanced ACL is created and the ACL view is displayed.
Step 3 Run:
rule
An ACL rule is configured.
----End
3.4.3 Configuring an IKE Proposal
You can create multiple IKE proposals with different priority levels. The two ends must have
at least one matching IKE proposal for IKE negotiation.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike proposal proposal-number
An IKE proposal is created and the IKE proposal view is displayed.
The IKE negotiation succeeds only when the two ends use the IKE proposals with the same
settings.
Step 3 (Optional) Run:
encryption-algorithm { des-cbc | 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 }
The encryption algorithm is configured.
By default, an IKE proposal uses the DES-CBC encryption algorithm.
Step 4 (Optional) Run:
authentication-algorithm { md5 | sha1 }
The authentication algorithm is configured.
By default, an IKE proposal uses the SHA-1 algorithm.
Step 5 (Optional) Run:
dh { group1 | group2 }
The Diffie-Hellman group is specified.
Step 6 (Optional) Run:
prf { hmac-md5 | hmac-sha1 }
The algorithm used to generate the pseudo random number is specified.
Step 7 (Optional) Run:
sa duration interval
The SA lifetime is set.
If the lifetime expires, the IKE SA is automatically updated.
You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of
manually created SAs is not limited. That is, the manually created SAs are always effective.
----End
3.4.4 Configuring an IKE Peer
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ike peer peer-name [ v1 | v2 ]
An IKE peer is created and the IKE peer view is displayed.
Step 3 (Optional) Run:
exchange-mode { main | aggressive }
The IKE negotiation mode is configured.
In aggressive mode, the local ID type must be set to ip or name in step 5. In main mode, the
local ID type must be set to ip.
Step 4 (Optional) Run:
ike-proposal proposal-number
An IKE proposal is configured.
Step 5 (Optional) Run:
local-id-type { ip | name }
The local ID type is configured.
By default, the IP address of the local end is used as the local ID.
Step 6 (Optional) Run:
local-address address
The IP address of the local end is configured.
By default, the local end address is the IP address of the interface bound to the IPSec policy.
Step 7 (Optional) Run:
peer-id-type { ip | name }
The peer ID type is configured.
By default, the IP address of the local end is used as the local ID.
The peer-id-type command is valid only when IKEv2 is used.
Step 8 (Optional) Run:
nat traversal
NAT traversal is enabled.
When NAT traversal is enabled, local-id-type must be set to name.
Step 9 (Optional) Run:
pre-shared-key key-string
The pre-shared key used by the local end and remote peer is configured.
If pre-shared key authentication is configured, configure a pre-shared key for each remote peer.
The two ends of an IPSec tunnel must use the same pre-shared key.
When pre-shared key authentication is configured, an authenticator must be configured.
Step 10 (Optional) Run:
remote-address [ vpn-instance vpn-instance-name ] ip-address
The IP address or the domain name of the remote peer is configured.
Step 11 (Optional) Run:
sa binding vpn-instance vpn-instance-name
A VPN instance is associated with the SA.
By specifying the VPN instance that the remote end of the IPSec tunnel belongs to, you can
implement multi-instance IPSec connections. The configuration takes effect only on the initiator
of the IPSec tunnel. The initiator needs to obtain the outbound interface when sending packets.
This command specifies the VPN that the remote end belongs to. According to the VPN, the
tunnel initiator can obtain the outbound interface and send packets through the outbound
interface. The packets received by the remote peer contain the VPN attribute, so you do not need
to specify the VPN on the remote peer.
Step 12 (Optional) Run:
remote-name name
The remote host name is configured. Perform this step only when name authentication is used
in aggressive mode.
If IKEv2 is used, set local-id-type to ip and peer-id-type to name, and configure remote-name.
Step 13 Run:
quit
Return to the system view.
Step 14 (Optional) Run:
ike local-name local-name
The local host name used in the IKE negotiation is configured.
Perform this step when the local-id-type is set to name.
----End
3.4.5 Configuring an IPSec Proposal
Both ends of the tunnel must be configured with the same security protocol, authentication
algorithm, encryption algorithm, and packet encapsulation mode.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec proposal proposal-name
An IPSec proposal is created and the IPSec proposal view is displayed.
Step 3 (Optional) Run:
transform { ah | esp | ah-esp }
The security protocol is configured.
By default, the ESP protocol defined in RFC 2406 is used.
Step 4 (Optional) Run:
ah authentication-algorithm { md5 | sha1 }
The authentication algorithm used by AH is configured.
By default, AH uses the MD5 authentication algorithm.
Step 5 (Optional) Run:
esp authentication-algorithm [ md5 | sha1 ]
The authentication algorithm used by ESP is configured.
By default, ESP uses the MD5 authentication algorithm.
Step 6 (Optional) Run:
esp encryption-algorithm { 3des | des | aes-128 | aes-192 | aes-256 }
The encryption algorithm used by ESP is configured.
By default, ESP uses the DES encryption algorithm.
Step 7 (Optional) Run:
encapsulation-mode { transport | tunnel }
The packet encapsulation mode is configured.
By default, the security protocol uses the tunnel mode to encapsulate IP packets.
----End
3.4.6 Configuring an IPSec Policy
After configuring an IKE peer, apply it to an IPSec policy. Then the two ends can start IKE
negotiation.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy policy-name seq-number isakmp [ template template-name ]
An IPSec policy is created.
Step 3 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy.
An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals.
During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same
parameter settings first.
Step 4 Run:
security acl acl-number
An ACL is applied to the IPSec policy.
Step 5 (Optional) Run:
sa trigger-mode { auto | traffic-based }
The SA triggering mode is configured.
After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering
mode. In automatic triggering mode, the IPSec SA is established immediately after IKE
negotiation phase 1 succeeds. In traffic-based triggering mode, the IPSec SA is established only
after packets are received.
By default, the automatic triggering mode is used.
Step 6 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
The SA lifetime is set.
- In IKEv1, the IKE peers compare the lifetime set in their IPSec proposals and use the smaller value as the IPSec SA lifetime.
- In IKEv2, the IKE peers do not negotiate the SA lifetime. Instead, they use the locally set SA lifetime.
- The default IPSec SA lifetime is 3600 seconds, and the default traffic volume is 1843200 kilobytes.
Step 7 Run:
ike-peer peer-name
An IKE peer is applied to the IPSec policy.
Step 8 (Optional) Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The Diffie-Hellman group specified on the two ends must be the same; otherwise, the negotiation fails. If the remote end uses the template mode, the Diffie-Hellman groups can be different.
----End
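Sections 3.4.3, 3.4.4 and 3.4.6 each state a rule that decides whether two routers will actually negotiate: the ends need at least one IKE proposal with identical settings, the IKE peer's ID type must fit its exchange mode and NAT traversal setting, and the IPSec SA lifetime is the smaller of the two sides' values in IKEv1 but the local value in IKEv2. The following Python script is an added example, not part of this guide or of the AR1200 software, that applies those three rules to constructed sample configurations. Its defaults for encryption (DES-CBC) and authentication (SHA-1) are the ones this guide gives for an IKE proposal; the DH group and PRF defaults, and the assumption that a smaller proposal number means a higher priority, are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IkeProposal:
    """One ike proposal entry (3.4.3). Defaults: DES-CBC and SHA-1 per the guide;
    group1 and hmac-sha1 are assumed here, not stated by the guide."""
    number: int                 # assumed: smaller number = higher priority
    encryption: str = "des-cbc"
    authentication: str = "sha1"
    dh: str = "group1"
    prf: str = "hmac-sha1"

    def params(self) -> Tuple[str, str, str, str]:
        return (self.encryption, self.authentication, self.dh, self.prf)


def negotiate_ike_proposal(initiator: List[IkeProposal],
                           responder: List[IkeProposal]) -> Optional[Tuple[IkeProposal, IkeProposal]]:
    """Return the first (initiator, responder) pair with identical settings, walking
    both lists in priority order; None means IKE negotiation cannot succeed."""
    for ip in sorted(initiator, key=lambda p: p.number):
        for rp in sorted(responder, key=lambda p: p.number):
            if ip.params() == rp.params():
                return ip, rp
    return None


def validate_ike_peer(exchange_mode: str, local_id_type: str, nat_traversal: bool) -> List[str]:
    """Constraints from 3.4.4 steps 3, 5 and 8 on one IKE peer; empty list means consistent."""
    errors: List[str] = []
    if exchange_mode == "main" and local_id_type != "ip":
        errors.append("main mode requires local-id-type ip")
    if exchange_mode == "aggressive" and local_id_type not in ("ip", "name"):
        errors.append("aggressive mode requires local-id-type ip or name")
    if nat_traversal and local_id_type != "name":
        errors.append("nat traversal requires local-id-type name")
    return errors


Lifetime = Tuple[int, int]              # (seconds, kilobytes)
DEFAULT_LIFETIME: Lifetime = (3600, 1843200)   # defaults stated in 3.4.6 step 6


def effective_lifetime(policy_setting: Optional[Lifetime],
                       global_setting: Optional[Lifetime]) -> Lifetime:
    """sa duration in the policy wins; otherwise ipsec sa global-duration (3.4.8);
    otherwise the guide's defaults."""
    return policy_setting or global_setting or DEFAULT_LIFETIME


def negotiated_ipsec_lifetime(ike_version: str, local: Lifetime, remote: Lifetime) -> Lifetime:
    """IKEv1 takes the smaller value per dimension; IKEv2 uses the local value unchanged."""
    if ike_version == "v1":
        return (min(local[0], remote[0]), min(local[1], remote[1]))
    if ike_version == "v2":
        return local
    raise ValueError(f"unknown IKE version {ike_version!r}")


# Constructed sample proposal lists for the two ends.
SITE_A = [IkeProposal(10, "aes-cbc-128", "sha1", "group2"), IkeProposal(20)]
SITE_B = [IkeProposal(5, "3des-cbc", "md5", "group2"),
          IkeProposal(30, "aes-cbc-128", "sha1", "group2")]

if __name__ == "__main__":
    print("matched proposals:", negotiate_ike_proposal(SITE_A, SITE_B))
    print("peer check:", validate_ike_peer("main", "name", False))
    print("IKEv1 lifetime:", negotiated_ipsec_lifetime("v1", (3600, 1843200), (1800, 2000000)))
```

Note that a peer configured with main mode and NAT traversal fails both constraints at once, because main mode needs an IP identity and NAT traversal needs a name identity; the guide's text resolves this only by using aggressive mode with local-id-type name.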
3.4.7 (Optional) Configuring an IPSec Policy Template
An IPSec policy template can be used to configure multiple IPSec policies, reducing the
workload of establishing multiple IPSec tunnels.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec policy-template policy-template-name seq-number
An IPSec policy template is created.
Step 3 (Optional) Run:
security acl acl-number
An ACL is applied to the IPSec policy template.
Step 4 Run:
proposal proposal-name
An IPSec proposal is applied to the IPSec policy template.
An IPSec policy that uses IKE negotiation can reference a maximum of six IPSec proposals.
During IKE negotiation, the two ends of the IPSec tunnel use the IPSec proposals with the same
parameter settings first.
Step 5 (Optional) Run:
sa duration { traffic-based kilobytes | time-based interval }
The IPSec SA lifetime is set.
Step 6 Run:
ike-peer peer-name
An IKE peer is applied to the IPSec policy template.
Step 7 (Optional) Run:
pfs { dh-group1 | dh-group2 }
The Perfect Forward Secrecy (PFS) feature used in the negotiation is configured.
By default, the PFS feature is not used in IKE negotiation.
----End
3.4.8 (Optional) Setting Optional Parameters
This section describes how to set optional parameters for IKE negotiation.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
ipsec sa global-duration { time-based interval | traffic-based kilobytes }
The global SA lifetime is set.
You can set the lifetime only for the SAs established through IKE negotiation. The lifetime of
manually created SAs is not limited. That is, the manually created SAs are always effective.
If the SA lifetime is not set in an IPSec policy, the global lifetime is used.
The new global lifetime does not affect the IPSec policies that have their own lifetime or the
SAs that have been established. The new global lifetime will be used to establish new SAs during
IKE negotiation.
Step 3 Run:
ike heartbeat-timer interval interval
The interval for sending heartbeat packets is set.
Step 4 Run:
ike heartbeat-timer timeout interval
The timeout interval of heartbeat packets is set.
If the interval for sending heartbeat packets is set on one end, the timeout interval of heartbeat
packets must be set on the other end.
On a network, packet loss rarely occurs consecutively more than three times. Therefore, the
timeout interval of heartbeat packets on one end can be set to three times the interval for sending
heartbeat packets on the other end.
Step 5 Run:
ike nat-keepalive-timer interval interval
The interval for sending NAT keepalive packets is set.
Step 6 Run:
ipsec anti-replay { enable | disable }
The anti-replay function is set.
Step 7 Run:
ike peer
The IKE peer view is displayed.
Step 8 Run:
local-address address
The IP address of the local end is configured.
Step 9 Run the following commands to configure the dead peer detection (DPD) function.
- Run:
dpd { idle-time seconds | retransmit-interval seconds | retry-limit times }
The idle time for DPD, retransmission interval of DPD packets, and maximum number of retransmissions are set.
- Run:
dpd msg { seq-hash-notify | seq-notify-hash }
The sequence of payloads in DPD packets is configured.
- Run:
dpd type { on-demand | periodic }
The DPD mode is configured.
----End
3.4.9 Applying an IPSec Policy to an Interface
An interface can use only one IPSec policy. An IPSec policy for IKE negotiation can be applied
to multiple interfaces.
Procedure
Step 1 Run:
system-view
The system view is displayed.
Step 2 Run:
interface interface-type interface-number
The interface view is displayed.
Step 3 Run:
ipsec policy policy-name
An IPSec policy is applied to the interface.
Only one IPSec policy can be applied to an interface. An IPSec policy can be applied to multiple
interfaces.
After the configuration is complete, the packets transmitted between two ends of the IPSec tunnel
trigger SA establishment through IKE negotiation. In automatic triggering mode, the SA is
established immediately after the IKE negotiation succeeds. In traffic-based triggering mode,
the SA is established only after data flows matching the IPSec policy are sent from the interface.
After IKE negotiation succeeds and the SA is established, the data flows are encrypted and then
transmitted between two ends.
----End
3.4.10 Checking the Configuration
After an IPSec tunnel is established through IKE negotiation, you can view information about
the SA, configuration of the IKE peer, and configuration of the IKE proposal.
Prerequisite
The configurations required to establish an IPSec tunnel through IKE negotiation are complete.
Procedure
- Run the display ike sa command to view information about the SAs established through IKE negotiation.
- Run the display ike peer [ name peer-name ] [ verbose ] command to view the configuration of a specified IKE peer or all IKE peers.
- Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals.
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to view the configuration of a specified SA or all SAs.
- Run the display ipsec policy [ brief | name policy-name [ seq-number ] ] command to view information about a specified IPSec policy or all IPSec policies.
- Run the display ipsec proposal [ name proposal-name ] command to view information about a specified IPSec proposal or all IPSec proposals.
----End
3.5 Maintaining IPSec
This section describes how to display the IPSec configuration and clear the IPSec statistics.
3.5.1 Displaying the IPSec Configuration
You can run the following display commands to view information about the SA, established
IPSec tunnel, and statistics about IPSec packets.
Prerequisite
The configurations of IPSec are complete.
Procedure
- Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | peerip peer-ip-address ] command to check information about the IPSec SA.
- Run the display ike sa [ v2 ] [ conn-id connid | peer-name peername | phase phase-number ] [ verbose ] command to check information about the IPSec tunnel that is established.
- Run the display ipsec statistics { ah | esp } command to check the statistics about IPSec packets.
- Run the display ike statistics all msg v2 command to check the statistics about IKE packets.
----End
3.5.2 Clearing IPSec Information
This section describes how to clear the statistics about IPSec and IKE packets, information about
SAs, and information about the IPSec tunnels established through IKE negotiation.
Context
CAUTION
The statistics cannot be restored after being cleared.
Procedure
- Run the reset ipsec statistics { ah | esp } command in the user view to clear the statistics about IPSec packets.
- Run the reset ike statistics { all | msg } command in the user view to clear the statistics about IKE packets.
- Run the reset ipsec sa [ remote ip-address | policy policy-name [ seq-number ] | parameters dest-address { ah | esp } spi ] command in the user view to clear an SA.
- Run the reset ike sa { all | conn-id connection-id } command in the user view to delete a specified IPSec tunnel or all established IPSec tunnels.
----End
3.6 Configuration Examples
This section provides several configuration examples of IPSec.
3.6.1 Example for Establishing an SA Manually
You can establish security associations (SAs) manually when the network topology is simple.
When there are a large number of devices on the network, it is difficult to establish SAs manually,
and network security cannot be ensured.
Networking Requirements
As shown in Figure 3-3, an IPSec tunnel is established between RouterA and RouterB to protect
data flows between the subnet of PC A (10.1.1.x) and subnet of PC B (10.1.2.x). The IPSec
tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1 authentication algorithm.
Figure 3-3 Network diagram for configuring IPSec (diagram not reproduced: RouterA Eth 1/0/0 202.138.163.1/24 and RouterB Eth 1/0/0 202.138.162.1/24 are connected across the Internet by the IPSec tunnel; PC A 10.1.1.2/24 sits behind RouterA and PC B 10.1.2.2/24 behind RouterB)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure Access Control Lists (ACLs) and define the data flows to be protected.
3. Configure static routes to peers.
4. Configure an IPSec proposal.
5. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
6. Apply IPSec policies to interfaces.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
# Assign an IP address to the interface of RouterB.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure an ACL on RouterB.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3101] quit
Step 3 Configure static routes to the peers on RouterA and RouterB.
# Configure a static route to the peer on RouterA. In this example, the next hop to PC B is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Step 4 Create an IPSec proposal on RouterA and RouterB.
# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
# Create the IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform          : esp-new
ESP protocol       : Authentication SHA1-HMAC-96
                     Encryption DES
Step 5 Create IPSec policies on RouterA and RouterB.
# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 manual
[Huawei-ipsec-policy-manual-map1-10] security acl 3101
[Huawei-ipsec-policy-manual-map1-10] proposal tran1
[Huawei-ipsec-policy-manual-map1-10] tunnel remote 202.138.162.1
[Huawei-ipsec-policy-manual-map1-10] tunnel local 202.138.163.1
[Huawei-ipsec-policy-manual-map1-10] sa spi outbound esp 12345
[Huawei-ipsec-policy-manual-map1-10] sa spi inbound esp 54321
[Huawei-ipsec-policy-manual-map1-10] sa string-key outbound esp abcdefg
[Huawei-ipsec-policy-manual-map1-10] sa string-key inbound esp gfedcba
[Huawei-ipsec-policy-manual-map1-10] quit
# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 manual
[Huawei-ipsec-policy-manual-use1-10] security acl 3101
[Huawei-ipsec-policy-manual-use1-10] proposal tran1
[Huawei-ipsec-policy-manual-use1-10] tunnel remote 202.138.163.1
[Huawei-ipsec-policy-manual-use1-10] tunnel local 202.138.162.1
[Huawei-ipsec-policy-manual-use1-10] sa spi outbound esp 54321
[Huawei-ipsec-policy-manual-use1-10] sa spi inbound esp 12345
[Huawei-ipsec-policy-manual-use1-10] sa string-key outbound esp gfedcba
[Huawei-ipsec-policy-manual-use1-10] sa string-key inbound esp abcdefg
[Huawei-ipsec-policy-manual-use1-10] quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec Policy Group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Tunnel local address: 202.138.163.1
Tunnel remote address: 202.138.162.1
Proposal name:tran1
Inbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Inbound ESP setting:
ESP SPI: 54321 (0xd431)
ESP string-key: gfedcba
ESP encryption hex key:
ESP authentication hex key:
Outbound AH setting:
AH SPI:
AH string-key:
AH authentication hex key:
Outbound ESP setting:
ESP SPI: 12345 (0x3039)
ESP string-key: abcdefg
ESP encryption hex key:
ESP authentication hex key:
Step 6 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
# Apply the IPSec policy to the interface of RouterB.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
Path MTU: 1500
===============================
----------------------------
IPsec policy name: "map1"
Sequence number: 10
Mode: Manual
----------------------------
Encapsulation mode: Tunnel
Tunnel local : 202.138.163.1
Tunnel remote: 202.138.162.1
[Outbound ESP SAs]
SPI: 12345 (0x3039)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
[Inbound ESP SAs]
SPI: 54321 (0xd431)
Proposal: ESP-ENCRYPT-DES-64 ESP-AUTH-SHA1
No duration limit for this SA
Step 7 Verify the configurations.
After the configurations are complete, PC A can ping PC B successfully. You can run the display
ipsec statistics esp command to view packet statistics.
----End
Configuration Files
- Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return
- Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return
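A manual SA only comes up when every parameter on one router mirrors its peer, so an offline cross-check of the two configuration files is worth having. The script below is an added example, not part of the Huawei guide: it embeds the RouterA and RouterB configuration files above as constructed strings, and the function names and field keys are its own, not AR1200 commands.

```python
"""Cross-check the two manual-SA IPSec policies configured above.

Added example, not part of the Huawei guide. It reads the RouterA and
RouterB configuration files shown in the example (constructed here as
strings) and reports any parameter that would stop the manual SAs from
matching: SPIs and string keys, tunnel endpoints, and ACL data flows.
"""
import re

ROUTER_A = """\
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec policy map1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.163.1
 tunnel remote 202.138.162.1
 sa spi inbound esp 54321
 sa string-key inbound esp gfedcba
 sa spi outbound esp 12345
 sa string-key outbound esp abcdefg
#
"""

ROUTER_B = """\
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec policy use1 10 manual
 security acl 3101
 proposal tran1
 tunnel local 202.138.162.1
 tunnel remote 202.138.163.1
 sa spi inbound esp 12345
 sa string-key inbound esp abcdefg
 sa spi outbound esp 54321
 sa string-key outbound esp gfedcba
#
"""

# (regex, key builder) pairs for the configuration lines that must agree between peers.
FIELDS = [
    (r"^ sa (spi|string-key) (inbound|outbound) esp (\S+)$", lambda m: (f"{m[1]}_{m[2]}", m[3])),
    (r"^ tunnel (local|remote) (\S+)$", lambda m: (f"tunnel_{m[1]}", m[2])),
    (r"^ rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)$", lambda m: ("flow", (m[1], m[2]))),
]

def manual_sa_params(cfg):
    """Flatten one router's manual-mode SA parameters into a dict."""
    params = {}
    for line in cfg.splitlines():
        for pattern, extract in FIELDS:
            m = re.match(pattern, line)
            if m:
                key, value = extract(m)
                params[key] = value
    return params

def mismatches(a, b):
    """List every way peer A's parameters fail to mirror peer B's (empty list = consistent)."""
    problems = []
    for kind in ("spi", "string-key"):  # A's outbound must equal B's inbound, and vice versa
        if a[f"{kind}_outbound"] != b[f"{kind}_inbound"]:
            problems.append(f"A outbound {kind} != B inbound {kind}")
        if a[f"{kind}_inbound"] != b[f"{kind}_outbound"]:
            problems.append(f"A inbound {kind} != B outbound {kind}")
    if (a["tunnel_local"], a["tunnel_remote"]) != (b["tunnel_remote"], b["tunnel_local"]):
        problems.append("tunnel local/remote addresses are not mirrored")
    if a["flow"] != tuple(reversed(b["flow"])):  # source/destination must be swapped on the peer
        problems.append("ACL data flows are not mirrored")
    return problems
```

Running mismatches() on the two files above returns an empty list; a single mistyped SPI on either side is reported by name, which is quicker than reading two display ipsec sa outputs side by side.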
3.6.2 Example for Configuring IKE Negotiation
IKE automatically establishes an SA and performs key exchange to improve efficiency of SA
establishment and ensure network security.
Networking Requirements
As shown in Figure 3-4, an IPSec tunnel is established between RouterA and RouterB. This
IPSec tunnel protects data flows between the subnet of PC A (10.1.1.x) and subnet of PC B
(10.1.2.x). The IPSec tunnel uses the ESP protocol, DES encryption algorithm, and SHA-1
authentication algorithm.
Figure 3-4 Network diagram for configuring IKE negotiation (diagram not reproduced: RouterA Eth 1/0/0 202.138.163.1/24 and RouterB Eth 1/0/0 202.138.162.1/24 are connected across the Internet by the IPSec tunnel; PC A 10.1.1.2/24 sits behind RouterA and PC B 10.1.2.2/24 behind RouterB)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure IP addresses for interfaces.
2. Configure an IKE proposal.
3. Specify the local host ID and IKE peer for IKE negotiation.
4. Configure Access Control Lists (ACLs) and define the data flows to be protected.
5. Configure static routes to peers.
6. Configure an IPSec proposal.
7. Configure IPSec policies and apply the ACLs and IPSec proposal to the IPSec policies.
8. Apply IPSec policies to interfaces.
Procedure
Step 1 Configure IP addresses for the interfaces on RouterA and RouterB.
# Assign an IP address to the interface of RouterA.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.163.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
# Assign an IP address to the interface of RouterB.
<Huawei> system-view
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ip address 202.138.162.1 255.255.255.0
[Huawei-Ethernet1/0/0] quit
Step 2 Create an IKE proposal on RouterA and RouterB.
# Create the IKE proposal on RouterA.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit
# Create the IKE proposal on RouterB.
[Huawei] ike proposal 1
[Huawei-ike-proposal-1] encryption-algorithm aes-cbc-128
[Huawei-ike-proposal-1] authentication-algorithm md5
[Huawei-ike-proposal-1] quit
Step 3 Configure local IDs and IKE peers on RouterA and RouterB.
# Configure the local ID and IKE peer on RouterA.
[Huawei] ike local-name huawei01
[Huawei] ike peer spub v1
[Huawei-ike-peer-spub] exchange-mode aggressive
[Huawei-ike-peer-spub] ike-proposal 1
[Huawei-ike-peer-spub] local-id-type name
[Huawei-ike-peer-spub] pre-shared-key huawei
[Huawei-ike-peer-spub] remote-name huawei02
[Huawei-ike-peer-spub] remote-address 202.138.162.1
[Huawei-ike-peer-spub] local-address 202.138.163.1
[Huawei-ike-peer-spub] quit
NOTE
In aggressive mode, if the value of local-id-type is name, configure the IP address of the remote peer
(remote-address x.x.x.x) on the local end.
# Configure the local ID and IKE peer on RouterB.
[Huawei] ike local-name huawei02
[Huawei] ike peer spua v1
[Huawei-ike-peer-spua] exchange-mode aggressive
[Huawei-ike-peer-spua] ike-proposal 1
[Huawei-ike-peer-spua] local-id-type name
[Huawei-ike-peer-spua] pre-shared-key huawei
[Huawei-ike-peer-spua] remote-name huawei01
[Huawei-ike-peer-spua] remote-address 202.138.163.1
[Huawei-ike-peer-spua] local-address 202.138.162.1
[Huawei-ike-peer-spua] quit
Run the display ike peer command on RouterA and RouterB to view the configuration of the
IKE peer. Take the display on RouterA as an example.
[Huawei] display ike peer name spub verbose
---------------------------------------
Peer name                  : spub
Exchange mode              : aggressive on phase 1
Pre-shared-key             : huawei
Proposal                   : 1
Local ID type              : Name
DPD                        : Disable
DPD mode                   : Periodic
DPD idle time              : 30
DPD retransmit interval    : 15
DPD retry limit            : 3
Peer Ip address            : 202.138.162.1
VPN name                   :
Local IP address           : 202.138.163.1
Remote name                : huawei02
Nat-traversal              : Disable
Configured IKE version     : Version one
----------------------------------------
Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected.
# Configure an ACL on RouterA.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[Huawei-acl-adv-3101] quit
# Configure an ACL on RouterB.
[Huawei] acl number 3101
[Huawei-acl-adv-3101] rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[Huawei-acl-adv-3101] quit
Step 5 Configure static routes to the peers on RouterA and RouterB.
# Configure a static route to the peer on RouterA. In this example, the next hop to PC B is 202.138.163.2.
[Huawei] ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
# Configure a static route to the peer on RouterB. In this example, the next hop to PC A is 202.138.162.2.
[Huawei] ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
Step 6 Create an IPSec proposal on RouterA and RouterB.
# Create the IPSec proposal on RouterA.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
# Create the IPSec proposal on RouterB.
[Huawei] ipsec proposal tran1
[Huawei-ipsec-proposal-tran1] encapsulation-mode tunnel
[Huawei-ipsec-proposal-tran1] transform esp
[Huawei-ipsec-proposal-tran1] esp encryption-algorithm des
[Huawei-ipsec-proposal-tran1] esp authentication-algorithm sha1
[Huawei-ipsec-proposal-tran1] quit
Run the display ipsec proposal command on RouterA and RouterB to view the configuration
of the IPSec proposal. Take the display on RouterA as an example.
[Huawei] display ipsec proposal
Number of Proposals: 1
IPsec proposal name: tran1
Encapsulation mode: Tunnel
Transform          : esp-new
ESP protocol       : Authentication SHA1-HMAC-96
                     Encryption DES
Step 7 Create IPSec policies on RouterA and RouterB.
# Create an IPSec policy on RouterA.
[Huawei] ipsec policy map1 10 isakmp
[Huawei-ipsec-policy-isakmp-map1-10] ike-peer spub
[Huawei-ipsec-policy-isakmp-map1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-map1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-map1-10] quit
# Create an IPSec policy on RouterB.
[Huawei] ipsec policy use1 10 isakmp
[Huawei-ipsec-policy-isakmp-use1-10] ike-peer spua
[Huawei-ipsec-policy-isakmp-use1-10] proposal tran1
[Huawei-ipsec-policy-isakmp-use1-10] security acl 3101
[Huawei-ipsec-policy-isakmp-use1-10] quit
Run the display ipsec policy command on RouterA and RouterB to view the configurations of
the IPSec policies. Take the display on RouterA as an example.
[Huawei] display ipsec policy
===========================================
IPsec policy group: "map1"
Using interface: {}
===========================================
Sequence number: 10
Security data flow: 3101
Peer name: spub
Perfect forward secrecy: None
Proposal name: tran1
IPsec SA local duration(time based): 3600 seconds
IPsec SA local duration(traffic based): 1843200 kilobytes
SA trigger mode: Automatic
Step 8 Apply the IPSec policies to the interfaces of RouterA and RouterB.
# Apply the IPSec policy to the interface of RouterA.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy map1
[Huawei-Ethernet1/0/0] quit
# Apply the IPSec policy to the interface of RouterB.
[Huawei] interface ethernet 1/0/0
[Huawei-Ethernet1/0/0] ipsec policy use1
[Huawei-Ethernet1/0/0] quit
Run the display ipsec sa command on RouterA and RouterB to view the configuration of the
IPSec SAs. Take the display on RouterA as an example.
[Huawei] display ipsec sa
===============================
Interface: Ethernet 1/0/0
path MTU: 1500
===============================
----------------------------
IPsec policy name: "map1"
sequence number: 10
mode: isakmp
----------------------------
Connection id: 3
encapsulation mode: tunnel
tunnel local : 202.138.163.1
tunnel remote: 202.138.162.1
[inbound ESP SAs]
spi: 1406123142 (0x53cfbc86)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436528/3575
max received sequence-number: 4
udp encapsulation used for nat traversal: N
[outbound ESP SAs]
spi: 3835455224 (0xe49c66f8)
proposal: ESP-ENCRYPT-DES ESP-AUTH-SHA1
sa remaining key duration (bytes/sec): 1887436464/3575
max sent sequence-number: 5
udp encapsulation used for nat traversal: N
Step 9 Verify the configurations.
After the configurations are complete, PC A can ping PC B successfully. The data transmitted
between PC A and PC B is encrypted.
Run the display ike sa command on RouterA, and the following information is displayed:
[Huawei] display ike sa
 Conn-ID  Peer             VPN   Flag(s)   Phase
 ---------------------------------------------------------
 14       202.138.162.1    0     RD|ST     1
 16       202.138.162.1    0     RD|ST     2

 Flag Description:
 RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
 HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP
----End
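The display ike sa output above is the quickest confirmation that negotiation completed: a READY (RD) entry is needed for phase 1 and for phase 2 with the same peer. The script below is an added example, not part of the Huawei guide; it parses that table (sample output constructed from the one above) and reports which phase is missing when the tunnel is not fully up. The function names and the troubleshooting hints are the example's own.

```python
"""Check `display ike sa` output for a complete IKE negotiation.

Added example, not part of the Huawei guide. It parses the table printed
by `display ike sa` (sample output constructed from the example above)
and reports whether a given peer has both a ready phase 1 and a ready
phase 2 SA, decoding the flag abbreviations the command prints.
"""
import re

# Flag abbreviations as listed in the command's own "Flag Description" block.
FLAG_NAMES = {
    "RD": "READY", "ST": "STAYALIVE", "RL": "REPLACED", "FD": "FADING",
    "TO": "TIMEOUT", "HRT": "HEARTBEAT", "LKG": "LAST KNOWN GOOD SEQ NO.",
    "BCK": "BACKED UP",
}

# Constructed from the display ike sa output shown on RouterA above.
SAMPLE_OUTPUT = """\
 Conn-ID  Peer             VPN   Flag(s)   Phase
 ---------------------------------------------------------
 14       202.138.162.1    0     RD|ST     1
 16       202.138.162.1    0     RD|ST     2
"""

# One SA row: numeric connection id, peer address, VPN, flag list, phase number.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d)\s*$")

def parse_ike_sa(output):
    """Return one dict per SA row; header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({
                "conn_id": int(m[1]), "peer": m[2], "vpn": m[3],
                "flags": set(m[4].split("|")), "phase": int(m[5]),
            })
    return rows

def tunnel_state(output, peer):
    """Return (fully_up, notes): fully_up is True only when phase 1 and phase 2 are READY."""
    ready = {1: False, 2: False}
    notes = []
    for sa in parse_ike_sa(output):
        if sa["peer"] != peer:
            continue
        if "RD" in sa["flags"]:
            ready[sa["phase"]] = True
        else:  # an SA that exists but is not ready: decode its flags for the operator
            names = ", ".join(FLAG_NAMES.get(f, f) for f in sorted(sa["flags"]))
            notes.append(f"conn {sa['conn_id']} phase {sa['phase']} not ready: {names}")
    if not ready[1]:
        notes.append("no ready phase 1 SA: compare IKE proposal, pre-shared-key and IDs on both peers")
    elif not ready[2]:
        notes.append("phase 1 up but no phase 2 SA: compare IPSec proposal and ACL data flows")
    return ready[1] and ready[2], notes
```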
Configuration Files
- Configuration file of RouterA
#
acl number 3101
 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei01
#
ike peer spub v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei02
 local-address 202.138.163.1
 remote-address 202.138.162.1
#
ipsec policy map1 10 isakmp
 security acl 3101
 ike-peer spub
 proposal tran1
#
ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
interface Ethernet1/0/0
 ip address 202.138.163.1 255.255.255.0
 ipsec policy map1
#
return
- Configuration file of RouterB
#
acl number 3101
 rule 5 permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal tran1
 esp authentication-algorithm sha1
#
ike proposal 1
 encryption-algorithm aes-cbc-128
 authentication-algorithm md5
#
ike local-name huawei02
#
ike peer spua v1
 exchange-mode aggressive
 pre-shared-key huawei
 ike-proposal 1
 local-id-type name
 remote-name huawei01
 local-address 202.138.162.1
 remote-address 202.138.163.1
#
ipsec policy use1 10 isakmp
 security acl 3101
 ike-peer spua
 proposal tran1
#
ip route-static 10.1.1.0 255.255.255.0 202.138.162.2
#
interface Ethernet1/0/0
 ip address 202.138.162.1 255.255.255.0
 ipsec policy use1
#
return