Home
/
Huawei
/
AR1200 Series
/
Configuration Manual

Huawei AR1200 Series, Configuration Manual, Page: 345 / 392

Share

Page: 345 / 392

Huawei AR1200 Series Configuration Manual Download Page 345

[Huawei-ipsec-profile-profile1]

quit

Step 7

Apply the IPSec profiles to the interfaces of RouterA and RouterB.

# Apply the IPSec profile to the interface of RouterA.

[Huawei]

interface tunnel 0/0/0

[Huawei-Tunnel0/0/0]

ip address 192.168.1.1 24

[Huawei-Tunnel0/0/0]

tunnel-protocol gre

[Huawei-Tunnel0/0/0]

source 202.138.163.1

[Huawei-Tunnel0/0/0]

destination 202.138.162.1

[Huawei-Tunnel0/0/0]

ipsec profile profile1

[Huawei-Tunnel0/0/0]

quit

# Apply the IPSec profile to the interface of RouterB.

[Huawei]

interface tunnel 0/0/0

[Huawei-Tunnel0/0/0]

ip address 192.168.1.2 24

[Huawei-Tunnel0/0/0]

tunnel-protocol gre

[Huawei-Tunnel0/0/0]

source 202.138.162.1

[Huawei-Tunnel0/0/0]

destination 202.138.163.1

[Huawei-Tunnel0/0/0]

ipsec profile profile2

Step 8

Verify the configuration.

Run the

display ipsec profile

command on RouterA and RouterB to view the configurations of

the IPSec profiles. Take the display on RouterA as an example.

[Huawei]

display ipsec profile

===========================================
IPSec profile : profile1
Using interface: Tunnel0/0/0
===========================================
IPSec Profile Name :profile1
Peer Name :spub
PFS Group :0 (0:Disable 1:Group1 2:Group2 5:Group5 14:Group14)
SecondsFlag :0 (0:Global 1:Local)
SA Life Time Seconds :3600
KilobytesFlag :0 (0:Global 1:Local)
SA Life Kilobytes :1843200
Number of IPSec Proposals :1
IPSec Proposals Name :tran1

----End

Configuration Files

l

Configuration file of RouterA

#
ipsec proposal tran1
transform ah-esp
ah authentication-algorithm sha1
esp authentication-algorithm sha1
esp encryption-algorithm 3des
#

ip route-static 10.1.2.0 255.255.255.0 202.138.163.2
#
ike proposal 1
dh group5
authentication-algorithm aes_xcbc_mac_96
prf aes_xcbc_128

#
ike peer spub v2
pre-shared-key huawei
ike-proposal 1
#

Huawei AR1200 Series Enterprise Routers
Configuration Guide - VPN

5 IPSec Configuration

Issue 01 (2012-04-20)

Huawei Proprietary and Confidential

Copyright © Huawei Technologies Co., Ltd.

334

«
...
343
344
345
346
347
...
»

Summary of Contents for AR1200 Series

Page 1: ...Huawei AR1200 Series Enterprise Routers V200R002C01 Configuration Guide VPN Issue 01 Date 2012 04 20 HUAWEI TECHNOLOGIES CO LTD ...

Page 2: ...be within the purchase scope or the usage scope Unless otherwise specified in the contract all statements information and recommendations in this document are provided AS IS without warranties guarantees or representations of any kind either express or implied The information in this document is subject to change without notice Every effort has been made in the preparation of this document to ensu...

Page 3: ...tes a hazard with a high level of risk which if not avoided will result in death or serious injury WARNING Indicates a hazard with a medium or low level of risk which if not avoided could result in minor or moderate injury CAUTION Indicates a potentially hazardous situation which if not avoided could result in equipment damage data loss performance degradation or unexpected results TIP Indicates a...

Page 4: ...um of all items can be selected x y Optional items are grouped in brackets and separated by vertical bars Several items or no item can be selected 1 n The parameter before the sign can be repeated 1 to n times A line starting with the sign is comments Interface Numbering Conventions Interface numbers used in this manual are examples In device configuration use the existing interface numbers on dev...

Page 5: ... 5 1 Establishing the Configuration Task 13 1 5 2 Enabling the Keepalive Function 14 1 5 3 Checking the Configuration 15 1 6 Maintaining GRE 16 1 6 1 Resetting the Statistics of a Tunnel Interface 16 1 6 2 Monitoring the Running Status of GRE 16 1 6 3 Debugging GRE 17 1 7 Configuration Examples 17 1 7 1 Example for Configuring a Static Route for GRE 17 1 7 2 Example for Configuring a Dynamic Routi...

Page 6: ... an MCE and a PE 53 2 4 6 Checking the Configuration 53 2 5 MCE Configuration Examples 54 2 5 1 Example for Configuring MCE 54 3 BGP MPLS IP VPN Configuration 61 3 1 Introduction to BGP MPLS IP VPN 63 3 2 BGP MPLS IP VPN Features Supported by the AR1200 63 3 3 Configuring a VPN Instance Enabled with the IPv4 Address Family 64 3 3 1 Establishing the Configuration Task 65 3 3 2 Creating a VPN Instan...

Page 7: ... 105 3 8 1 Establishing the Configuration Task 105 3 8 2 Enabling the Labeled IPv4 Route Exchange 106 3 8 3 Configuring a Routing Policy to Control Label Distribution 108 3 8 4 Establishing the MP EBGP Peer Relationship Between PEs 109 3 8 5 Configuring the Route Exchange Between CE and PE 111 3 8 6 Checking the Configuration 111 3 9 Configuring Inter AS VPN Option C Solution 2 112 3 9 1 Establish...

Page 8: ...136 3 15 3 Configuring the RR to Establish MP IBGP Connections with the Client PEs 137 3 15 4 Configuring Route Reflection for BGP IPv4 VPN routes 138 3 15 5 Checking the Configuration 139 3 16 Configuring Route Reflection to Optimize the VPN Access Layer 141 3 16 1 Establishing the Configuration Task 141 3 16 2 Configuring All Client CEs to Establish IBGP Connections with the RR 142 3 16 3 Config...

Page 9: ...g RADIUS Authentication on LAC Side 255 4 3 6 Checking the Configuration 257 4 4 Configuring LNS 258 4 4 1 Establishing the Configuration Task 258 4 4 2 Configuring an L2TP Connection on LNS 260 4 4 3 Optional Configuring User Authentication on LNS 260 4 4 4 Allocating Addresses to Access Users 261 4 4 5 Checking the Configuration 262 4 5 Adjusting L2TP Connection 263 4 5 1 Establishing the Config...

Page 10: ...Tunnel Interface 302 5 5 1 Establishing the Configuration Task 302 5 5 2 Configuring an IPSec Profile 303 5 5 3 Configuring an IPSec Tunnel Interface 304 5 5 4 Checking the Configuration 306 5 6 Establishing an IPSec Tunnel Using the Efficient VPN Policy 306 5 6 1 Establishing the Configuration Task 306 5 6 2 Configuring Client Mode 307 5 6 3 Configuring Network Mode 310 5 6 4 Verifying the Config...

Page 11: ... 364 7 2 SSL VPN Features Supported by the AR1200 365 7 3 Configuring Basic SSL VPN Functions 366 7 3 1 Establishing the Configuration Task 366 7 3 2 Creating a Virtual Gateway 367 7 3 3 Configuring Intranet and Extranet Interfaces 367 7 3 4 Binding an AAA Domain to the Virtual Gateway 368 7 3 5 Enabling Basic SSL VPN Functions 369 7 3 6 Checking the Configuration 370 7 4 Managing SSL VPN Users 37...

Page 12: ...data protection 1 3 Configuring GRE You can configure GRE only after a GRE tunnel is configured 1 4 Configuring a GRE Tunnel Between CE and PE Configuring a GRE tunnel between a CE and a PE enables the CE to access the public network through the GRE tunnel 1 5 Configuring the Keepalive Function Before configuring a tunnel policy and a GRE tunnel for the VPN enable the GRE tunnel Keepalive function...

Page 13: ...1200 GRE features supported by the AR1200 include the following enlargement of the operation scope of the network running a hop limited protocol and working in conjunction with the IP Security Protocol IPSec to compensate for the IPSec flaw in multicast data protection Enlarging the Operation Scope of the Network Running a Hop Limited Protocol If the hop count between two terminals in Figure 1 1 i...

Page 14: ...onment complete the pre configuration tasks and obtain the data required for the configuration Applicable Environment To set up a GRE tunnel create a tunnel interface first and configure the GRE functions on the tunnel interface If the tunnel interface is deleted all the configurations on the interface are deleted Pre configuration Tasks Before configuring an ordinary GRE tunnel complete the follo...

Page 15: ... gre The tunnel is encapsulated with GRE Step 4 Run source source ip address interface type interface number The source address or source interface of the tunnel is configured NOTE l The virtual IP address of the VRRP backup group can be configured as the source address of the GRE tunnel l The bridge if interface can not be configured as the source interface of the GRE tunnel The source interface ...

Page 16: ...tep 1 Run system view The system view is displayed Step 2 Choose one of the following methods to configure routes passing through the tunnel interface l Run the ip route static ip address mask mask length tunnel interface number description text command to configure a static route The static route must be configured on both ends of the tunnel In this command the destination address is neither the ...

Page 17: ... as an outbound interface for packets destined for the destination of the tunnel In addition a physical interface is prevented from forwarding user packets that should be forwarded through the tunnel Figure 1 3 Diagram of configuring the GRE dynamic routing protocol RouterA RouterC Tunnel0 0 1 Tunnel0 0 2 PC2 PC1 GE1 0 0 GE2 0 0 Backbone GE2 0 0 GE1 0 0 Tunnel End 1 3 4 Optional Configuring GRE Se...

Page 18: ...y interface tunnel interface number command to check tunnel interface information l Run the display ip routing table command to check the IPv4 routing table l Run the ping a source ip address host command to check whether the two ends of the tunnel can successfully ping each other End Example Run the display interface tunnel command If the tunnel interface is Up the configuration succeeds For exam...

Page 19: ...the destination tunnel succeeds Huawei ping a 40 1 1 1 40 1 1 2 PING 40 1 1 2 56 data bytes press CTRL_C to break Reply from 40 1 1 2 bytes 56 Sequence 1 ttl 255 time 24 ms Reply from 40 1 1 2 bytes 56 Sequence 2 ttl 255 time 33 ms Reply from 40 1 1 2 bytes 56 Sequence 3 ttl 255 time 48 ms Reply from 40 1 1 2 bytes 56 Sequence 4 ttl 255 time 33 ms Reply from 40 1 1 2 bytes 56 Sequence 5 ttl 255 ti...

Page 20: ...mber of the GRE tunnel interface specified on the PE 4 Source address or source interface and destination address of the GRE tunnel interface specified on the PE 5 Name of the VPN provided that it is also passed through by the GRE tunnel between the CE and PE 1 4 2 Configuring the GRE Tunnel Interface on CE After creating a tunnel interface on a CE specify GRE as the encapsulation type set the tun...

Page 21: ...is configured Step 6 Optional Run mtu mtu The interface MTU can be modified The new MTU takes effect only after you run the shutdown and the undo shutdown commands in succession on the interface Step 7 Choose one of the following commands to configure the IP address of the tunnel interface l Run the ip address ip address mask mask length sub command to configure the IP address of the tunnel interf...

Page 22: ...cal with the destination address of the tunnel specified on the CE The destination address of the tunnel specified on the PE is identical with the source address of the tunnel specified on the CE Step 5 Run destination ip address The destination address of the tunnel interface is configured Step 6 Optional Run mtu mtu The interface MTU is modified The new MTU takes effect only after you run the sh...

Page 23: ...not be bound to any VPN instance that is not enabled with an address family Disabling a VPN instance address family deletes the Layer 3 attributes such as the IP address and routing protocol of the tunnel interface bound to the VPN instance Disabling all VPN instance address families unbinds all the bound tunnel interfaces from the VPN instance Step 4 Choose one of the following commands to config...

Page 24: ...me 2008 03 04 19 17 30 300 seconds input rate 0 bits sec 0 packets sec 300 seconds output rate 0 bits sec 0 packets sec 0 seconds input rate 0 bits sec 0 packets sec 0 seconds output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 input error 0 packets output 0 bytes 0 output error Input bandwidth utilization Output bandwidth utilization 1 5 Configuring the Keepalive Function Before config...

Page 25: ... 2 Retry times of the unreachable timer 1 5 2 Enabling the Keepalive Function The GRE tunnel Keepalive function is unidirectional To implement the Keepalive function on both ends enable the Keepalive function on both ends of a GRE tunnel Context Perform the following steps on the router that requires the Keepalive function Procedure Step 1 Run system view The system view is displayed Step 2 Run in...

Page 26: ...e end l If the Keepalive function is enabled on the local end the local tunnel interface is set Down when the remote end is unreachable As a result the VPN does not select the unreachable GRE tunnel and the data is not lost End 1 5 3 Checking the Configuration After a GRE tunnel is enabled with the Keepalive function you can view the Keepalive packets and Keepalive Response packets sent and receiv...

Page 27: ...nd Keepalive Response packets sent and received by a GRE tunnel interface Procedure l Run the reset counters interface tunnel interface number command in the system view to reset statistics about the tunnel interface l Reset statistics about Keepalive packets on the tunnel interface 1 Run system view The system view is displayed 2 Run interface tunnel interface number The tunnel interface view is ...

Page 28: ...edure l Run the debugging tunnel keepalive command in the user view to debug the Keepalive function of the GRE tunnel End 1 7 Configuration Examples Familiarize yourself with the configuration procedures against the networking diagrams This section provides networking requirements configuration notes and configuration roadmap in configurations examples 1 7 1 Example for Configuring a Static Route ...

Page 29: ...he interface that receives the packet 5 Assign network addresses to the tunnel interfaces to enable the tunnel to support the dynamic routing protocol 6 Configure the static route between Router A and its connected PC and the static route between Router C and its connected PC to make the traffic between PC1 and PC2 transmitted through the GRE tunnel 7 Configure the egress of the static route as th...

Page 30: ...Router A as an example RouterA display ip routing table Route Flags R relay D download to fib Routing Tables Public Destinations 8 Routes 8 Destination Mask Proto Pre Cost Flags NextHop Interface 10 1 1 0 24 Direct 0 0 D 10 1 1 2 GigabitEthernet2 0 0 10 1 1 2 32 Direct 0 0 D 127 0 0 1 InLoopBack0 20 1 1 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 30 1 1 0 24 OSPF 10 2 D 20 1 1 2 GigabitEthernet1 0 0 1...

Page 31: ...twork segment of the remote user end through the tunnel interface Take Router A as an example RouterA display ip routing table Route Flags R relay D download to fib Routing Tables Public Destinations 11 Routes 11 Destination Mask Proto Pre Cost Flags NextHop Interface 10 1 1 0 24 Direct 0 0 D 10 1 1 2 GigabitEthernet2 0 0 10 1 1 2 32 Direct 0 0 D 127 0 0 1 InLoopBack0 10 2 1 0 24 Static 60 0 D 40 ...

Page 32: ...outerC interface GigabitEthernet1 0 0 ip address 30 1 1 2 255 255 255 0 interface GigabitEthernet2 0 0 ip address 10 2 1 2 255 255 255 0 interface Tunnel0 0 1 ip address 40 1 1 2 255 255 255 0 tunnel protocol gre source 30 1 1 2 destination 20 1 1 1 ospf 1 area 0 0 0 0 network 30 1 1 0 0 0 0 255 ip route static 10 1 1 0 255 255 255 0 Tunnel0 0 1 return 1 7 2 Example for Configuring a Dynamic Routi...

Page 33: ...20 1 1 2 24 GE1 0 0 30 1 1 2 24 GE2 0 0 30 1 1 1 24 GE2 0 0 10 2 1 2 24 OSPF 1 OSPF 2 PC1 PC2 Tunnel Configuration Roadmap The configuration roadmap is as follows 1 Configure IGP on each router in the backbone network to realize the interworking between these devices Here OSPF process 1 is used 2 Create the GRE tunnel between routers that are connected to PCs Then routers can communicate through t...

Page 34: ...a 0 0 0 0 network 10 2 1 0 0 0 0 255 RouterC ospf 2 area 0 0 0 0 quit RouterC ospf 2 quit Step 5 Verify the configuration After the configuration run the display ip routing table command on Router A and Router C You can find the OSPF route to the network segment of the remote user end through the tunnel interface Moreover the next hop to the destination physical address 30 1 1 0 24 of the tunnel i...

Page 35: ...k 10 1 1 0 0 0 0 255 return l Configuration file of Router B sysname RouterB interface GigabitEthernet1 0 0 ip address 20 1 1 2 255 255 255 0 interface GigabitEthernet2 0 0 ip address 30 1 1 1 255 255 255 0 ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 network 30 1 1 0 0 0 0 255 return l Configuration file of Router C sysname RouterC interface GigabitEthernet1 0 0 ip address 30 1 1 2 255 255 255 ...

Page 36: ...be encapsulated with GRE because IPSec cannot directly encrypt multicast packets Figure 1 7 Networking diagram of transmitting IPSec encrypted multicast packets through a GRE tunnel RouterA RouterC RouterB Tunnel0 0 1 40 1 1 1 24 Tunnel0 0 1 40 1 1 2 24 10 2 1 1 24 10 1 1 1 24 GE2 0 0 10 1 1 2 24 GE1 0 0 20 1 1 1 24 GE1 0 0 20 1 1 2 24 GE1 0 0 30 1 1 2 24 GE2 0 0 30 1 1 1 24 GE2 0 0 10 2 1 2 24 GR...

Page 37: ... ping GE1 0 0 of Router A Step 2 Configure the interfaces of the GRE tunnel Configure Router A RouterA interface tunnel0 0 1 RouterA Tunnel0 0 1 ip address 40 1 1 1 255 255 255 0 RouterA Tunnel0 0 1 tunnel protocol gre RouterA Tunnel0 0 1 source 20 1 1 1 RouterA Tunnel0 0 1 destination 30 1 1 2 RouterA Tunnel0 0 1 quit Configure Router C RouterC interface tunnel0 0 1 RouterC Tunnel0 0 1 ip address...

Page 38: ...terc pre shared key 12345 RouterA ike peer routerc remote name rtc RouterA ike peer routerc remote address 30 1 1 2 RouterA ike peer routerc quit Configure Router C RouterC ike local name rtc RouterC ike peer RouterA v1 RouterC ike peer routera exchange mode aggressive RouterC ike peer routera local id type name RouterC ike peer routera pre shared key 12345 RouterC ike peer routera remote name rta...

Page 39: ... A and Router C can be transmitted through the GRE tunnel encrypted with IPSec Step 6 On the source device and the destination device of the tunnel configure the tunnel to forward routes Configure Router A RouterA ip route static 10 2 1 0 255 255 255 0 tunnel 0 0 1 Configure Router C RouterC ip route static 10 1 1 0 255 255 255 0 tunnel 0 0 1 Step 7 Verify the configuration After PC1 and PC2 succe...

Page 40: ...remote 20 1 1 1 inbound ESP SAs spi 1720763150 0x6690c30e proposal ESP ENCRYPT DES ESP AUTH MD5 sa remaining key duration bytes sec 1887434624 3041 max received sequence number 32 udp encapsulation used for nat traversal N outbound ESP SAs spi 2970386335 0xb10c7f9f proposal ESP ENCRYPT DES ESP AUTH MD5 sa remaining key duration bytes sec 1887434112 3041 max sent sequence number 33 udp encapsulatio...

Page 41: ...ddress 20 1 1 2 255 255 255 0 interface GigabitEthernet2 0 0 ip address 30 1 1 1 255 255 255 0 ospf 1 area 0 0 0 0 network 20 1 1 0 0 0 0 255 network 30 1 1 0 0 0 0 255 return l Configuration file of Router C sysname RouterC ike local name rtc multicast routing enable acl number 3000 rule 5 permit gre source 30 1 1 2 0 0 0 0 destination 20 1 1 1 0 0 0 0 ike peer routera v1 exchange mode aggressive...

Page 42: ...network In this networking the PE is indirectly connected to the CE thus no physical interface can be bound to the VPN instance on the PE Then a GRE tunnel over the public network is required between the CE and PE and the GRE tunnel is required to be bound to the VPN instance on the PE This allows the CE to access the VPN through the GRE tunnel Networking Requirements As shown in Figure 1 8 l rout...

Page 43: ... 11 1 1 1 24 CE2 GE2 0 0 41 1 1 2 24 Configuration Roadmap PE1 and CE1 are indirectly connected So the VPN instance on PE1 cannot be bound to the physical interface on PE1 In such a situation a GRE tunnel is required between CE1 and PE1 vpn1 on PE1 can then be bound to the GRE tunnel and CE1 can access the VPN through the GRE tunnel The configuration roadmap is as follows 1 Configure OSPF10 on PE1...

Page 44: ...E1 CE1 interface tunnel0 0 1 CE1 Tunnel0 0 1 ip address 2 2 2 1 255 255 255 0 CE1 Tunnel0 0 1 tunnel protocol gre CE1 Tunnel0 0 1 source 30 1 1 1 CE1 Tunnel0 0 1 destination 50 1 1 2 Configure PE1 PE1 interface tunnel0 0 1 PE1 Tunnel0 0 1 ip address 2 2 2 2 255 255 255 0 PE1 Tunnel0 0 1 tunnel protocol gre PE1 Tunnel0 0 1 source 50 1 1 2 PE1 Tunnel0 0 1 destination 30 1 1 1 After the configuration...

Page 45: ...ity 50 0000 0000 0004 00 CE2 isis 50 quit CE2 interface gigabitethernet1 0 0 CE2 GigabitEthernet1 0 0 isis enable 50 CE2 GigabitEthernet1 0 0 quit CE2 interface gigabitethernet2 0 0 CE2 GigabitEthernet2 0 0 isis enable 50 CE2 GigabitEthernet2 0 0 quit Configure PE2 PE2 isis 50 vpn instance vpn1 PE2 isis 50 network entity 50 0000 0000 0003 00 PE2 isis 50 quit PE2 interface gigabitethernet2 0 0 PE2 ...

Page 46: ...ress CTRL_C to break Reply from 41 1 1 2 bytes 56 Sequence 1 ttl 253 time 190 ms Reply from 41 1 1 2 bytes 56 Sequence 2 ttl 253 time 110 ms Reply from 41 1 1 2 bytes 56 Sequence 3 ttl 253 time 110 ms Reply from 41 1 1 2 bytes 56 Sequence 4 ttl 253 time 110 ms Reply from 41 1 1 2 bytes 56 Sequence 5 ttl 253 time 100 ms 41 1 1 2 ping statistics 5 packet s transmitted 5 packet s received 0 00 packet...

Page 47: ...1 1 255 255 255 0 ospf 20 area 0 0 0 0 network 30 1 1 0 0 0 0 255 network 50 1 1 0 0 0 0 255 return l Configuration file of PE1 sysname PE1 ip vpn instance vpn1 route distinguisher 100 1 vpn target 111 1 export extcommunity vpn target 111 1 import extcommunity mpls lsr id 1 1 1 9 mpls lsp trigger all mpls ldp isis 50 vpn instance vpn1 network entity 50 0000 0000 0002 00 import route bgp interface ...

Page 48: ...twork 50 1 1 0 0 0 0 255 return l Configuration file of PE2 sysname PE2 ip vpn instance vpn1 route distinguisher 200 1 vpn target 111 1 export extcommunity vpn target 111 1 import extcommunity mpls lsr id 3 3 3 9 mpls lsp trigger all mpls ldp isis 50 vpn instance vpn1 network entity 50 0000 0000 0003 00 import route bgp interface GigabitEthernet1 0 0 ip address 110 1 1 2 255 255 255 0 mpls mpls ld...

Page 49: ...he Keepalive Function for GRE This section provides an example for configuring the Keepalive function of the GRE tunnel In this manner the VPN does not select the GRE tunnel that cannot reach the remote end and data loss can be avoided Networking Requirements As shown in Figure 1 9 Router A and Router B are configured with the GRE protocol The two ends of the GRE tunnel need be configured with the...

Page 50: ...erA Tunnel0 0 1 quit Step 3 Configure a tunnel on Router B and enable the Keepalive function RouterB system view RouterB interface tunnel 0 0 1 RouterB Tunnel0 0 1 ip address 40 1 1 2 255 255 255 0 RouterB Tunnel0 0 1 source 30 1 1 2 RouterB Tunnel0 0 1 destination 20 1 1 1 RouterB Tunnel0 0 1 keepalive period 20 retry times 3 RouterB Tunnel0 0 1 quit Step 4 Verify the configuration The tunnel int...

Page 51: ... debug GRE_FWD Receive the resp onse keepalive packet on mainboard successfully keepalive finished RouterA May 18 2011 11 36 15 120 3 00 00 AR1220 TUNNEL 7 debug GRE_KEEP_NSR Mainboard s end mbuf to slaveboard when RECEIVE response packet End Configuration Files l Configuration file of Router A sysname RouterA interface GigabitEthernet1 0 0 ip address 20 1 1 1 255 255 255 0 interface Tunnel0 0 1 i...

Page 52: ...guring a VPN Instance This section describes how to configure a VPN instance 2 3 Configuring a Route Multi Instance Between an MCE and a Site This section describes how to configure static routes RIP OSPF IS IS and BGP between an MCE and a site 2 4 Configuring a Route Multi Instance Between an MCE and a PE This section describes how to configure static routes RIP OSPF IS IS and BGP between an MCE ...

Page 53: ...f the data and network costs in a VPN MCE isolates services of different VPNs by binding VLANIF interfaces to VPNs and creating and maintaining an independent multi VRF table for each VPN Figure 2 1 Typical MCE networking diagram CE MCE Service provider s backbone CE VPN 1 Site Site Site Site VPN 1 VPN 2 PE PE PE P P P P VPN 2 Basic Concepts l CE An edge device that is located in a user network A ...

Page 54: ... be run between an MCE and a PE and between an MCE and a site including static routes the Routing Information Protocol RIP the Open Shortest Path First OSPF the Intermediate System to Intermediate System IS IS and BGP Multiple Routing Protocols Run Between an MCE and a PE When the AR1200 functions as an MCE multiple routing protocols can be run between the AR1200 and a PE including l Static routes...

Page 55: ...need the following data No Data 1 Name of the VPN instance 2 Route Distinguisher RD of the VPN instance 3 Optional Description of the VPN instance 4 Optional Maximum number of routes supported by the VPN instance 5 ID of the VLAN corresponding to the VPN instance 2 2 2 Creating a VPN instance Context Do as follows on the MCE You need to perform similar configurations on the PE however configuratio...

Page 56: ...s supported by the VPN instance By default the maximum number of routes supported by a VPN instance is not set To prevent excessive routes from being imported set the maximum number of routes supported by a VPN instance End 2 2 3 Binding an Interface with a VPN Instance After associating an interface with a VPN instance you can change the interface to a VPN interface As a result packets that pass ...

Page 57: ...te 2011 09 10 16 58 42 Up time 0 days 21 hours 42 minutes and 10 seconds Log Interval 5 2 3 Configuring a Route Multi Instance Between an MCE and a Site This section describes how to configure static routes RIP OSPF IS IS and BGP between an MCE and a site For configuring a route multi instance between an MCE and a site 2 3 2 Optional Configuring a Static Route Between an MCE and a Site to Optional...

Page 58: ...n MCE and a PE cost of the imported route metric of the imported route tag in the external Link State Advertisement LSA of the imported route and name of the routing policy during route importing 5 Optional IS IS process number Network Entity Title NET of the IS IS process number of the VLANIF interface bound to the VPN instance type and process number of the routing protocol run between an MCE an...

Page 59: ...ter the RIP view Step 3 Run the network network address command to enable RIP routes on the network segment where the IP address of the interface bound to the VPN instance belongs Step 4 Optional Run the import route static direct rip ospf isis process id cost cost route policy route policy name command to import routes from other routing protocols If another routing protocol is run between an MCE...

Page 60: ...ance Step 3 Run the isis enable process id command to enable IS IS on the interface By default IS IS is disabled on a VLANIF interface Step 4 Run the isis process id vpn instance vpn instance name command to create an IS IS process used by a VPN instance and enter the IS IS view Step 5 Run the network entity net command to configure an NET By default no NET is configured for an IS IS process Step ...

Page 61: ...d a PE are optional and can be configured as required 2 4 1 Establishing the Configuration Task Applicable Environment To connect a CE to multiple VPNs and isolate services of these VPNs you need to configure MCE functions Before configuring MCE functions you need to perform the task of 2 2 Configuring a VPN Instance on the MCE and PE and then configure a route multi instance between the MCE and P...

Page 62: ...or storing the imported route 6 Optional AS number IP address of the interface connecting a CE and an MCE type and process number of the routing protocol run between an MCE and a site MED of the imported route and name of the routing policy during route importing 2 4 2 Optional Configuring a Static Route Between an MCE and a PE Context Do as follows on the MCE You can use a static route on a PE an...

Page 63: ...igurations on a PE For details refer to manuals of corresponding products Procedure Step 1 Run the system view command to enter the system view Step 2 Run the ospf process id router id router id vpn instance vpn instance name command to create an OSPF process used by a VPN instance and enter the OSPF view NOTE In this step you must specify vpn instance vpn instance name Step 3 Optional Run the imp...

Page 64: ...g tag route policy route policy name level 1 level 2 level 1 2 command to import routes from other routing protocols If another routing protocol is run between an MCE and a site in this VPN you need to perform this step End 2 4 6 Checking the Configuration Run the display ip routing table vpn instance command on the PE and you can find the routes to the local VPN Take Huawei Huawei AR1200 Series a...

Page 65: ...en the MCE CE3 and CE4 l OSPF is run between the MCE and PE2 It is required that route isolation between VPNs be implemented on the MCE and routes of VPNs be advertised to the PE2 through OSPF Figure 2 2 Networking diagram for configuring MCE vpnb vpna vpna 192 168 2 0 24 vpnb 192 168 1 0 24 BGP MPLS IP VPN CE1 CE2 CE4 CE3 MCE PE1 PE2 Eth0 0 1 Eth0 0 3 Eth0 0 1 Eth0 0 4 Eth0 0 1 VLAN10 VLAN20 VLAN...

Page 66: ...port default vlan 30 MCE Ethernet0 0 1 quit MCE interface ethernet 0 0 2 MCE Ethernet0 0 2 port link type access MCE Ethernet0 0 2 port default vlan 40 MCE Ethernet0 0 2 quit MCE interface ethernet 0 0 3 MCE Ethernet0 0 3 port link type trunk MCE Ethernet0 0 3 port trunk allow pass vlan 10 MCE Ethernet0 0 3 quit MCE interface ethernet 0 0 4 MCE Ethernet0 0 4 port link type trunk MCE Ethernet0 0 4 ...

Page 67: ... vpn instance vpna quit PE2 ip vpn instance vpnb PE2 vpn instance vpnb route distinguisher 100 2 PE2 vpn instance vpnb quit Bind VPN instances to sub interfaces on PE2 and assign IP addresses to the sub interfaces PE2 interface gigabitethernet 0 0 1 PE2 GigabitEthernet0 0 1 ip binding vpn instance vpnb PE2 GigabitEthernet0 0 1 ip address 172 18 1 1 255 255 0 0 PE2 GigabitEthernet0 0 1 quit PE2 int...

Page 68: ...RIP routes on the MCE MCE ospf 100 MCE ospf 100 import route rip 100 MCE ospf 100 quit MCE ospf 200 MCE ospf 200 import route rip 200 5 Verify the configuration After the configuration run the display ip routing table vpn instance command on the MCE and you can view the routes to the local VPN Take vpnb as an example MCE display ip routing table vpn instance vpnb Route Flags R relay D download to ...

Page 69: ...e Vlanif20 ip binding vpn instance vpna ip address 172 17 1 2 255 255 0 0 interface Vlanif30 ip binding vpn instance vpnb ip address 172 18 1 2 255 255 0 0 interface Vlanif40 ip binding vpn instance vpna ip address 172 19 1 2 255 255 0 0 interface Ethernet0 0 1 port link type access port default vlan 30 interface Ethernet0 0 2 port link type access port default vlan 40 interface Ethernet0 0 3 port...

Page 70: ...55 0 0 ospf 100 vpn instance vpna vpn instance capability simple area 0 0 0 0 network 172 19 0 0 0 0 255 255 ospf 200 vpn instance vpnb vpn instance capability simple area 0 0 0 0 network 172 18 0 0 0 0 255 255 return NOTE The following lists only configuration files related to the MCE For details on configuring BGP or MPLS IP VPN refer to manuals of corresponding devices l Configuration file of C...

Page 71: ...17 1 1 255 255 0 0 interface Ethernet0 0 1 port trunk allow pass vlan 20 rip 100 version 2 network 172 17 0 0 network 192 168 2 0 import route direct return Huawei AR1200 Series Enterprise Routers Configuration Guide VPN 2 MCE Configuration Issue 01 2012 04 20 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 60 ...

Page 72: ...e SP s MPLS backbone network that does not span multiple ASs The role of each PE P or CE of the basic BGP MPLS IP VPN is unique For example a router cannot function as both a PE and a CE 3 5 Configuring Hub and Spoke In the Hub and Spoke networking an access control device is specified in the VPN and users communicate with each other through the access control device 3 6 Configuring Inter AS VPN O...

Page 73: ...tween another CE and the PE 3 14 Configuring VPN FRR In the networking of CE dual homing you can configure VPN FRR to ensure the end to end VPN service fast switchover if the PE fails 3 15 Configuring Route Reflection to Optimize the VPN Backbone Layer Using an RR can reduce the number of MP IBGP connections between PEs This not only reduces the burden of PEs but also facilitates network maintenan...

Page 74: ...k which has one or more interfaces directly connected to the service provider network A CE can be a router a switch or a host Usually CEs cannot sense the existence of the VPN and do not need to support MPLS l A Provider Edge PE is an edge device on the provider network which is directly connected to the CE In the MPLS network PEs perform all the VPN related processing l A Provider P is a backbone...

Page 75: ...lti VPN Instance CE The Multi VPN Instance CE can be configured to improve the routing capability of the LAN solve the security problem of the LAN at a low cost and ensure that the LAN services are safely differentiated Currently LAN services can be differentiated by utilizing VLAN switches but they have a weak routing capability l VPN and Internet interworking The AR1200 supports the interworking...

Page 76: ...licies The inbound routing policy is used to filter the routes imported into the VPN instance IPv4 address family and the outbound routing policy is used to filter the routes advertised to other PEs Pre configuration Tasks Before configuring a VPN instance enabled with an IPv4 address family complete the following tasks l Configuring routing policies if import or export routing policies need to be...

Page 77: ...n the PE Step 3 Optional Run description description information The description of the VPN instance is configured The description of a VPN instance functions the same as the description of a host name or an interface It is recommended that the proper description be configured Step 4 Optional Run service id service id A service ID is set for the VPN instance A service ID identifies a specific VPN ...

Page 78: ...ed or deleted Delete a VPN instance or disable the VPN instance IPv4 address family before changing or deleting the RD of the VPN instance IPv4 address family Step 5 Run vpn target vpn target 1 8 both export extcommunity import extcommunity The VPN target extended community attribute for the VPN instance is created The VPN target is the extended community attribute of the Border Gateway Protocol B...

Page 79: ...tance IPv4 address family to avoid importing too many prefixes from the CE Step 8 Optional Run limit log interval interval The frequency of displaying logs when the number of routes exceeds the threshold is configured Step 9 Optional Run import route policy policy name The inbound routing policy of the VPN instance IPv4 address family is configured Step 10 Optional Run export route policy policy n...

Page 80: ...ocal device including RD attributes and other attributes Prerequisites The functions of the VPN instance enabled with IPv4 address family are fully configured Procedure l Run the display ip vpn instance verbose vpn instance name command to check detailed information about the VPN instance including information about the IPv4 address family l Run the display ip vpn instance vpn instance name comman...

Page 81: ...rs to a VPN that is established on one SP s MPLS backbone network that does not span multiple ASs The role of each PE P or CE of the basic BGP MPLS IP VPN is unique For example a router cannot function as both a PE and a CE 3 4 1 Establishing the Configuration Task Before configuring the basic BGP MPLS IP VPN familiarize yourself with the applicable environment complete the pre configuration tasks...

Page 82: ...n the tunnel policy l Configuring the IP address for the CE interface that is connected to the PE Data Preparation To configure basic BGP MPLS IP VPN you need the following data No Data 1 Data for configuring a VPN instance l Name of the VPN instance l Optional Description of the VPN instance l RD VPN target attribute of the VPN instance IPv4 address families l Optional Routing policy used to cont...

Page 83: ...d to the VPN instance NOTE The running of the ip binding vpn instance command on an interface can delete the Layer 3 attributes such as the IP address and routing protocol If these Layer 3 attributes are still required configure them again An interface cannot be bound to a VPN instance that is not enabled with an address family Disabling an address family of a VPN instance deletes the Layer 3 attr...

Page 84: ...router ID for a BGP VPN instance IPv4 address family are as follows l If the loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the IPv4 address family the largest IP address among the IP addresses of the loopback interfaces is selected as the router ID l If no loopback interfaces configured with IP addresses are bound to the VPN instance enabled with the I...

Page 85: ...mask IP addresses of the loopback interfaces must be used to establish the MP IBGP peer relationship between PEs This can ensure that the tunnel can be iterated The route destined to the loopback interface is advertised to the remote PE based on IGP on the MPLS backbone network Step 5 Run ipv4 family vpnv4 The BGP VPNv4 sub address family view is displayed Step 6 Run peer ipv4 address enable The V...

Page 86: ...simulated as multiple BGP devices logically In this case you can run the as number command to configure an AS number for each VPN instance IPv4 address family NOTE The AS number configured in the BGP VPN instance IPv4 address family view cannot be the same as the AS number configured in the BGP view 5 Run peer ipv4 address as number as number The CE is specified as the peer of the VPN 6 Optional R...

Page 87: ...sent from a CE and advertises the route to other PE peers Before advertising the VPN route to the connected CE the PE peers check the SoO attribute carried in the VPN route If the PE peers find that this SoO attribute is the same as the locally configured SoO attribute the PE peers do not advertise this VPN route to the connected CE 9 Optional Run peer ip address allow as loop number The loop is a...

Page 88: ...ops 5 Run import route direct static rip process id ospf process id isis process id med med route policy route policy name Routes of the local site are imported The CE must advertise the reachable VPN segment addresses to the attached PE Through the PE the addresses are advertised to the remote CEs In applications the types of routes to be imported may be different l Configure IBGP between a PE an...

Page 89: ...TE The PE can automatically learn the direct route to the local CE The route has a higher priority than the direct route that is advertised by IBGP Therefore if this step is not performed the PE does not advertise the direct route to the remote PE using MP BGP Perform the following steps on the CE 1 Run system view The system view is displayed 2 Run bgp as number The BGP view is displayed 3 Run pe...

Page 90: ...E The CE is configured with RIPv1 or RIPv2 The configurations are common therefore not mentioned here NOTE For details see Huawei AR1200 Series Enterprise Routers Configuration Guide IP Routing 1 Run system view The system view is displayed 2 Run rip process id vpn instance vpn instance name The RIP instance is created between the PE and the CE and the RIP view is displayed A RIP process belongs t...

Page 91: ...with OSPF The configurations are common therefore not mentioned here NOTE For details see Huawei AR1200 Series Enterprise Routers Configuration Guide IP Routing 1 Run system view The system view is displayed 2 Run ospf process id router id router id vpn instance vpn instance name The OSPF instance is created between the PE and the CE and the OSPF view is displayed An OSPF process belongs to only o...

Page 92: ... of the tag value are fixed as 0xD000 and the last two bytes are the local AS number by default That is the tag value equals 3489660928 plus the local AS number 5 Run import route bgp cost cost route policy route policy name tag tag type type The BGP route is imported 6 Run area area id The OSPF area view is displayed 7 Run network ip address wildcard mask OSPF is run on the network segment where ...

Page 93: ...rise Routers Configuration Guide IP Routing 1 Run system view The system view is displayed 2 Run isis process id vpn instance vpn instance name The IS IS instance between the CE and the PE is created and the IS IS view is displayed An IS IS process belongs to only one VPN instance If you run an IS IS process without binding it to a VPN instance this process is considered as a public network proces...

Page 94: ...VPN instance IPv4 address family view is displayed 12 Run import route isis process id med med route policy route policy name The IS IS route is imported into the routing table of the BGP VPN instance IPv4 address family NOTE After the VPN instance is deleted or the IPv4 address family of the VPN instance is disabled all IS IS processes are deleted End 3 4 7 Checking the Configuration After config...

Page 95: ... and users communicate with each other through the access control device 3 5 1 Establishing the Configuration Task Before configuring Hub and Spoke networking familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can help you complete the configuration task quickly and accurately Applicable Environment If all the users are requi...

Page 96: ...ction describes how to configure a VPN instance to manage VPN routes Context Configure the VPN instance on each Spoke PE and Hub PE Every Spoke PE is configured with a VPN instance while each Hub PE is configured with the following two VPN instances l VPN in receives and maintains all the VPNv4 routes advertised by all the Spoke PEs l VPN out maintains the routes of all the Hub stations and Spoke ...

Page 97: ...lert The maximum number of routes of the VPN instance IPv4 address family is configured You can define the maximum number of routes for a VPN instance IPv4 address family to avoid importing excessive routes NOTE If the routing table limit command is run the system gives a prompt when the number of routes injected into the routing table of the VPN instance IPv4 address family exceeds the upper limi...

Page 98: ...yed 4 Run vpn target vpn target1 1 8 import extcommunity The VPN target extended community for the VPN instance IPv4 address family is created to import the IPv4 routes advertised by all the Spoke PEs vpn target1 lists the Export VPN targets advertised by all the Spoke PEs 5 Optional Run import route policy policy name The import routing policy of the VPN instance IPv4 address family is configured...

Page 99: ...d 4 Run vpn target vpn target2 1 8 import extcommunity The VPN target extended community for the VPN instance IPv4 address family is created to import the IPv4 routes advertised by all the Hub PEs vpn target2 should be included in the export VPN target list of the Hub PE 5 Run vpn target vpn target1 1 8 export extcommunity The VPN target extended community for the VPN instance IPv4 address family ...

Page 100: ...n instance name The interface is bound with the VPN instance NOTE Running the ip binding vpn instance command on an interface can delete the Layer 3 attributes such as the IP address and routing protocol If these Layer 3 attributes are still required configure them again An interface cannot be bound to a VPN instance that is not enabled with an address family Disabling an address family of a VPN i...

Page 101: ... unicast The BGP VPNv4 address family view is displayed Step 6 Run peer ipv4 address enable The VPN IPv4 routing information is exchanged between the peers End 3 5 6 Configuring Route Exchange Between PE and CE The routing protocol between a PE and a CE can be EBGP static route or IGP You can choose any of them as required in the configuration process Context The Hub PE and the Hub CE can exchange...

Page 102: ...ke CE If the Hub CE uses the default route to access the Hub PE to advertise the default route to all the Spoke PEs perform the following steps on the Hub PE 1 Run system view The system view is displayed 2 Run ip route static vpn instance vpn source name 0 0 0 0 0 0 0 0 nexthop address preference preference tag tag description text Here vpn instance name refers to the VPN out nexthop address is t...

Page 103: ... successful Additionally the Hub CE and all the Spoke CEs have routes to the Hub and all the Spoke stations Huawei display ip routing table Total Number of Routes 6 BGP Local router ID is 100 1 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 100 1 1 0 24 0 0 0 0 0 0 100 1 1 2 0 0 100 100 1 1 1 ...

Page 104: ...Option A therefore requires high performance of the ASBRs No inter AS configuration is needed on the ASBRs Pre configuration Tasks Before configuring inter AS VPN Option A complete the following tasks l Configuring IGP for MPLS backbone networks in each AS to keep IP connectivity of the backbones in one AS l Enabling MPLS and MPLS LDP on the PE and the ASBR l Setting up the tunnel LSP or GRE betwe...

Page 105: ...g the peer ASBR as its CE Step 3 Configuring VPN instances for the PE and the ASBR separately The VPN instance for PE is used to access CE that for ASBR is used to access its peer ASBR NOTE In inter AS VPN Option A mode for the same VPN the VPN targets of ASBR and the PE VPN instance must be matched in an AS This is not required for the PEs in different ASs End 3 6 3 Checking the Configuration Aft...

Page 106: ...ting table Local AS number 100 BGP Local router ID is 2 2 2 9 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Total number of routes from all PE 5 Route Distinguisher 100 1 Network NextHop MED LocPrf PrefVal Path Ogn i 10 1 1 0 24 1 1 1 9 0 100 0 Route Distinguisher 100 2 Network NextHop MED LocPrf PrefVal Path Ogn 10 2 1 0 24 192 1 1 2 0 20...

Page 107: ...bearing VPN routes crosses multiple ASs the inter AS VPN is needed If the ASBR can manage VPN routes but there are not enough interfaces for each inter AS VPN the inter AS VPN Option B is adopted In this option the ASBR is involved in maintaining and advertising VPN IPv4 routes Pre configuration Tasks Before configuring inter AS VPN Option B complete the following tasks l Configuring IGP for MPLS ...

Page 108: ... peer between the PE and ASBR 3 7 2 Configuring MP IBGP Between PEs and ASBRs in the Same AS By importing extended community attributes to BGP MP IBGP can advertise VPNv4 routes between the PE and the ASBR Context Perform the following steps on the PE and ASBR in the same AS Procedure Step 1 Run system view The system view is displayed Step 2 Run bgp as number The BGP view is displayed Step 3 Run ...

Page 109: ...PE End 3 7 3 Configuring MP EBGP Between ASBRs in Different ASs After the MP EBGP peer relationship is established between ASBRs either ASBR can advertise the VPNv4 routes of its AS to the other ASBR Context Perform the following steps on the ASBR Procedure Step 1 Run system view The system view is displayed Step 2 Run interface interface type interface number The view of the interface connected w...

Page 110: ... 3 7 4 Controlling the Receiving and Sending of VPN Routes by Using Routing Policies An ASBR can either save all VPNv4 routes or partial VPNv4 routes by filtering VPN targets through a routing policy Context The following describes two methods for controlling the receiving and sending of VPN routes l Without VPN Target Filtering Without the filtering method the ASBR stores all the VPN IPv4 routes ...

Page 111: ... VPN target filtering l VPN Target Filtering Perform the following steps on the ASBR 1 Run system view The system view is displayed 2 Run ip extcommunity filter basic extcomm filter num basic basic extcomm filter name advanced extcomm filter num advanced advanced extcomm filter name permit deny rt as number nn ipv4 address nn 1 16 The extended community filter is configured 3 Run route policy rout...

Page 112: ...name A VPN instance is created and the VPN instance view is displayed Step 3 Run ipv4 family The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address family view is displayed Step 4 Run route distinguisher route distinguisher The RD of the VPN instance IPv4 address family is configured Step 5 Run vpn target vpn target 1 8 import extcommunity The VPN target extended...

Page 113: ... The export routing policy of the VPN instance IPv4 address family is configured End 3 7 6 Optional Enabling Next Hop based Label Allocation on the ASBR To save label resources on an ASBR you can enable next hop based label allocation on the ASBR Note that next hop based label allocation and one label per instance need to be used together on the ASBR Context In a VPN Option B scenario after next h...

Page 114: ...d 3 7 8 Checking the Configuration After configuring inter AS VPN Option B you can view information about all the BGP peer relationships and VPNv4 routes on PEs or ASBRs Prerequisites The configurations of the inter AS VPN Option B function are complete Procedure l Run the display bgp vpnv4 all peer command to check the VPN IPv4 routing table on the PE or ASBR l Run the display bgp vpnv4 all routi...

Page 115: ...1 32 0 0 0 0 0 0 Run the display bgp vpnv4 all peer command on the PE or ASBR If the status of the IBGP peer between the PE and ASBR in the same AS is Established and the status of the EBGP peer between ASBRs in the different AS is Established the configuration is successful Huawei display bgp vpnv4 all peer BGP local router ID 10 1 1 1 Local AS number 100 Total number of peers 1 Peers in establis...

Page 116: ...e ASs the inter AS VPN is needed If each AS needs to exchange a large number of VPN routes inter AS VPN Option C is a good choice to prevent the ASBR from becoming a bottleneck that impedes network expansion Two solutions can be adopted to realize inter AS VPN Option C l Solution 1 After learning the labeled BGP routes of the public network in the remote AS from the remote ASBR the local ASBR allo...

Page 117: ...e connected with the CE 3 AS number of the PE 4 IP addresses of the interfaces connected the ASBRs 5 Routing policy configured on the ASBR 6 Routing protocol configured between the PE and CE static routes RIP OSPF IS IS or BGP 7 IP addresses and interfaces setting up the IBGP peer between the PE and ASBR NOTE In inter AS VPN Option C do not enable LDP between ASBRs If LDP is enabled on the interfa...

Page 118: ...dress label route capability The exchange of the labeled IPv4 routes with the PE of the same AS is enabled In the Option C solution establish an inter AS VPN LSP The related PEs and ASBRs exchange public network routes with the MPLS labels The ASBR establishes a common EBGP peer relationship with the remote ASBR to switch labeled IPv4 routes The public network routes with the MPLS labels are adver...

Page 119: ...s over a faulty LSP because this will cause data forwarding failures If tunnel reachability checking is disabled BGP advertises labeled routes to peers whether the tunnels for imported routes are reachable or not End 3 8 3 Configuring a Routing Policy to Control Label Distribution Configure a routing policy to control label allocation for the inter AS BGP LSP If labeled IPv4 routes are advertised ...

Page 120: ...cy name2 export The routing policy adopted when the route is advertised to the peer ASBR is created End 3 8 4 Establishing the MP EBGP Peer Relationship Between PEs By importing extended community attributes to BGP MP EBGP can advertise VPNv4 routes between PEs PEs of different ASs are generally not directly connected Therefore to set up the EBGP connection between the PEs of different ASs configu...

Page 121: ...as number as number The peer PE is specified as the EBGP peer 4 Run peer ipv4 address ebgp max hop hop count The maximum hop of the EBGP peer is configured PEs of different ASs are generally not directly connected To set up the EBGP peer between PEs of different ASs configure the maximum hop between PEs and ensure the PEs are reachable 5 Run ipv4 family vpnv4 unicast The BGP VPNv4 address family i...

Page 122: ...gurations of the inter AS VPN Option C function are complete Procedure l Run the display bgp vpnv4 all peer command to check the BGP peers on the PE l Run the display bgp vpnv4 all routing table command to check the VPN IPv4 routing table on the PE or ASBR l Run the display bgp routing table label command to check information about the label of the IPv4 route on the ASBR l Run the display ip routi...

Page 123: ...eled BGP routes of the public network in the remote AS from the remote ASBR the local ASBR allocates labels for these routes and advertises these routes to the IBGP peer that supports the label switching capability In this manner a complete LSP is set up l Solution 2 The IBGP peer relationship between the PE and the ASBR is not needed In this solution an ASBR learns the labeled public BGP routes o...

Page 124: ... of the public network NOTE In inter AS VPN Option C do not enable LDP between ASBRs If LDP is enabled on the interfaces between ASBRs LDP sessions are then established between the ASBRs In this case the ASBRs establish an egress LSP and send Mapping messages to the upstream ASBR After receiving Mapping messages the upstream ASBR establishes a transit LSP When there are high volume BGP routes enab...

Page 125: ...ction can be set up between the EBGP peers through multiple hops End 3 9 3 Advertising the Routes of the PE in the Local AS to the Remote PE After the routes of the loopback interface on a PE in an AS are advertised to the remote PE in another AS the MP EBGP peer relationship is established between the PEs Procedure l The loopback address of the PE in the local AS is advertised to the remote ASBR ...

Page 126: ...etween ASBRs Procedure l Creating a routing policy Perform the following steps on ASBRs 1 Run system view The system view is displayed 2 Run route policy route policy name permit node seq number The routing policy applied to advertise routes to the remote ASBR is configured 3 Run apply mpls label Labels for IPv4 routes are distributed 4 Run quit Return to the system view l Applying a Routing Polic...

Page 127: ... configured If tunnel reachability checking is enabled BGP advertises IPv4 unicast routes to peers when routed tunnels are unreachable or advertises labeled routes to peers when routed tunnels are reachable This eliminates the risk of establishing an MP EBGP peer relationship between PEs over a faulty LSP because this will cause data forwarding failures If tunnel reachability checking is disabled ...

Page 128: ...Therefore to set up the EBGP connection between the PEs of different ASs configure the permitted maximum hops between the PEs Procedure l Perform the following steps on PEs 1 Run system view The system view is displayed 2 Run bgp as number The BGP view is displayed 3 Run peer ipv4 address as number as number The remote PE is specified as the EBGP peer 4 Run peer ipv4 address connect interface inte...

Page 129: ...as number The CE is configured to be the peer of the VPN private network 5 Optional Run peer ipv4 address group name ebgp max hop hop count The maximum number of hops in the EBGP connection is specified 6 Optional Run network ip address mask The direct routes are advertised to the local CE 7 Optional Run peer ip address allow as loop number The routing loop is permitted 8 Optional Run peer ip addr...

Page 130: ... label command to check information about the labels of IPv4 routes on an ASBR l Run the display ip routing table vpn instance vpn instance name command to check the VPN routing table on a PE l Run the display mpls route state vpn instance vpn instance name exclude include idle ready settingup destination address mask length verbose command to check the matching relationship between routes and the...

Page 131: ...ASBR display ip routing table 4 4 4 9 verbose Route Flags R relay D download to fib Routing Table Public Summary Count 1 Destination 4 4 4 9 32 Protocol EBGP Process ID 0 Preference 255 Cost 1 NextHop 192 1 1 2 Neighbour 192 1 1 2 State Active Adv Age 00h12m53s Tag 0 Priority low Label 15360 QoSInfo 0x0 IndirectID 0x0 RelayNextHop 0 0 0 0 Interface GE2 0 0 TunnelID 0x6002006 Flags D Run the displa...

Page 132: ...devices Pre configuration Tasks Before configuring HoVPN complete the task of Configuring Basic BGP MPLS IP VPN Data Preparation To configure HoVPN you need the following data No Data 1 Relationship between the UPE and SPE 2 Name of the VPN instance sending default routes to the UPE 3 10 2 Specifying UPE Before configuring a UPE establish the VPNv4 peer relationship between the UPE and SPE Procedu...

Page 133: ...The BGP view is displayed Step 3 Run ipv4 family vpnv4 The BGP VPNv4 sub address family view is displayed Step 4 Run peer ipv4 address group name default originate vpn instance vpn instance name The default routes of a specified VPN instance are advertised to the UPE After running the command the SPE advertises a default route to the UPE with its local address as the next hop regardless of whether...

Page 134: ...1 1 Establishing the Configuration Task Before configuring a multi VPN instance CE familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the data required for the configuration This will help you complete the configuration task quickly and accurately Applicable Environment The multi VPN instance CE is used in the LAN You can implement service isolatio...

Page 135: ... the OSPF Multi Instance on the PE Different services are configured in different instances and use different OSPF process IDs Context Perform the following steps on the PE that is accessed by the multi instance CE Procedure Step 1 Run system view The system view is displayed Step 2 Run ospf process id router id router id vpn instance vpn instance name The OSPF multi instance is configured Differe...

Page 136: ... Instance CE The process ID of the OSPF multi instance configured on the multi VPN instance CE must be the same as that configured on the PE Context Perform the following steps on the multi instance CE Procedure Step 1 Run system view The system view is displayed Step 2 Run ospf process id router id router id vpn instance vpn instance name The OSPF multi instance is configured The OSPF process ID ...

Page 137: ... 2 Run ospf process id router id router id vpn instance vpn instance name The OSPF multi instance view is displayed Step 3 Run vpn instance capability simple Loop detection is not performed End 3 11 5 Checking the Configuration After the multi VPN instance CE is configured the VPN routing table of the CE contains the routes destined for the LAN and remote sites for each service Prerequisites The c...

Page 138: ...sers because VPN users cannot access the Internet If each VPN site needs to access the Internet configure the interconnection between the VPN and the Internet 3 12 1 Establishing the Configuration Task Before configuring the interconnection between a VPN and the Internet familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can ...

Page 139: ... be 0 Note that the out interface must be the interface connected directly with the PE and the next hop is the IP address of the peer PE interface connected directly with the CE NOTE If the CE and the PE are connected through an Ethernet network the next hop must be specified End 3 12 3 Configuring the Private Network Static Route on the PE This section describes how to configure static routes on ...

Page 140: ...ess NOTE If the CE and PE are connected through an Ethernet network the next hop must be specified End 3 12 5 Checking the Configuration After configuring the interconnection between a VPN and the Internet the VPN routing table contains the routes destined for the CE and the router in the public network and the routing table in the destined device of the public network contains the route to the CE...

Page 141: ... 3 3 3 32 OSPF 10 3 D 100 1 1 2 Pos2 0 0 100 1 1 0 24 Direct 0 0 D 100 1 1 1 Pos2 0 0 100 1 1 1 32 Direct 0 0 D 127 0 0 1 Pos1 0 0 100 1 1 2 32 Direct 0 0 D 100 1 1 2 Pos2 0 0 100 2 1 0 24 OSPF 10 2 D 100 1 1 2 Pos2 0 0 100 3 1 0 24 Static 60 0 D 10 1 1 1 Pos1 0 0 127 0 0 0 8 Direct 0 0 D 127 0 0 1 InLoopBack0 127 0 0 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 Run the ping command to check the connec...

Page 142: ...rotocol on the router to enable the connectivity between network devices l Setting up the VPN network l Generating two unequal cost routes by configuring different metrics Data Preparation To configure the IP FRR of private network you need the following data No Data 1 Name of the routing policy 2 Name of the VPN instance 3 Outbound interface of the backup route 4 Next hop of the backup route 3 13...

Page 143: ...N instance IPv4 address family view is displayed Step 8 Run ip frr route policy route policy name The IP FRR of the private network is enabled End 3 13 3 Checking the Configuration After configuring IP FRR you can view information about the backup outgoing interface and backup next hop in the VPN routing table Prerequisites The configurations of the IP FRR of a private network function are complet...

Page 144: ...g VPN FRR In the networking of CE dual homing you can configure VPN FRR to ensure the end to end VPN service fast switchover if the PE fails 3 14 1 Establishing the Configuration Task Before configuring VPN FRR familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can help you complete the configuration task quickly and accurate...

Page 145: ...en PEs fails Context Before configuring VPN FRR on a PE configure a routing policy to specify a backup next hop The routing policy will be used when VPN FRR is enabled in a VPN instance Procedure Step 1 Run system view The system view is displayed Step 2 Run route policy route policy name permit deny node node The routing policy node is created and the routing policy view is displayed Step 3 Run a...

Page 146: ...it means the configuration succeeds 3 15 Configuring Route Reflection to Optimize the VPN Backbone Layer Using an RR can reduce the number of MP IBGP connections between PEs This not only reduces the burden of PEs but also facilitates network maintenance and management 3 15 1 Establishing the Configuration Task Before configuring an RR to optimize the VPN backbone layer familiarize yourself with t...

Page 147: ...ing tasks l Configuring the routing protocol for the MPLS backbone network to implement IP interworking between routers in the backbone network l Establishing tunnels LSPs or GRE tunnels between the RR and all Client PEs Data Preparation To configure the BGP VPNv4 route reflection you need the following data No Data 1 Local AS number and peer AS number 2 Type and number of the interfaces used to s...

Page 148: ...and RR is enabled End 3 15 3 Configuring the RR to Establish MP IBGP Connections with the Client PEs MP IBGP connections are configured between the RR and all its clients PEs to facilitate VPNv4 route reflection Context Choose one of the following schemes to configure the RR Procedure l Configuring the RR to Establish MP IBGP Connections with the Peer Group 1 Run system view The system view is dis...

Page 149: ...ient PE is specified as the BGP peer 4 Run peer ipv4 address connect interface interface type interface number The interface is specified as an interface to establish the TCP connection The interface IP address must be the same as the MPLS LSR ID It is recommended to specify a loopback interface to establish the TCP connection 5 Run ipv4 family vpnv4 The BGP VPNv4 address family view is displayed ...

Page 150: ...extcomm filter name The reflection policy is configured for the RR Only IBGP routes of which the RT extended community attribute matches the reflection policy can be reflected End 3 15 5 Checking the Configuration After configuring an RR to optimize the VPN backbone layer you can view BGP VPNv4 peer information and VPNv4 routing information on the RR or its clients PEs Prerequisites The configurat...

Page 151: ...er command on the RR or the Client PEs Huawei display bgp vpnv4 all routing table peer 2 2 2 9 received routes BGP Local router ID is 1 1 1 9 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Total Number of Routes 1 Route Distinguisher 100 1 Network NextHop MED LocPrf PrefVal Path Ogn i 1 1 1 1 2 2 2 9 0 100 0 i l If the peer group is configu...

Page 152: ...ns between the CEs the PE can be configured as an RR to reflect the routes of the VPN instance and the CEs can be configured as clients which are called Client CEs This procedure simplifies and facilitates network maintenance and management Pre configuration Tasks Before configuring route reflection to optimize the VPN access layer complete the following tasks l Configure a routing protocol for th...

Page 153: ...terface to establish the TCP connection The interface IP address must be the same as the MPLS LSR ID It is recommended to specify a loopback interface to establish the TCP connection End 3 16 3 Configuring the RR to Establish MP IBGP Connections with All Client CEs This section describes how to configure MP IBGP connections between the RR and all its clients CEs to reflect VPNv4 routes to all clie...

Page 154: ...view is displayed 2 Run bgp as number The BGP view is displayed 3 Run ipv4 family vpn instance vpn instance name The BGP VPN instance IPv4 address family view is displayed 4 Run peer ipv4 address as number as number The peer of the BGP IPv4 VPN instance is configured 5 Run peer ipv4 address connect interface interface type interface number The interface is specified as an interface to establish th...

Page 155: ... By default route reflection between the Client CEs is enabled If the Client CEs are fully connected you can use the undo reflect between clients command to disable route reflection between the clients to reduce costs Step 6 Optional Run reflector cluster id cluster id The RR cluster ID is set If a cluster has multiple RRs you can use this command to set the same cluster ID for these RRs to preven...

Page 156: ...etween the RR and all Client CEs is Established after running the display bgp vpnv4 all peer command on the RR Huawei display bgp vpnv4 all peer BGP local router ID 1 1 1 9 Local AS number 100 Total number of peers 3 Peers in established state 3 Peer V AS MsgRcvd MsgSent OutQ Up Down State PrefRcv 2 2 2 9 4 100 2 4 0 00 00 31 Established 0 3 3 3 9 4 100 3 5 0 00 01 23 Established 0 Peer of IPv4 fa...

Page 157: ...awei display bgp vpnv4 all routing table statistics Total number of routes from all PE 4 VPN Instance vpn1 router ID 1 1 1 9 Total Number of Routes 4 VPN Instance vpn2 router ID 1 1 1 9 Total Number of Routes 0 l If the peer group is configured you can view information about the group members and find that the status of the BGP connections between the RR and the group members is Established after ...

Page 158: ... routing table of a VPN instance l Run the display ip vpn instance verbose vpn instance name command to check information about the VPN instance l Run the display bgp vpnv4 all vpn instance vpn instance name routing table label command to check information about labeled routes in the BGP routing table l Run the display bgp vpnv4 all route distinguisher route distinguisher vpn instance vpn instance...

Page 159: ... that the packet passes by from the source to the destination l Run the ping lsp a source ip c count exp exp value h ttl value m interval r reply mode s packet size t time out v vpn instance vpn name remote remote address mask length command to check the connectivity of the L3VPN LSP End Example After the VPN configuration run the ping command with vpn instance vpn instance name on the PE to check...

Page 160: ...ily cannot be restored after being cleared Exercise caution when performing the action Procedure l Run the reset bgp vpn instance vpn instance name ipv4 family ipv4 address flap info command in the user view to clear statistics of the BGP peer flap for a specified VPN instance IPv4 address family l Run the reset bgp vpn instance vpn instance name ipv4 family dampening ipv4 address mask mask length...

Page 161: ...oup name all internal external command in the user view to reset BGP connections of the VPN instance IPv4 address family l Run the reset bgp vpnv4 as number ipv4 address group group name all internal external command in the user view to reset BGP VPNv4 connections End 3 18 Configuration Examples This section provides several configuration examples of VPN networking In each configuration example th...

Page 162: ...DP on the PEs and establish the MPLS LSPs between the PEs 3 Configure MP IBGP to exchange the VPN routing information between the PEs 4 Configure the VPN instance on the PE connected with the CE in the backbone network and bind the PE interface connected with the CE to the corresponding VPN instance 5 Configure EBGP between the CE and the PE to exchange VPN routing information Data Preparation To ...

Page 163: ...2 LoopBack1 ip address 3 3 3 9 32 PE2 LoopBack1 quit PE2 interface ethernet 2 0 1 PE2 Ethernet2 0 1 ip address 172 2 1 2 24 PE2 Ethernet2 0 1 quit PE2 ospf PE2 ospf 1 area 0 PE2 ospf 1 area 0 0 0 0 network 172 2 1 0 0 0 0 255 PE2 ospf 1 area 0 0 0 0 network 3 3 3 9 0 0 0 0 PE2 ospf 1 area 0 0 0 0 quit PE2 ospf 1 quit After the configuration the OSPF neighbor relationship should be established betw...

Page 164: ...2 0 1 mpls ldp PE1 Ethernet2 0 1 quit Configure the P P mpls lsr id 2 2 2 9 P mpls P mpls quit P mpls ldp P mpls ldp quit P interface ethernet 1 0 0 P Ethernet1 0 0 mpls P Ethernet1 0 0 mpls ldp P Ethernet1 0 0 quit P interface ethernet 2 0 0 P Ethernet2 0 0 mpls P Ethernet2 0 0 mpls ldp P Ethernet2 0 0 quit Configure PE2 PE2 mpls lsr id 3 3 3 9 PE2 mpls PE2 mpls quit PE2 mpls ldp PE2 mpls ldp qui...

Page 165: ...number 100 PE1 bgp peer 3 3 3 9 connect interface loopback 1 PE1 bgp ipv4 family vpnv4 PE1 bgp af vpnv4 peer 3 3 3 9 enable PE1 bgp af vpnv4 quit PE1 bgp quit Configure PE2 PE2 bgp 100 PE2 bgp peer 1 1 1 9 as number 100 PE2 bgp peer 1 1 1 9 connect interface loopback 1 PE2 bgp ipv4 family vpnv4 PE2 bgp af vpnv4 peer 1 1 1 9 enable PE2 bgp af vpnv4 quit PE2 bgp quit After the configuration run the ...

Page 166: ...et1 0 0 quit PE2 interface ethernet 2 0 0 PE2 Ethernet2 0 0 ip binding vpn instance vpnb PE2 Ethernet2 0 0 ip address 10 4 1 2 24 PE2 Ethernet2 0 0 quit Configure an IP address for the CE interface according to Figure 3 2 Details for the configuration procedure are not provided here After the configuration check the configuration of VPN instances by running the display ip vpn instance verbose comm...

Page 167: ... route direct NOTE The configuration procedures of CE2 CE3 and CE4 are similar to that of CE1 Configure PE1 PE1 bgp 100 PE1 bgp ipv4 family vpn instance vpna PE1 bgp vpna peer 10 1 1 1 as number 65410 PE1 bgp vpna import route direct PE1 bgp vpna quit PE1 bgp ipv4 family vpn instance vpnb PE1 bgp vpnb peer 10 2 1 1 as number 65420 PE1 bgp vpnb import route direct PE1 bgp vpnb quit NOTE The configu...

Page 168: ...can successfully ping CE3 10 3 1 1 24 but cannot ping CE4 10 4 1 1 24 CE1 ping 10 3 1 1 PING 10 3 1 1 56 data bytes press CTRL_C to break Reply from 10 3 1 1 bytes 56 Sequence 1 ttl 253 time 72 ms Reply from 10 3 1 1 bytes 56 Sequence 2 ttl 253 time 34 ms Reply from 10 3 1 1 bytes 56 Sequence 3 ttl 253 time 50 ms Reply from 10 3 1 1 bytes 56 Sequence 4 ttl 253 time 50 ms Reply from 10 3 1 1 bytes ...

Page 169: ...00 peer 3 3 3 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 3 3 3 9 enable ipv4 family vpnv4 policy vpn target peer 3 3 3 9 enable ipv4 family vpn instance vpna peer 10 1 1 1 as number 65410 import route direct ipv4 family vpn instance vpnb peer 10 2 1 1 as number 65420 import route direct ospf 1 area 0 0 0 0 network 172 1 1 0 0 0 0 255 network 1 1 1 9 0 0 0 0 return ...

Page 170: ...Ethernet1 0 0 ip binding vpn instance vpna ip address 10 3 1 2 255 255 255 0 interface Ethernet2 0 0 ip binding vpn instance vpnb ip address 10 4 1 2 255 255 255 0 interface Ethernet2 0 1 ip address 172 2 1 2 255 255 255 0 mpls mpls ldp interface LoopBack1 ip address 3 3 3 9 255 255 255 255 bgp 100 peer 1 1 1 9 as number 100 peer 1 1 1 9 connect interface LoopBack1 ipv4 family unicast undo synchro...

Page 171: ... bgp 65420 peer 10 2 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 10 2 1 2 enable return l Configuration file of CE3 sysname CE3 interface Ethernet1 0 0 ip address 10 3 1 1 255 255 255 0 bgp 65430 peer 10 3 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 10 3 1 2 enable return l Configuration file of CE4 sysname CE4 interfa...

Page 172: ...2 0 0 30 1 1 2 24 GE1 0 0 10 1 1 2 24 GE2 0 0 100 1 1 1 24 GE1 0 0 10 1 1 1 24 CE1 PE1 PE2 GE1 0 0 10 2 1 2 24 CE2 GE1 0 0 10 2 1 1 24 VPN1 VPN1 Loopback1 3 3 3 9 32 Loopback1 1 1 1 9 32 Loopback1 2 2 2 9 32 GE1 0 0 20 1 1 2 24 GE2 0 0 30 1 1 1 24 P GE2 0 0 200 1 1 1 24 Backbone AS 600 AS 600 AS 100 Configuration Roadmap The configuration roadmap is as follows 1 Configure IGP on the backbone netwo...

Page 173: ...ce on CE1 that is connected with PE1 There is no route to the VPN site 100 1 1 0 24 of the CE1 The same situation occurs on CE1 CE2 display ip routing table Route Flags R relay D download to fib Routing Tables Public Destinations 9 Routes 9 Destination Mask Proto Pre Cost Flags NextHop Interface 10 1 1 0 24 EBGP 255 0 D 10 2 1 2 GigabitEthernet1 0 0 10 1 1 1 32 EBGP 255 0 D 10 2 1 2 GigabitEtherne...

Page 174: ...eer 10 2 1 2 received routes Total Number of Routes 6 BGP Local router ID is 10 2 1 1 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Network NextHop MED LocPrf PrefVal Path Ogn 10 1 1 0 24 10 2 1 2 0 100 10 1 1 1 32 10 2 1 2 0 100 10 1 1 2 32 10 2 1 2 0 100 100 10 2 1 0 24 10 2 1 2 0 0 100 10 2 1 1 32 10 2 1 2 0 0 100 100 1 1 0 24 10 2 1 2 ...

Page 175: ...0 0 ip address 100 1 1 1 255 255 255 0 bgp 600 peer 10 1 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 10 1 1 2 enable return l Configuration file of PE1 sysname PE1 ip vpn instance vpn1 ipv4 family route distinguisher 100 1 vpn target 1 1 export extcommunity vpn target 1 1 import extcommunity mpls lsr id 1 1 1 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip...

Page 176: ... 255 255 0 mpls mpls ldp interface LoopBack1 ip address 2 2 2 9 255 255 255 255 ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 network 20 1 1 0 0 0 0 255 network 30 1 1 0 0 0 0 255 return l Configuration file of PE2 sysname PE2 ip vpn instance vpn1 ipv4 family route distinguisher 100 1 vpn target 1 1 export extcommunity vpn target 1 1 import extcommunity mpls lsr id 3 3 3 9 mpls mpls ldp interface Gi...

Page 177: ...itEthernet2 0 0 ip address 200 1 1 1 255 255 255 0 bgp 600 peer 10 2 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 10 2 1 2 enable return 3 18 3 Example for Configuring Hub and Spoke In the networking of Hub and Spoke an access control device is specified in the VPN and users communicate with each other through the access control device Networking Requirements...

Page 178: ...he Spoke PEs 2 Create a VPN instance on the Spoke PE and set the Import Target differenet from the Export Target 3 Create two VPN instances namely vpn_in and vpn_out on the Hub PE Set the VPN Target community attribute received by vpn_in as those advertised by two Spoke PEs Set the VPN target community attribute advertised by vpn_out to be the VPN target community attribute received by the two Spo...

Page 179: ...b PE should include the Export Targets of all Spoke PEs The Export Target list of another VPN on Hub PE should include the Import Targets of all Spoke PEs Configure Spoke PE 1 Spoke PE1 system view Spoke PE1 ip vpn instance vpna Spoke PE1 vpn instance vpna ipv4 family Spoke PE1 vpn instance vpna af ipv4 route distinguisher 100 1 Spoke PE1 vpn instance vpna af ipv4 vpn target 100 1 export extcommun...

Page 180: ...nd on the PE devices and you can see the configurations of VPN instances Each PE can ping through its attached CEs using the ping vpn instance vpn name ip address command NOTE When the interfaces on a PE are bound to the same VPN you need to specify the source IP address when you use the ping command to ping the CE connected with the peer PE That is you need to specify a source ip address in the p...

Page 181: ...established between the PE and the CE Step 5 Establish MP IBGP peers between the PEs Configure Spoke PE 1 Spoke PE1 bgp 100 Spoke PE1 bgp peer 2 2 2 9 as number 100 Spoke PE1 bgp peer 2 2 2 9 connect interface loopback 1 Spoke PE1 bgp ipv4 family vpnv4 Spoke PE1 bgp af vpnv4 peer 2 2 2 9 enable Spoke PE1 bgp af vpnv4 quit Configure Spoke PE 2 Spoke PE2 bgp 100 Spoke PE2 bgp peer 2 2 2 9 as number ...

Page 182: ...32 ms Spoke CE1 tracert 120 1 1 1 traceroute to 120 1 1 1 120 1 1 1 max hops 30 packet length 40 1 100 1 1 2 8 ms 2 ms 2 ms 2 110 2 1 2 3 ms 2 ms 2 ms 3 110 2 1 1 3 ms 2 ms 2 ms 4 110 1 1 2 3 ms 2 ms 2 ms 5 120 1 1 2 6 ms 6 ms 6 ms 6 120 1 1 1 6 ms 6 ms 6 ms Run the display bgp routing table command on Spoke CE and you can see that there are repetitive AS numbers in AS paths of the BGP routes towa...

Page 183: ... 2 2 9 as number 100 peer 2 2 2 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable ipv4 family vpnv4 policy vpn target peer 2 2 2 9 enable ipv4 family vpn instance vpna peer 100 1 1 1 as number 65410 import route direct ospf 1 area 0 0 0 0 network 10 1 1 0 0 0 0 255 network 1 1 1 9 0 0 0 0 return l Configuration file of Spoke PE 2 sysname Spoke PE2 ip vpn in...

Page 184: ... 3 9 0 0 0 0 network 11 1 1 0 0 0 0 255 return l Configuration file of Spoke CE 2 sysname Spoke CE2 interface Ethernet1 0 0 ip address 120 1 1 1 255 255 255 0 bgp 65420 peer 120 1 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 120 1 1 2 enable return l Configuration file of Hub CE sysname Hub CE interface Ethernet1 0 0 ip address 110 1 1 1 255 255 255 0 interfa...

Page 185: ...rface Ethernet1 0 1 ip binding vpn instance vpn_out ip address 110 2 1 2 255 255 255 0 interface LoopBack1 ip address 2 2 2 9 255 255 255 255 bgp 100 peer 1 1 1 9 as number 100 peer 1 1 1 9 connect interface LoopBack1 peer 3 3 3 9 as number 100 peer 3 3 3 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 1 1 1 9 enable peer 3 3 3 9 enable ipv4 family vpnv4 policy vpn targ...

Page 186: ...s Figure 3 5 Networking diagram of inter AS VPN PE2 ASBR2 BGP MPLS Backbone AS 200 ASBR1 PE1 BGP MPLS Backbone AS 100 GE2 0 0 10 1 1 2 24 Loopback1 1 1 1 9 32 GE1 0 0 172 1 1 2 24 GE2 0 0 192 1 1 1 24 Loopback1 2 2 2 9 32 GE1 0 0 172 1 1 1 24 Loopback1 3 3 3 9 32 GE1 0 0 162 1 1 1 24 GE1 0 0 162 1 1 2 24 Loopback1 4 4 4 9 32 GE2 0 0 10 2 1 2 24 CE1 AS 65001 CE2 AS 65002 GE1 0 0 10 1 1 1 24 GE1 0 0...

Page 187: ...ace address of each other Step 2 Configure MPLS basic capability and MPLS LDP on the MPLS backbone of AS 100 and AS 200 respectively to set up LDP LSP Configure basic MPLS capability on PE1 and enable LDP on the interface connecting ASBR1 PE1 system view PE1 mpls lsr id 1 1 1 9 PE1 mpls PE1 mpls quit PE1 mpls ldp PE1 mpls ldp quit PE1 interface gigabitethernet1 0 0 PE1 GigabitEthernet1 0 0 mpls PE...

Page 188: ...p 3 Configure basic BGP MPLS IP VPN on the MPLS backbone of AS 100 and AS 200 respectively NOTE The VPN target of the VPN instances of the ASBR and the PE in the same AS should match In different ASs the matching of the VPN target attributes of the PEs is unnecessary Configure CE1 CE1 system view CE1 interface gigabitethernet 1 0 0 CE1 GigabitEthernet1 0 0 ip address 10 1 1 1 24 CE1 GigabitEtherne...

Page 189: ...0 VPN Instance vpn1 router ID 1 1 1 9 Total number of peers 1 Peers in established state 1 Peer V AS MsgRcvd MsgSent OutQ Up Down State PrefRcv 10 1 1 1 4 65001 10 10 0 00 07 10 Established 2 PE1 display bgp vpnv4 all peer BGP local router ID 1 1 1 9 Local AS number 100 Total number of peers 2 Peers in established state 2 Peer V AS MsgRcvd MsgSent OutQ Up Down State PrefRcv 2 2 2 9 4 100 3 7 0 00 ...

Page 190: ... between the ASBRs Step 5 Verify the configuration After the above configuration the CEs learn interface routes of each other CE1 and CE2 can ping through each other Consider CE1 as an example CE1 display ip routing table Route Flags R relay D download to fib Routing Tables Public Destinations 7 Routes 7 Destination Mask Proto Pre Cost Flags NextHop Interface 10 1 1 0 24 Direct 0 0 D 10 1 1 1 Giga...

Page 191: ...the ASBR and you can see the VPNv4 routes on the ASBR ASBR1 display bgp vpnv4 all routing table Local AS number 100 BGP Local router ID is 2 2 2 9 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Total number of routes from all PE 5 Route Distinguisher 100 1 Network NextHop MED LocPrf PrefVal Path Ogn i 10 1 1 0 24 1 1 1 9 0 100 0 Route Disti...

Page 192: ...tance vpn1 ip address 10 1 1 2 255 255 255 0 interface LoopBack1 ip address 1 1 1 9 255 255 255 255 bgp 100 peer 2 2 2 9 as number 100 peer 2 2 2 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable ipv4 family vpnv4 policy vpn target peer 2 2 2 9 enable ipv4 family vpn instance vpn1 peer 10 1 1 1 as number 65001 ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 net...

Page 193: ... peer 192 1 1 2 as number 200 import route direct ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 network 172 1 1 0 0 0 0 255 return l Configuration file of ASBR2 sysname ASBR2 ip vpn instance vpn1 ipv4 family route distinguisher 200 2 vpn target 2 2 export extcommunity vpn target 2 2 import extcommunity mpls lsr id 3 3 3 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip address 162 1 1 1 255 255 255 ...

Page 194: ... ldp interface GigabitEthernet1 0 0 ip address 162 1 1 2 255 255 255 0 mpls mpls ldp interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 2 1 2 255 255 255 0 interface LoopBack1 ip address 4 4 4 9 255 255 255 255 bgp 200 peer 3 3 3 9 as number 200 peer 3 3 3 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 3 3 3 9 enable ipv4 family vpnv4 policy vpn ...

Page 195: ... 200 The inter AS BGP MPLS IP VPN is implemented using Option B l ASBR 1 exchange VPN IPv4 routes with ASBR 2 by MP EBGP l ASBR does not perform VPN target filtering on the received VPN IPv4 routes Figure 3 6 Networking diagram of inter AS VPN PE2 ASBR2 BGP MPLS Backbone AS 200 ASBR1 PE1 BGP MPLS Backbone AS 100 GE2 0 0 10 1 1 2 24 Loopback1 1 1 1 9 32 GE1 0 0 172 1 1 2 24 GE2 0 0 192 1 1 1 24 Loo...

Page 196: ...ould be advertised by OSPF After the configuration the OSPF neighbor relationship should be established between the ASBR and the PE of the same AS Run the display ospf peer command to find that the status of the OSPF neighbor relationship is Full The ASBR and the PE in the same AS can learn the Loopback addresses of each other and can ping through each other Step 2 Configure MPLS basic capability ...

Page 197: ... 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 CE1 ping 10 2 1 1 PING 10 2 1 1 56 data bytes press CTRL_C to break Reply from 10 2 1 1 bytes 56 Sequence 1 ttl 252 time 120 ms Reply from 10 2 1 1 bytes 56 Sequence 2 ttl 252 time 73 ms Reply from 10 2 1 1 bytes 56 Sequence 3 ttl 252 time 111 ms Reply from 10 2 1 1 bytes 56 Sequence 4 ttl 252 time 86 ms Reply from 10 2 1 1 bytes 56 Sequence 5 ttl 252 time ...

Page 198: ...interface GigabitEthernet1 0 0 ip address 172 1 1 2 255 255 255 0 mpls mpls ldp interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 1 1 2 255 255 255 0 interface LoopBack1 ip address 1 1 1 9 255 255 255 255 bgp 100 peer 2 2 2 9 as number 100 peer 2 2 2 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable ipv4 family vpnv4 policy vpn targe...

Page 199: ...2 1 1 2 enable peer 1 1 1 9 enable ipv4 family vpnv4 undo policy vpn target apply label per nexthop peer 1 1 1 9 enable peer 192 1 1 2 enable ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 network 172 1 1 0 0 0 0 255 return l Configuration file of ASBR 2 sysname ASBR2 mpls lsr id 3 3 3 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip address 162 1 1 1 255 255 255 0 mpls mpls ldp interface GigabitEth...

Page 200: ...pls lsr id 4 4 4 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip address 162 1 1 2 255 255 255 0 mpls mpls ldp interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 2 1 2 255 255 255 0 interface LoopBack1 ip address 4 4 4 9 255 255 255 255 bgp 200 peer 3 3 3 9 as number 200 peer 3 3 3 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 3 3 3 9 enable i...

Page 201: ...k through the PE1 in AS 100 and the CE2 accesses the network through the PE2 in AS 200 The Inter AS BGP MPLS IP VPN is implemented using Option C Figure 3 7 Networking diagram of inter AS VPN PE2 ASBR2 BGP MPLS Backbone AS 200 ASBR1 PE1 BGP MPLS Backbone AS 100 GE2 0 0 10 1 1 2 24 Loopback1 1 1 1 9 32 GE1 0 0 172 1 1 2 24 GE2 0 0 192 1 1 1 24 Loopback1 2 2 2 9 32 GE1 0 0 172 1 1 1 24 Loopback1 3 3...

Page 202: ... is not mentioned here NOTE The 32 bit loopback interface address used as the LSR ID should be advertised by OSPF After the configuration the OSPF neighbor relationship should be established between the ASBR and the PE of the same AS Run the display ospf peer command to find the status of the OSPF neighbor relationship as Full Take PE1 as an example PE1 display ospf peer OSPF Process 1 with Router...

Page 203: ... match mpls label ASBR1 route policy apply mpls label ASBR1 route policy quit Configure ASBR 1 Apply route policies to the routes advertised to PE1 and enable to exchange label IPv4 routes with PE1 ASBR1 bgp 100 ASBR1 bgp peer 1 1 1 9 route policy policy2 export ASBR1 bgp peer 1 1 1 9 label route capability Configure ASBR 1 Apply route policies to the routes advertised to ASBR 2 and enable to exch...

Page 204: ... 127 0 0 1 InLoopBack0 127 0 0 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 CE1 ping 10 2 1 1 PING 10 2 1 1 56 data bytes press CTRL_C to break Reply from 10 2 1 1 bytes 56 Sequence 1 ttl 252 time 102 ms Reply from 10 2 1 1 bytes 56 Sequence 2 ttl 252 time 89 ms Reply from 10 2 1 1 bytes 56 Sequence 3 ttl 252 time 106 ms Reply from 10 2 1 1 bytes 56 Sequence 4 ttl 252 time 104 ms Reply from 10 2 1 1 by...

Page 205: ...2 0 0 ip binding vpn instance vpn1 ip address 10 1 1 2 255 255 255 0 interface LoopBack1 ip address 1 1 1 9 255 255 255 255 bgp 100 peer 2 2 2 9 as number 100 peer 2 2 2 9 connect interface LoopBack1 peer 4 4 4 9 as number 200 peer 4 4 4 9 ebgp max hop 10 peer 4 4 4 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable peer 2 2 2 9 label route capability peer 4...

Page 206: ... 1 2 route policy policy1 export peer 192 1 1 2 label route capability peer 1 1 1 9 enable peer 1 1 1 9 route policy policy2 export peer 1 1 1 9 label route capability ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 network 172 1 1 0 0 0 0 255 route policy policy1 permit node 1 apply mpls label route policy policy2 permit node 1 if match mpls label route policy policy3 permit node 1 if match mpls toke...

Page 207: ...tch mpls label apply mpls label route policy policy3 permit node 1 if match mpls token return l Configuration file of PE2 sysname PE2 ip vpn instance vpn1 ipv4 family route distinguisher 200 1 vpn target 1 1 export extcommunity vpn target 1 1 import extcommunity mpls lsr id 4 4 4 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip address 162 1 1 2 255 255 255 0 mpls mpls ldp interface GigabitEthern...

Page 208: ...as number 200 ipv4 family unicast undo synchronization import route direct peer 10 2 1 2 enable return 3 18 7 Example for Configuring Inter AS VPN Option C Solution 2 If no MP IBGP relationships are established between PEs and ASBRs you can use LDP to allocate labels for BGP and implement the inter AS VPN OptionC solution Networking Requirements As shown in Figure 3 8 CE1 and CE2 belong to the sam...

Page 209: ...PE within an AS to the remote ASBR through BGP import these BGP routes to IGP on the remote ASBR and then advertise the routes of the PE to the remote PE by using IGP 2 Configure a routing policy on the ASBR Allocate MPLS labels to the the routes with MPLS tokens received by a PE within the local AS and advertised to the remote ASBR Allocate new MPLS labels to the labeled IPv4 routes advertised to...

Page 210: ...0 The ASBR and PE in the same AS can learn the IP address of the loopback1 interface of each other They can also ping each other successfully Step 2 Establish the EBGP peer relationship between the ASBRs Configure ASBR1 ASBR1 bgp 100 ASBR1 bgp peer 192 1 1 2 as number 200 ASBR1 bgp quit Configure ASBR2 ASBR2 bgp 200 ASBR2 bgp peer 192 1 1 1 as number 100 ASBR2 bgp quit After the configuration run ...

Page 211: ... 32 Direct 0 0 D 127 0 0 1 InLoopBack0 2 2 2 9 32 OSPF 10 1 D 172 1 1 1 GigabitEthernet1 0 0 4 4 4 9 32 O_ASE 150 1 D 172 1 1 1 GigabitEthernet1 0 0 127 0 0 0 8 Direct 0 0 D 127 0 0 1 InLoopBack0 127 0 0 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 172 1 1 0 24 Direct 0 0 D 172 1 1 2 GigabitEthernet1 0 0 172 1 1 1 32 Direct 0 0 D 172 1 1 1 GigabitEthernet1 0 0 172 1 1 2 32 Direct 0 0 D 127 0 0 1 InLoop...

Page 212: ...SBR1 and between PE2 and ASBR2 are set up Run the display mpls ldp session command You can view that the status is Operational Run the display mpls ldp lsp command and you can view whether LDP LSPs are set up Take PE1 as an example PE1 display mpls ldp session LDP Session s in Public Network Codes LAM Label Advertisement Mode SsnAge Unit DDDD HH MM A before a session means the session is being del...

Page 213: ...abeled BGP routes of the public network on ASBRs Configure ASBR1 ASBR1 mpls ASBR1 mpls lsp trigger bgp label route ASBR1 mpls quit Configure ASBR2 ASBR2 mpls ASBR2 mpls lsp trigger bgp label route ASBR2 mpls quit Step 7 Configure the VPN instance on the PEs and configure the CEs to access the instances Configure PE1 PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 ipv4 family PE1 vpn instance vpn1 a...

Page 214: ... 56 Sequence 3 ttl 255 time 40 ms Reply from 10 1 1 1 bytes 56 Sequence 4 ttl 255 time 30 ms Reply from 10 1 1 1 bytes 56 Sequence 5 ttl 255 time 10 ms 10 1 1 1 ping statistics 5 packet s transmitted 4 packet s received 20 00 packet loss round trip min avg max 10 32 50 ms Step 8 Establish the MP EBGP peer relationship between PE1 and PE2 Configure PE1 PE1 bgp 100 PE1 bgp peer 4 4 4 9 as number 200...

Page 215: ...4 65001 3 3 0 00 00 52 Established 1 Step 10 Varify the configuration After the preceding configuration CEs can learn routes of interfaces on each other and CE1 and CE2 can ping each other successfully Take CE1 as an example CE1 display ip routing table Route Flags R relay D download to fib Routing Tables Public Destinations 5 Routes 5 Destination Mask Proto Pre Cost Flags NextHop Interface 10 1 1...

Page 216: ...g 0 Priority 0 Label 15360 QoSInfo 0x0 IndirectID 0x0 RelayNextHop 0 0 0 0 Interface GigabitEthernet2 0 0 TunnelID 0x6002006 Flags D Run the display mpls lsp protocol ldp include dest ip address verbose on ASBR1 and PE2 respectively you can find that an LDP LSP is established between ASBR1 and PE2 Besides you can find an LDP Ingress LSP on a PE to the remote PE ASBR1 display mpls lsp protocol ldp ...

Page 217: ...n1 ip address 10 1 1 2 255 255 255 0 interface LoopBack1 ip address 1 1 1 9 255 255 255 255 bgp 100 peer 4 4 4 9 as number 200 peer 4 4 4 9 ebgp max hop 10 peer 4 4 4 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 4 4 4 9 enable ipv4 family vpnv4 policy vpn target peer 4 4 4 9 enable ipv4 family vpn instance vpn1 import route direct peer 10 1 1 1 as number 65001 ospf 1...

Page 218: ...h mpls token route policy policy1 permit node 1 apply mpls label return l Configuration file of ASBR2 sysname ASBR2 mpls lsr id 3 3 3 9 mpls lsp trigger bgp label route mpls ldp interface GigabitEthernet1 0 0 ip address 162 1 1 1 255 255 255 0 mpls mpls ldp interface GigabitEthernet2 0 0 ip address 192 1 1 2 255 255 255 0 mpls interface LoopBack1 ip address 3 3 3 9 255 255 255 255 bgp 200 peer 192...

Page 219: ...ce vpn1 ip address 10 2 1 2 255 255 255 0 interface LoopBack1 ip address 4 4 4 9 255 255 255 255 bgp 200 peer 1 1 1 9 as number 100 peer 1 1 1 9 ebgp max hop 10 peer 1 1 1 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 1 1 1 9 enable ipv4 family vpnv4 policy vpn target peer 1 1 1 9 enable ipv4 family vpn instance vpn1 import route direct peer 10 2 1 1 as number 65002 o...

Page 220: ...s the backbone network through the UPE and CE2 accesses the network through the PE l The UPE the SPE and the PE are interconnected through OSPF Figure 3 9 Networking diagram of HoVPN AS 65420 VPN A CE2 UPE SPE AS 65410 VPN A CE1 GE2 0 0 172 1 1 1 24 GE2 0 0 172 2 1 1 24 AS 100 Loopback1 1 1 1 9 32 Loopback1 3 3 3 9 32 GE1 0 0 10 2 1 1 24 GE1 0 0 10 1 1 1 24 GE1 0 0 10 2 1 2 24 GE1 0 0 10 1 1 2 24 ...

Page 221: ...know loopback routes from each other The specific configuration procedures are not mentioned here Step 2 Configure basic MPLS capability and MPLS LDP on MPLS backbone networks and establish LDP LSP After the configuration LDP session can be established among UPE SPE and PE Run the display mpls ldp session command to see that the session state is Operational Run the display mpls ldp lsp command to ...

Page 222: ...gp 65420 CE2 bgp peer 10 2 1 2 as number 100 CE2 bgp import route direct CE2 bgp quit After the configuration run the display ip vpn instance verbose command on the PE or UPE to see the configurations of VPN instances By running the command ping vpn instance the PE and UPE can ping the CEs attached to themselves successfully NOTE When the interfaces on a PE are bound to the same VPN you need to sp...

Page 223: ...1 1 9 default originate vpn instance vpna SPE bgp af vpnv4 quit Step 6 Verify the configuration After the configuration CE1 does not have a route to the network segment of the interface on CE2 but has a default route with the next hop to UPE The CE2 has the route to the network segment of the interface on CE1 Therefore CE1 and CE2 can ping through each other using the ping ip address command CE1 d...

Page 224: ...e a default route of VPN instances vpna with the next hop to SPE UPE display bgp vpnv4 all routing table BGP Local router ID is 1 1 1 9 Status codes valid best d damped h history i internal s suppressed S Stale Origin i IGP e EGP incomplete Total number of routes from all PE 3 Route Distinguisher 100 1 Network NextHop MED LocPrf PrefVal Path Ogn 10 1 1 0 24 0 0 0 0 0 0 10 1 1 1 0 0 65410 Route Dis...

Page 225: ...s number 100 peer 2 2 2 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable ipv4 family vpnv4 policy vpn target peer 2 2 2 9 enable ipv4 family vpn instance vpna peer 10 1 1 1 as number 65410 import route direct ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0 network 172 1 1 0 0 0 0 255 return l Configuration file of SPE sysname SPE ip vpn instance vpna ipv4 fami...

Page 226: ...a 0 0 0 0 network 2 2 2 9 0 0 0 0 network 172 1 1 0 0 0 0 255 network 172 2 1 0 0 0 0 255 return l Configuration file of PE sysname PE ip vpn instance vpna ipv4 family route distinguisher 100 2 vpn target 1 1 export extcommunity vpn target 1 1 import extcommunity mpls lsr id 3 3 3 9 mpls mpls ldp interface GigabitEthernet1 0 0 ip binding vpn instance vpna ip address 10 2 1 2 255 255 255 0 interfac...

Page 227: ...stance on CEs you can implement service isolation on the LAN Networking Requirements As shown in Figure 3 10 the networking requirements are as follows l CE1 and CE2 belong to the same LAN and MCE CE3 and CE4 belong to the same LAN l An MCE is used by the client to exchange routes between multiple VPN instances l CE1 and CE3 belong to vpna while CE2 and CE4 belong to vpnb l vpna and vpnb use diffe...

Page 228: ...en MCE and CE4 to exchange VPN routes NOTE When configuring OSPF multi instance between MCE and PE2 configure as follows l In the OSPF view of the PE2 This OSPF process refers to the process used for the configuration of OSPF multi instance import the BGP route Therefore the MCE obtains the VPN routes that PE1 has learned from CE1 or CE2 l Import the OSPF routes This OSPF process refers to the pro...

Page 229: ...d that the session status of the MPLS LDP between the PEs is operational Consider PE2 as an example PE2 display mpls ldp session LDP Session s in Public Network Codes LAM Label Advertisement Mode SsnAge Unit DDDD HH MM A before a session means the session is being deleted PeerID Status LAM SsnRole SsnAge KASent Rcv 1 1 1 9 0 Operational DU Active 0000 00 04 17 17 TOTAL 1 session s Found Step 3 Con...

Page 230: ... vpna quit MCE ip vpn instance vpnb MCE vpn instance vpnb ipv4 family MCE vpn instance vpnb af ipv4 route distinguisher 300 2 MCE vpn instance vpnb af ipv4 vpn target 222 2 both MCE vpn instance vpnb af ipv4 quit MCE vpn instance vpnb quit MCE interface ethernet2 0 1 MCE Ethernet2 0 1 ip binding vpn instance vpna MCE Ethernet2 0 1 ip address 10 3 1 2 24 MCE Ethernet2 0 1 quit MCE interface etherne...

Page 231: ... 100 PE2 bgp ipv4 family vpn instance vpna PE2 bgp vpna import route ospf 100 PE2 bgp vpna quit PE2 bgp ipv4 family vpn instance vpnb PE2 bgp vpnb import route ospf 200 PE2 bgp vpnb quit Configure MCE MCE system view MCE ospf 100 vpn instance vpna MCE ospf 100 area 0 MCE ospf 100 area 0 0 0 0 network 192 1 1 0 0 0 0 255 MCE ospf 100 area 0 0 0 0 quit MCE ospf 100 quit MCE ospf 200 vpn instance vpn...

Page 232: ...3 1 0 24 Direct 0 0 D 10 3 1 2 Ethernet2 0 1 10 3 1 1 32 Direct 0 0 D 10 3 1 1 Ethernet2 0 1 10 3 1 2 32 Direct 0 0 D 127 0 0 1 InLoopBack0 192 1 1 0 24 Direct 0 0 D 192 1 1 2 Ethernet1 0 0 192 1 1 1 32 Direct 0 0 D 192 1 1 1 Ethernet1 0 0 192 1 1 2 32 Direct 0 0 D 127 0 0 1 InLoopBack0 Run the display ip routing table vpn instance command on the PE You can find PE has a route to each peer CE Cons...

Page 233: ... time out Request time out Request time out 10 4 1 1 ping statistics 5 packet s transmitted 0 packet s received 100 00 packet loss End Configuration Files l Configuration file of CE1 sysname CE1 interface Ethernet1 0 0 ip address 10 1 1 1 255 255 255 0 bgp 65410 peer 10 1 1 2 as number 100 ipv4 family unicast undo synchronization import route direct peer 10 1 1 2 enable return l Configuration file...

Page 234: ...255 bgp 100 peer 2 2 2 9 as number 100 peer 2 2 2 9 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 2 2 2 9 enable ipv4 family vpnv4 policy vpn target peer 2 2 2 9 enable ipv4 family vpn instance vpna peer 10 1 1 1 as number 65410 import route direct ipv4 family vpn instance vpnb peer 10 2 1 1 as number 65420 import route direct ospf 1 area 0 0 0 0 network 1 1 1 9 0 0 0 0...

Page 235: ...amily unicast undo synchronization peer 1 1 1 9 enable ipv4 family vpnv4 policy vpn target peer 1 1 1 9 enable ipv4 family vpn instance vpna import route ospf 100 ipv4 family vpn instance vpnb import route ospf 200 ospf 1 area 0 0 0 0 network 2 2 2 9 0 0 0 0 network 172 1 1 0 0 0 0 255 ospf 100 vpn instance vpna import route bgp area 0 0 0 0 network 192 1 1 0 0 0 0 255 ospf 200 vpn instance vpnb i...

Page 236: ...100 vpn instance capability simple area 0 0 0 0 network 192 1 1 0 0 0 0 255 ospf 200 vpn instance vpnb import route rip 200 vpn instance capability simple area 0 0 0 0 network 192 2 1 0 0 0 0 255 rip 100 vpn instance vpna version 2 network 10 0 0 0 import route ospf 100 rip 200 vpn instance vpnb version 2 network 10 0 0 0 import route ospf 200 return l Configuration file of CE3 sysname CE3 interfa...

Page 237: ...0 0 100 2 1 1 24 GE1 0 0 10 1 1 1 24 GE1 0 0 10 2 1 1 24 GE2 0 0 10 2 1 2 24 Agent Server AS 65410 AS 65420 Loopback1 1 1 1 1 32 Loopback1 2 2 2 2 32 Loopback1 3 3 3 3 32 vpn1 vpn1 GE2 0 0 100 3 1 2 24 100 3 1 1 24 Configuration Roadmap In this configuration configure the L3VPN first It needs the following static routes 1 Add a default route on CE1 The next hop is PE1 2 Add a default route from th...

Page 238: ...D Status LAM SsnRole SsnAge KASent Rcv 1 1 1 1 0 Operational DU Active 0000 00 05 23 23 3 3 3 3 0 Operational DU Passive 0000 00 04 18 18 TOTAL 2 session s Found Run the display bgp vpnv4 all peer command on PE You can find that the MP IBGP peer relationship state is Established Consider PE1 as an example PE1 display bgp vpnv4 all peer BGP local router ID 1 1 1 1 Local AS number 100 Total number o...

Page 239: ... vpn instance vpn1 0 0 0 0 0 100 1 1 2 public Configure a static route back to the proxy server The next hop is CE1 PE1 ip route static 100 3 1 0 24 vpn instance vpn1 10 1 1 1 Use IGP to advertise the static route back to the proxy server on PE1 to the Internet PE1 ospf 1 PE1 ospf 1 import route static Configure the proxy server Set the IP address of the proxy server as 100 3 1 1 24 Set its defaul...

Page 240: ...SPF 10 2 D 100 1 1 2 GigabitEthernet2 0 0 100 3 1 0 24 Static 60 0 D 10 1 1 1 GigabitEthernet1 0 0 127 0 0 0 8 Direct 0 0 D 127 0 0 1 InLoopBack0 127 0 0 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 P can ping through the proxy server P ping 100 3 1 1 PING 100 3 1 1 56 data bytes press CTRL_C to break Reply from 100 3 1 1 bytes 56 Sequence 1 ttl 254 time 62 ms Reply from 100 3 1 1 bytes 56 Sequence 2 t...

Page 241: ...1 1 1 1 255 255 255 255 bgp 100 peer 3 3 3 3 as number 100 peer 3 3 3 3 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 3 3 3 3 enable ipv4 family vpnv4 policy vpn target peer 3 3 3 3 enable ipv4 family vpn instance vpn1 peer 10 1 1 1 as number 65410 import route static import route direct ospf 1 import route static area 0 0 0 0 network 1 1 1 1 0 0 0 0 network 100 1 1 0 0...

Page 242: ... lsr id 3 3 3 3 mpls mpls ldp interface GigabitEthernet1 0 0 ip address 100 2 1 2 255 255 255 0 mpls mpls ldp interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 2 1 2 255 255 255 0 interface LoopBack1 ip address 3 3 3 3 255 255 255 255 bgp 100 peer 1 1 1 1 as number 100 peer 1 1 1 1 connect interface LoopBack1 ipv4 family unicast undo synchronization peer 1 1 1 1 enable ipv4...

Page 243: ... the PE Networking Requirements As shown in Figure 3 12 configure the backup egress and the backup nexthop on PE to configure link B as the backup of link A When some defects occur on link A the flow switches onto link B Figure 3 12 Configure IP FRR on the private network PE CE1 CE2 RTA VPN backbone GE1 0 0 10 1 1 1 30 GE2 0 0 10 2 1 1 30 GE1 0 0 10 1 1 2 30 GE1 0 0 10 2 1 2 30 GE2 0 0 10 3 1 1 30...

Page 244: ...ernet1 0 0 10 3 1 0 30 Direct 0 0 D 10 3 1 1 GigabitEthernet2 0 0 10 3 1 1 32 Direct 0 0 D 127 0 0 1 GigabitEthernet2 0 0 10 2 1 0 30 OSPF 10 2 D 10 3 1 2 GigabitEthernet2 0 0 10 4 1 0 30 OSPF 10 2 D 10 3 1 2 GigabitEthernet2 0 0 10 5 1 0 24 OSPF 10 2 D 10 3 1 2 GigabitEthernet2 0 0 127 0 0 0 8 Direct 0 0 D 127 0 0 1 InLoopBack0 127 0 0 1 32 Direct 0 0 D 127 0 0 1 InLoopBack0 Step 3 Configure VPNi...

Page 245: ...abitethernet2 0 0 PE route policy quit Step 6 Configure BFD to sense the link status Configure BFD to sense the link status on the PE PE bfd PE bfd quit PE bfd for_ip_frr bind peer ip 10 1 1 2 vpn instance vpn1 interface gigabitethernet1 0 0 PE bfd session for_ip_frr discriminator local 10 PE bfd session for_ip_frr discriminator remote 20 PE bfd session for_ip_frr commit Configure BFD to sense the...

Page 246: ...1 export extcommunity vpn target 111 1 import extcommunity bfd interface GigabitEthernet1 0 0 ip binding vpn instance vpn1 ip address 10 1 1 1 255 255 255 252 interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 2 1 1 255 255 255 252 ospf cost 100 ospf 1 vpn instance vpn1 area 0 0 0 0 network 10 1 1 0 0 0 0 3 network 10 2 1 0 0 0 0 3 ip ip prefix frr1 index 10 permit 10 5 1 0 ...

Page 247: ... 3 network 10 4 1 0 0 0 0 3 return l Configuration file of RTA sysname RTA interface GigabitEthernet1 0 0 ip address 10 3 1 2 255 255 255 252 interface GigabitEthernet2 0 0 ip address 10 4 1 2 255 255 255 252 ospf cost 100 interface GigabitEthernet3 0 0 ip address 10 5 1 1 255 255 255 0 ospf 1 area 0 0 0 0 network 10 3 1 0 0 0 0 3 network 10 4 1 0 0 0 0 3 area 0 0 0 2 network 10 5 1 0 0 0 0 255 re...

Page 248: ...nnection 2 Configure the basic MPLS function on the MPLS backbone and enable the MPLS LDP to set up an LSP 3 Configure the VPN instances on every PE device PE1 PE2 and PE3 and connect CE with PE2 and PE3 4 Establish the EBGP peers between PE and CE Import the VPN routing and establish the MP IBGP peers among PEs 5 Configure the VPN FRR routing policy on PE1 Configure the backup nexthop Enable the ...

Page 249: ... 0 PE1 Pos2 0 0 mpls PE1 Pos2 0 0 mpls ldp PE1 Pos2 0 0 quit PE1 interface pos3 0 0 PE1 Pos3 0 0 mpls PE1 Pos3 0 0 mpls ldp PE1 Pos3 0 0 quit Configure the PE2 PE2 system view PE2 mpls lsr id 2 2 2 2 PE2 mpls PE2 mpls quit PE2 mpls ldp PE2 mpls ldp quit PE2 interface pos1 0 0 PE2 Pos1 0 0 mpls PE2 Pos1 0 0 mpls ldp PE2 Pos1 0 0 quit Configure the PE3 PE3 system view PE3 mpls lsr id 3 3 3 3 PE3 mpl...

Page 250: ...Ethernet2 0 0 quit Configure the PE3 PE3 ip vpn instance vpn1 PE3 vpn instance vpn1 ipv4 family PE3 vpn instance vpn1 af ipv4 route distinguisher 100 3 PE3 vpn instance vpn1 af ipv4 vpn target 111 1 PE3 vpn instance vpn1 af ipv4 quit PE3 vpn instance vpn1 quit PE3 interface gigabitethernet2 0 0 PE3 GigabitEthernet2 0 0 ip binding vpn instance vpn1 PE3 GigabitEthernet2 0 0 ip address 10 2 1 2 30 PE...

Page 251: ... ipv4 family vpnv4 PE1 bgp af vpnv4 peer 2 2 2 2 enable PE1 bgp af vpnv4 peer 3 3 3 3 enable PE1 bgp af vpnv4 quit Configure the PE2 PE2 bgp 100 PE2 bgp peer 1 1 1 1 as number 100 PE2 bgp peer 1 1 1 1 connect interface loopback 1 PE2 bgp ipv4 family vpnv4 PE2 bgp af vpnv4 peer 1 1 1 1 enable PE2 bgp af vpnv4 quit Configure the PE3 PE3 bgp 100 PE3 bgp peer 1 1 1 1 as number 100 PE3 bgp peer 1 1 1 1...

Page 252: ...can find that a multi hop BFD session is set up and the session status is Up Step 9 Enable the VPN FRR PE1 ip vpn instance vpn1 PE1 vpn instance vpn1 ipv4 family PE1 vpn instance vpn1 af ipv4 vpn frr route policy vpn_frr_rp PE1 vpn instance vpn1 af ipv4 quit PE1 vpn instance vpn1 quit Check the information about the backup next hop the backup label and the backup Tunnel ID PE1 display ip routing t...

Page 253: ...policy1 permit node 10 apply preferred value 100 bgp 100 ipv4 family vpnv4 peer 2 2 2 2 route policy policy1 import l In the BGP VPNv4 address family view of PE2 set a higher Local_Pref for the advertised routes The relevant configuration is as follows route policy policy2 permit node 10 apply local preference 200 bgp 100 ipv4 family vpnv4 peer 1 1 1 1 route policy policy2 export End Configuration...

Page 254: ..._frr_rp permit node 10 if match ip next hop ip prefix vpn_frr_list apply backup nexthop 3 3 3 3 return l Configuration file of the PE2 sysname PE2 bfd ip vpn instance vpn1 ipv4 family route distinguisher 100 2 vpn target 111 1 export extcommunity vpn target 111 1 import extcommunity mpls lsr id 2 2 2 2 mpls mpls ldp interface Pos1 0 0 link protocol ppp ip address 100 1 1 2 255 255 255 252 mpls mpl...

Page 255: ...tcommunity mpls lsr id 3 3 3 3 mpls mpls ldp interface Pos1 0 0 link protocol ppp ip address 100 2 1 2 255 255 255 252 mpls mpls ldp interface GigabitEthernet2 0 0 ip binding vpn instance vpn1 ip address 10 2 1 2 255 255 255 252 interface LoopBack1 ip address 3 3 3 3 255 255 255 255 bgp 100 peer 1 1 1 1 as number 100 peer 1 1 1 1 connect interface LoopBack1 ipv4 family unicast undo synchronization...

Page 256: ...face GigabitEthernet3 0 0 ip address 10 3 1 1 255 255 255 0 bgp 65410 peer 10 1 1 2 as number 100 peer 10 2 1 2 as number 100 ipv4 family unicast undo synchronization network 10 3 1 0 255 255 255 0 import route direct peer 10 1 1 2 enable peer 10 2 1 2 enable return Huawei AR1200 Series Enterprise Routers Configuration Guide VPN 3 BGP MPLS IP VPN Configuration Issue 01 2012 04 20 Huawei Proprietar...

Page 257: ... device determines whether the user is an access user and whether to initiate a connection to an LNS 4 4 Configuring LNS After receiving a tunnel setup request from an LAC an LNS checks the authentication method and determines whether to allow the LAC to set up an L2TP tunnel 4 5 Adjusting L2TP Connection After an L2TP tunnel is set up you can configure or adjust L2TP parameters 4 6 Maintaining L2...

Page 258: ...2TP extends the PPP model because L2TP permits Layer 2 link endpoints and PPP session termination points to stay at different devices and can realize information exchange based on packet switching technology By combining the advantages of the Layer 2 Forwarding L2F and Point to Point Tunneling Protocol PPTP L2TP is defined by the Internet Engineering Task Force IETF as an industry standard of the ...

Page 259: ...ection between the user and LAC can be established in other modes in addition to PPP The users can send IP packets to the LAC and then the LAC forwards the packets to the LNS To make the LAC serve as a PPP client create a virtual PPP user and server on the LAC The virtual PPP user negotiates with the virtual PPP server and the virtual PPP server establishes an L2TP tunnel with the LNS to negotiate...

Page 260: ...e Handshake Authentication Protocol CHAP authentication on the user information provided by the PC 4 RouterA sends an access request which contains the user s name and password to the LAC RADIUS server for identity authentication 5 The LAC RADIUS server authenticates this user and replies with an access accepting message such as the LNS address corresponding to the user After authentication is suc...

Page 261: ...ic L2TP functions before configuring other L2TP functions 4 2 1 Establishing the Configuration Task Before configuring basic L2TP functions familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can help you complete the configuration task quickly and accurately Applicable Environment The L2TP group is an important concept that y...

Page 262: ...an be realized only if L2TP is enabled If L2TP is disabled the device cannot offer related L2TP functions even if parameters of L2TP have been configured By default L2TP is disabled and no L2TP group exists Step 3 Run l2tp group group number An L2TP group is created and the L2TP group view is displayed The group number 1 indicates a default L2TP group To receive the request for establishing a tunn...

Page 263: ... conditions namely a full user name or the specified domain name of a user is needed to initiate the L2TP connection request When initiating a tunnel establishment request the LAC needs to send the source address of the tunnel to the LNS Pre configuration Tasks Before configuring the LAC complete the following tasks l Configuring Basic L2TP Functions Data Preparation To configure the LAC you need ...

Page 264: ...he start l2tp ip ip address 1 4 fullusername user name command to specify the triggering condition as the full user name End 4 3 3 Optional Configuring LAC Auto Dial The router initiates virtual private dial up network VPDN dialup and serves as a PPP client and LAC Context Enterprises expect virtual private networks VPNs to be constructed between the headquarters and branches The VPN construction ...

Page 265: ...gured 2 Run ppp chap password cipher simple password The password in CHAP authentication is configured The user name and password configured on the local device must be the same as those configured on the remote device By default the local device sends a request to the remote device with the empty user name and password in PAP authentication Step 5 Run l2tp auto client enable LAC auto dial is enab...

Page 266: ...d the user is valid The access user can initiate a tunnel connection request only after the authentication on the LAC side succeeds By default the LAC side is configured with no user name and password and the local authentication is adopted Therefore the LAC side must be configured with user name and password for local authentication End 4 3 5 Optional Configuring RADIUS Authentication on LAC Side...

Page 267: ... system view is displayed 2 Run radius server template template name A RADIUS server template is created 3 Run radius server authentication ip address port The IP address and port of the RADIUS authentication server are configured 4 Run radius server accounting ip address port The IP address and port of the RADIUS accounting server are configured 5 Run radius server shared key cipher simple key st...

Page 268: ... the user side End 4 3 6 Checking the Configuration After an LAC is configured you can view information about L2TP tunnels and L2TP sessions Prerequisites The configurations of the LAC function are complete Procedure l Run the display l2tp tunnel command to check information about the L2TP tunnel l Run the display l2tp session command to check information about the L2TP session l Run the display l...

Page 269: ...4 1 Establishing the Configuration Task Before configuring an LNS familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the required data This can help you complete the configuration task quickly and accurately Applicable Environment An LNS offers different virtual templates to receive the tunnel establishing requests from different LACs After receivi...

Page 270: ...uthentication for users l Agent authentication If neither LCP re negotiation nor mandatory CHAP authentication is configured the LNS performs agent authentication for users In this authentication mode the LAC sends all user authentication information to the LNS The LNS then authenticate the user information based on the local configuration Suppose the authentication mode configured on the virtual ...

Page 271: ...e allow l2tp virtual template virtual template number remote remote name command The default L2TP group number is 1 When the group number of L2TP is set to 1 you need not specify the remote name of the tunnel If you specify the name of the remote end in the view of the L2TP group 1 L2TP group 1 will not be regarded as the default L2TP group any more NOTE Only the L2TP group with the group number 1...

Page 272: ...ser authentication l Run the local user user name password password command to configure the user name and password if the local authentication is adopted l For the mandatory local CHAP authentication LCP re negotiation and agent authentication the user name and password for authentication must be set on LNS l If the RADIUS authentication is adopted see 4 3 5 Optional Configuring RADIUS Authentica...

Page 273: ... to check information about the L2TP tunnel l Run the display l2tp session command to check information about the L2TP session l Run the display l2tp group group number command to check the configuration about one special L2TP group l Run the display access user command to view information about the accessed users End Example Run the display l2tp tunnel command If information about the L2TP tunnel...

Page 274: ...rwise the local end disconnects the tunnel automatically If the tunnel authentications are disabled on both ends the L2TP tunnel still cannot be established even if the passwords on two ends are the same l Attribute Value Pair AVP hidden transmission AVP is adopted in the L2TP protocol to transmit and negotiate some parameter attributes of L2TP For the sake of security users transmit these AVPs in...

Page 275: ... By default the tunnel authentication is enabled You can decide whether to enable tunnel authentication before establishing a tunnel connection To ensure the tunnel security you are recommended to enable the tunnel authentication NOTE If tunnel authentication is enabled on one end either the LAC or the LNS the peer must be enabled with tunnel authentication Step 4 Choose one of the following comma...

Page 276: ...terval for sending Hello packets is set By default the interval for sending Hello packets is 60 seconds End 4 6 Maintaining L2TP This section describes how to disconnect a tunnel forcibly and monitor the running status of L2TP 4 6 1 Disconnecting a Tunnel Forcibly When there are no access users a network fault occurs or the administrator needs to disconnect a tunnel you can run the reset l2tp tunn...

Page 277: ...xt In routine maintenance you can run the following commands to view the running status of L2TP Procedure l Run the display l2tp session command to view information about the L2TP session l Run the display l2tp tunnel command to view information about the L2TP tunnel l Run the display access user command to view information about the user sessions l Run the display l2tp group command to view infor...

Page 278: ...ialized VPNs Domain Name Access This section provides an example for configuring a NAS initialized VPN with users accessing the network through domain names and the user name and password being authenticated locally on the LAC and LNS Networking Requirements As shown in Figure 4 4 PC1 connects the Public Switched Telephone Network PSTN through a Modem and then connects the LAC namely Router A acro...

Page 279: ...ocol used on the LNS side tunnel authentication mode CHAP is used password for the tunnel and local and remote names of the LNS l Number IP address and network mask of the virtual template l L2TP group number l Number range and address mask of the remote address pool Procedure Step 1 Configure the user side Create a dial in connection and an access number named Huawei1 In addition receive the addr...

Page 280: ...Configure an IP address for Serial 1 0 0 on the LNS Huawei system view Huawei sysname RouterB RouterB interface serial 1 0 0 RouterB Serial1 0 0 link protocol ppp RouterB Serial1 0 0 ip address 202 38 160 2 255 255 255 0 RouterB Serial1 0 0 quit Create a virtual template and configure related parameters RouterB interface virtual template 1 RouterB Virtual Template1 ip address 192 168 0 1 255 255 2...

Page 281: ...unnel Total tunnel 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 1 1 202 38 160 1 57344 1 LAC Run the display l2tp session command You can check whether the L2TP session is set up Take the display on the LNS side as an example RouterB display l2tp session Total session 1 LocalSID RemoteSID LocalTID 2036 1469 1 In this manner VPN users can access the server in the headquarters End Con...

Page 282: ...ault domain huawei com local user vpdnuser huawei com password simple Hello local user vpdnuser huawei com service type ppp interface Virtual Template1 ppp authentication mode chap ip address 192 168 0 1 255 255 255 0 interface Serial1 0 0 link protocol ppp ip address 202 38 160 2 255 255 255 0 l2tp group 1 mandatory chap allow l2tp virtual template 1 remote LAC tunnel password simple quidway tunn...

Page 283: ...et up the NAS sends the information about the negotiation with the VPN user as the contents of the packets to the LNS 4 The LNS decides whether to accept the connecting request according to the negotiated information 5 The user communicates with the headquarters by using the tunnel between the NAS and the LNS 6 The user accesses the headquarters network by using the default domain the domain name ...

Page 284: ...igure the LNS router Configure an IP address for Serial 1 0 0 Huawei system view Huawei sysname RouterA RouterA interface serial 1 0 0 RouterA Serial1 0 0 link protocol ppp RouterA Serial1 0 0 ip address 202 38 160 2 255 255 255 0 RouterA Serial1 0 0 quit Create a virtual template and configure related parameters RouterA interface virtual template 1 RouterA Virtual Template1 ip address 192 168 0 1...

Page 285: ...2tp session Total session 1 LocalSID RemoteSID LocalTID 1469 2036 1 In this manner the VPN user can access the network of the headquarters End Configuration Files NOTE Only the configuration file of the LNS is listed sysname RouterA l2tp enable ip pool 1 network 192 168 0 0 mask 255 255 255 0 aaa authentication scheme default authorization scheme default accounting scheme default local user vpdnus...

Page 286: ...nection request to the LNS 2 A virtual tunnel is set up between the VPN user and the LNS after the LNS accepts this connection request 3 The VPN user communicates with the company headquarters by using the tunnel between the VPN user and LNS 4 The VPN user accesses the network with the default domain the domain name is default and adopts the local authentication by default The address is allocated...

Page 287: ...plate1 ppp authentication mode chap RouterA Virtual Template1 remote address pool 1 RouterA Virtual Template1 quit Enable L2TP and set an L2TP group RouterA l2tp enable RouterA l2tp group 1 Configure the names of the local end and the tunnel peer on the LNS RouterA l2tp1 tunnel name LNS RouterA l2tp1 allow l2tp virtual template 1 remote vpdnuser Disable the tunnel authentication RouterA l2tp1 undo...

Page 288: ...ddress 192 168 0 1 255 255 255 0 l2tp group 1 undo tunnel authentication allow l2tp virtual template 1 remote vpdnuser tunnel name LNS return 4 7 4 Example for Configuring LAC Auto Initiated VPN This example shows how to configure LAC auto initiated VPN Networking Requirements Departments in the enterprise headquarters need to use independent network segments Staff in branches need to access the n...

Page 289: ...e an IP address pool in the domain on the LNS Data Preparation To complete the configuration you need the following data l Number IP address and mask of the LAC virtual template interface l L2TP group number l Protocol used on the LNS authentication mode CHAP is used in this example tunnel password local and remote device names of the LNS l Number range and mask of the remote address pool Procedur...

Page 290: ...unnel RouterA interface virtual template 1 RouterA virtual template1 l2tp auto client enable Step 2 Configure RouterB the LNS side Assign an IP address to Serial1 0 0 on RouterB Huawei system view Huawei sysname RouterB RouterB interface serial 1 0 0 RouterB Serial1 0 0 link protocol ppp RouterB Serial1 0 0 ip address 12 1 1 1 255 255 255 0 RouterB Serial1 0 0 quit Create and configure a virtual t...

Page 291: ...the session status The following shows the command output on the LNS RouterB display l2tp session Total session 1 LocalSID RemoteSID LocalTID 1 1 1 The VPN user can access the resources in the enterprise headquarters End Configuration Files l Configuration file of RouterA sysname RouterA l2tp enable aaa authentication scheme default authorization scheme default accounting scheme default domain def...

Page 292: ...cal user huawei password OUM Q Q MAF4 1 local user huawei service type ppp interface Virtual Template1 ppp authentication mode pap remote address pool 1 ip address 13 1 1 1 255 255 255 0 interface Serial1 0 1 link protocol ppp ip address 12 1 1 1 255 255 255 0 l2tp group 1 allow l2tp virtual template 1 remote LAC tunnel password simple 123 tunnel name LNS return Huawei AR1200 Series Enterprise Rou...

Page 293: ...nel interface or Efficient VPN policy 5 3 Establishing an IPSec Tunnel Manually You can establish IPSec tunnels manually when the network topology is simple 5 4 Establishing an IPSec Tunnel Through IKE Negotiation IKE provides an automatic protection mechanism to distribute keys authenticate the identity and set up SAs on an insecure network 5 5 Establishing an IPSec Tunnel Using an IPSec Tunnel I...

Page 294: ... several configuration examples of IPSec Huawei AR1200 Series Enterprise Routers Configuration Guide VPN 5 IPSec Configuration Issue 01 2012 04 20 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 283 ...

Page 295: ...gorithm DES 3DES or AES shared key to protect certain flow and the lifetime of the shared key An SA is unidirectional at least two SAs are required to protect data flows in bidirectional communication If two peers need to communicate using both AH and ESP each peer needs to establish two SAs for the two protocols An SA is identified by three parameters Security Parameter Index SPI destination IP a...

Page 296: ...ed manually or using IKE negotiation IPSec tunnel interface or Efficient VPN policy The AR1200 implements IPSec tunnel setup as follows l In manual mode or IKE negotiation mode an IPSec tunnel is established based on ACLs IPSec peers can use various security protection measures authentication encryption or both on different data flows The general process of establishing an IPSec tunnel in manual m...

Page 297: ...n algorithm and IPSec proposal it supports to the server The server establishes an IPSec tunnel with the remote device according to the preconfigured IPSec tunnel parameters and those sent from the remote device NOTE The Efficient VPN function is used with a license To use the Efficient VPN function apply for and purchase the following license from the Huawei local office l AR1200 Value Added Secu...

Page 298: ...ts on your network 5 3 2 Defining Protected Data Flows IPSec can protect different data flows In real world applications configure an ACL to define the protected data flows and apply the ACL to a security policy Procedure Step 1 Run system view The system view is displayed Step 2 Run acl number acl number match order config auto An advanced ACL is created and the ACL view is displayed Step 3 Run r...

Page 299: ...al Run esp authentication algorithm md5 sha1 sha2 256 sha2 384 sha2 512 The authentication algorithm used by ESP is specified By default both ESP and AH use the MD5 authentication algorithm You can configure the authentication and encryption algorithms only after selecting a security protocol using the transform command Step 6 Optional Run esp encryption algorithm 3des des aes 128 aes 192 aes 256 ...

Page 300: ...ne ACL If more than one ACL is applied to the IPSec policy the last configured ACL takes effect Step 4 Run proposal proposal name An IPSec proposal is applied to the IPSec policy If the manual mode is used an IPSec policy can use only one proposal If an IPSec proposal has been applied to the IPSec policy cancel the existing proposal before applying a new one to the IPSec policy In addition the IPS...

Page 301: ...UTION Use the same key format on the two ends For example if the key on one end is a character string but the key on the other end is a hexadecimal number the IPSec tunnel cannot be established If you configure the keys in different formats the last configured key takes effect Step 11 Run sa encryption hex inbound outbound esp hex key The encryption key a hexadecimal number is configured for ESP N...

Page 302: ...urations required for establishing an IPSec tunnel manually are complete Procedure l Run the display ipsec sa command to view information about the SA l Run the display ipsec proposal name proposal name command to view information about the IPSec proposal l Run the display ipsec policy brief name policy name seq number command to view information about the IPSec policy End 5 4 Establishing an IPSe...

Page 303: ...ntication method used in IKE negotiation identifier of the Diffie Hellman group and SA lifetime 3 IKE peer name negotiation mode IKE proposal name IKE peer ID type pre shared key remote address optional VPN instance bound to the IPSec tunnel and remote host name 4 IPSec proposal name security protocol authentication algorithm of AH authentication algorithm and encryption algorithm of ESP and packe...

Page 304: ...ity requirements End 5 4 3 Optional Configuring an IKE Proposal You can create multiple IKE proposals with different priority levels The two ends must have at least one matching IKE proposal for IKE negotiation Procedure Step 1 Run system view The system view is displayed Step 2 Run ike proposal proposal number An IKE proposal is created and the IKE proposal view is displayed The IKE negotiation s...

Page 305: ...s automatically updated You can set the lifetime only for the SAs established through IKE negotiation The lifetime of manually created SAs is not limited That is the manually created SAs are always effective End 5 4 4 Configuring an IKE Peer Procedure Step 1 Run system view The system view is displayed Step 2 Run ike peer peer name v1 v2 An IKE peer is created and the IKE peer view is displayed St...

Page 306: ...mote peer The two ends of an IPSec tunnel must use the same pre shared key When pre shared key authentication is configured an authenticator must be configured Step 10 Run remote address ip address host name The IP address or the domain name of the remote peer is configured NOTE In the IPSec policy template mode you do not need to run the remote address command Step 11 Optional Run sa binding vpn ...

Page 307: ...ertificate based on the PKI domain configuration Step 15 Run quit Return to the system view Step 16 Optional Run ike local name local name The local host name used in the IKE negotiation is configured Perform this step when the local id type is set to name End 5 4 5 Configuring an IPSec Proposal Both ends of the tunnel must be configured with the same security protocol authentication algorithm enc...

Page 308: ... configured By default the security protocol uses the tunnel mode to encapsulate IP packets End 5 4 6 Configuring an IPSec Policy After configuring an IKE peer apply it to an IPSec policy Then the two ends can start IKE negotiation Procedure Step 1 Run system view The system view is displayed Step 2 Run ipsec policy policy name seq number isakmp template template name An IPSec policy is created St...

Page 309: ...conds and the default traffic volume is 1843200 kilobytes Step 7 Run ike peer peer name An IKE peer is applied to the IPSec policy NOTE For details on how to configure an IKE peer see 5 4 4 Configuring an IKE Peer Step 8 Optional Run pfs dh group1 dh group2 dh group5 dh group14 The Perfect Forward Secrecy PFS feature used in the negotiation is configured If PFS is specified on the local end you al...

Page 310: ...roup1 dh group2 dh group5 dh group14 The Perfect Forward Secrecy PFS feature used in the negotiation is configured By default the PFS feature is not used in IKE negotiation End 5 4 8 Optional Setting Optional Parameters This section describes how to set optional parameters for IKE negotiation Procedure Step 1 Run system view The system view is displayed Step 2 Run ipsec sa global duration time bas...

Page 311: ...n ike nat keepalive timer interval interval The interval for sending NAT keepalive packets is set Step 6 Run ipsec anti replay enable disable The anti replay function is set Step 7 Run ipsec df bit clear set copy The DF flag bit is set on the IPSec tunnel Step 8 Run ipsec fragmentation before encryption The fragmentation mode of IPSec packets is set Step 9 Run ike peer The IKE peer view is display...

Page 312: ...t be configured using IKE negotiation or an IPSec tunnel interface Step 3 Run route inject static dynamic preference preference Route injection is enabled By default route injection is disabled End 5 4 10 Applying an IPSec policy to an interface An interface can use only one IPSec policy An IPSec policy for IKE negotiation can be applied to multiple interfaces Procedure Step 1 Run system view The ...

Page 313: ...ation of a specified IKE peer or all IKE peers l Run the display ike proposal command to view the configuration of a specified IKE proposal or all IKE proposals l Run the display ipsec sa brief duration policy policy name seq number peerip peer ip address command to view the configuration of a specified SA or all SAs l Run the display ipsec policy brief name policy name seq number command to view ...

Page 314: ...thm of AH authentication algorithm and encryption algorithm of ESP packet encapsulation mode and PFS feature 2 IKE peer name negotiation mode IKE proposal name IKE peer ID type pre shared key 3 SA lifetime and global SA lifetime 4 Number IP address and source and destination IP addresses of the IPSec tunnel interface 5 Number of the IPSec tunnel interface to which an IPSec profile is applied 5 5 2...

Page 315: ...h group1 dh group2 dh group5 dh group14 The Diffie Hellman group referenced by an IPSec profile during negotiation is configured By default an IPSec profile does not reference any Diffie Hellman group during negotiation Step 6 Optional Run sa duration traffic based kilobytes time based seconds The SA lifetime is set Step 7 Run quit Return to the system view Step 8 Optional Run ipsec sa global dura...

Page 316: ... number The source address is configured for the tunnel interface NOTE It is recommended that you specify the interface type and number for source If you specify an IP address that is dynamically assigned to an interface the IPSec configuration may fail to be restored because of invalid source address Step 6 Optional Run destination dest ip address The destination address is configured for the tun...

Page 317: ...on workload 5 6 1 Establishing the Configuration Task Before configuring the Efficient VPN policy familiarize yourself with the applicable environment complete the pre configuration tasks and obtain the data required for configuration This will help you complete the configuration task quickly and accurately Applicable Environment You must perform a great number of IPSec configurations on two peers...

Page 318: ...d peer name 5 6 2 Configuring Client Mode The client mode of the Efficient VPN policy protects data flows whose addresses are NAT translated Context Only mandatory parameters such as the IP address and pre shared key need to be configured on a remote device Other parameters such as authentication and encryption algorithms used in IKE negotiation and the IPSec proposal are preconfigured on the serv...

Page 319: ...2 Perform the following steps on the server router 1 Run system view The system view is displayed 2 Run ip pool ip pool name A global address pool is created 3 Run network ip address mask mask mask length An allocable network segment address is specified for the global address pool 4 Run quit The system view is displayed 5 Run aaa The AAA view is displayed 6 Run service scheme service scheme name ...

Page 320: ...ils see 5 4 3 Optional Configuring an IKE Proposal NOTE The DH group used in IKE negotiation must be set to dh group2 for an efficient vpn policy 15 Run quit The system view is displayed 16 Run ike peer peer name v1 v2 An IKE peer is configured For details see 5 4 4 Configuring an IKE Peer NOTE l When the IKE v1 version is used the aggressive mode must be enabled using exchange mode l Run the serv...

Page 321: ... is created using the configured IPSec policy template For details see 5 4 6 Configuring an IPSec Policy 23 Run quit The system view is displayed 24 Run interface interface type interface number The interface view is displayed 25 Run ipsec policy policy name An IPSec policy is applied to the interface End 5 6 3 Configuring Network Mode The network mode of the Efficient VPN policy protects data flo...

Page 322: ... remote IKE peer Step 8 Optional Run remote name name The name of the remote IKE peer is specified Step 9 Optional Run authentication method pre share rsa signature An authentication method is specified for the IKE proposal By default an IKE proposal uses pre shared key authentication Step 10 Optional Run pre shared key key The key is specified for pre shared key authentication By default no key i...

Page 323: ...ional Run service scheme service scheme name A service scheme is created and the service scheme view is displayed Step 19 Optional Run dns ip address The IP address of the primary DNS server is configured Step 20 Optional Run dns ip address secondary The IP address of the secondary DNS server is configured Step 21 Optional Run wins ip address The IP address of the primary WINS server is configured...

Page 324: ...sa brief duration policy policy name seq number profile profile name efficient vpn efficient vpn name peerip peer ip address command to check information about SAs l Run the display ipsec proposal name proposal name command to check information about IPSec proposals l Run the display ipsec efficient vpn brief capality name efficient vpn name command to check information about the Efficient VPN pol...

Page 325: ... SAs and information about the IPSec tunnels established through IKE negotiation Context CAUTION The statistics cannot be restored after being cleared Procedure l Run the reset ipsec statistics ah esp command in the user view to clear the statistics about IPSec packets l Run the reset ike statistics all msg command in the user view to clear the statistics about IKE packets l Run the reset ipsec sa...

Page 326: ...tocol DES encryption algorithm and SHA 1 authentication algorithm Figure 5 3 Network diagram for configuring IPSec PC A PC B RouterB RouterA 10 1 1 2 24 10 1 2 2 24 Eth 1 0 0 Eth 1 0 0 Internet 202 138 163 1 24 202 138 162 1 24 IPSec Tunnel Configuration Roadmap The configuration roadmap is as follows 1 Configure IP addresses for interfaces 2 Configure Access Control Lists ACLs and define the data...

Page 327: ...terB Configure a static route to the peer on RouterA In this example the next hop to PCB is 202 138 163 2 Huawei ip route static 10 1 2 0 255 255 255 0 202 138 163 2 Configure a static route to the peer on RouterB In this example the next hop to PCA is 202 138 162 2 Huawei ip route static 10 1 1 0 255 255 255 0 202 138 162 2 Step 4 Create an IPSec proposal on RouterA and RouterB Create the IPSec p...

Page 328: ...d esp 54321 Huawei ipsec policyl manual use1 10 sa spi inbound esp 12345 Huawei ipsec policyl manual use1 10 sa string key outbound esp gfedcba Huawei ipsec policyl manual use1 10 sa string key inbound esp abcdefg Huawei ipsec policyl manual use1 10 quit Run the display ipsec policy command on RouterA and RouterB to view the configurations of the IPSec policies Take the display on RouterA as an ex...

Page 329: ...I 12345 0x3039 Proposal ESP ENCRYPT DES 64 ESP AUTH SHA1 No duration limit for this SA Inbound ESP SAs SPI 54321 0xd431 Proposal ESP ENCRYPT DES 64 ESP AUTH SHA1 No duration limit for this SA Step 7 Verify the configurations After the configurations are complete PC A can ping PC B successfully You can run the display ipsec statistics esp command to view packet statistics End Configuration Files l ...

Page 330: ... 10 manual security acl 3101 proposal tran1 tunnel local 202 138 162 1 tunnel remote 202 138 163 1 sa spi inbound esp 12345 sa string key inbound esp abcdefg sa spi outbound esp 54321 sa string key outbound esp gfedcba ip route static 10 1 1 0 255 255 255 0 202 138 162 2 interface Ethernet1 0 0 ip address 202 138 162 1 255 255 255 0 ipsec policy use1 return 5 8 2 Example for Configuring IKE Negoti...

Page 331: ...138 162 1 24 IPSec Tunnel Configuration Roadmap The configuration roadmap is as follows 1 Configure IP addresses for interfaces 2 Specify the local host ID and IKE peer for IKE negotiation 3 Configure Access Control Lists ACLs and define the data flows to be protected 4 Configure static routes to peers 5 Configure an IPSec proposal 6 Configure IPSec policies and apply the ACLs and IPSec proposal t...

Page 332: ...tion of the IKE peer Take the display on RouterA as an example Huawei display ike peer name spub verbose Peer name spub Exchange mode main on phase 1 Pre shared key huawei Local ID type IP DPD Disable DPD mode Periodic DPD idle time 30 DPD retransmit interval 15 DPD retry limit 3 Host name Peer Ip address 202 138 162 1 VPN name Local IP address Remote name Nat traversal Disable Configured IKE vers...

Page 333: ...l Authentication MD5 HMAC 96 Encryption DES Step 6 Create IPSec policies on RouterA and RouterB Create an IPSec policy on RouterA Huawei ipsec policy map1 10 isakmp Huawei ipsec policy isakmp map1 10 ike peer spub Huawei ipsec policy isakmp map1 10 proposal tran1 Huawei ipsec policy isakmp map1 10 security acl 3101 Huawei ipsec policy isakmp map1 10 quit Create an IPSec policy on RouterB Huawei ip...

Page 334: ... inbound ESP SAs spi 1406123142 0x53cfbc86 proposal ESP ENCRYPT DES ESP AUTH MD5 sa remaining key duration bytes sec 1887436528 3575 max received sequence number 4 udp encapsulation used for nat traversal N outbound ESP SAs spi 3835455224 0xe49c66f8 proposal ESP ENCRYPT DES ESP AUTH MD5 sa remaining key duration bytes sec 1887436464 3575 max sent sequence number 5 udp encapsulation used for nat tr...

Page 335: ...cy map1 return l Configuration file of RouterB acl number 3101 rule 5 permit ip source 10 1 2 0 0 0 0 255 destination 10 1 1 0 0 0 0 255 ipsec proposal tran1 esp authentication algorithm sha1 ike peer spua v1 pre shared key huawei remote address 202 138 163 1 ipsec policy use1 10 isakmp security acl 3101 ike peer spua proposal tran1 ip route static 10 1 1 0 255 255 255 0 202 138 162 2 interface Et...

Page 336: ... 10 1 2 2 24 Eth 1 0 0 Eth 1 0 0 Internet 202 138 163 1 24 202 138 162 1 24 IPSec Tunnel Configuration Roadmap The configuration roadmap is as follows 1 Configure IP addresses for interfaces 2 Configure an IKE proposal 3 Specify the local host ID and IKE peer for IKE negotiation 4 Configure Access Control Lists ACLs and define the data flows to be protected 5 Configure static routes to peers 6 Con...

Page 337: ... ike peer spub local id type name Huawei ike peer spub pre shared key huawei Huawei ike peer spub remote name huawei02 Huawei ike peer spub remote address 202 138 162 1 Huawei ike peer spub local address 202 138 163 1 Huawei ike peer spub quit NOTE In aggressive mode if the value of local id type is name configure the IP address of the remote peer remote address x x x x on the local end Configure ...

Page 338: ... 163 2 Configure a static route to the peer on RouterB In this example the next hop to PCA is 202 138 162 2 Huawei ip route static 10 1 1 0 255 255 255 0 202 138 162 2 Step 6 Create an IPSec proposal on RouterA and RouterB Create the IPSec proposal on RouterA Huawei ipsec proposal tran1 Huawei ipsec proposal tran1 encapsulation mode tunnel Huawei ipsec proposal tran1 transform esp Huawei ipsec pro...

Page 339: ...as an example Huawei display ipsec policy IPsec policy group map1 Using interface Sequence number 10 Security data flow 3101 Peer name spub Perfect forward secrecy None Proposal name tran1 IPsec SA local duration time based 3600 seconds IPsec SA local duration traffic based 1843200 kilobytes SA trigger mode Automatic Route inject None Step 8 Apply the IPSec policies to the interfaces of RouterA an...

Page 340: ... is encrypted Run the display ike sa command on RouterA and the following information is displayed Huawei display ike sa Conn ID Peer VPN Flag s Phase 14 202 138 162 1 0 RD ST 1 16 202 138 162 1 0 RD ST 2 Flag Description RD READY ST STAYALIVE RL REPLACED FD FADING TO TIMEOUT HRT HEARTBEAT LKG LAST KNOWN GOOD SEQ NO BCK BACKED UP End Configuration Files l Configuration file of RouterA acl number 3...

Page 341: ... 1 1 0 0 0 0 255 ipsec proposal tran1 esp authentication algorithm sha1 ike proposal 1 encryption algorithm aes cbc 128 authentication algorithm md5 ike local name huawei02 ike peer spua v1 exchange mode aggressive pre shared key huawei ike proposal 1 local id type name remote name huawei01 local address 202 138 162 1 remote address 202 138 163 1 ipsec policy use1 10 isakmp security acl 3101 ike p...

Page 342: ...gorithm Figure 5 6 Networking diagram for establishing an IPSec tunnel using the IPSec tunnel interface RouterB RouterA 10 1 1 2 24 10 1 2 2 24 Eth1 0 0 Eth1 0 0 Internet 202 138 163 1 24 202 138 162 1 24 Network A Network B Tunnel0 0 0 192 168 1 1 24 Tunnel0 0 0 192 168 1 2 24 IPSec Tunnel Configuration Roadmap The configuration roadmap is as follows 1 Assign IP addresses to interfaces 2 Configur...

Page 343: ...posal on RouterA Huawei ike proposal 1 Huawei ike proposal 1 dh group5 Huawei ike proposal 1 authentication algorithm aes_xcbc_mac_96 Huawei ike proposal 1 prf aes_xcbc_128 Huawei ike proposal 1 quit Create an IKE proposal on RouterB Huawei ike proposal 1 Huawei ike proposal 1 dh group5 Huawei ike proposal 1 authentication algorithm aes_xcbc_mac_96 Huawei ike proposal 1 prf aes_xcbc_128 Huawei ike...

Page 344: ...1 Huawei ipsec proposal tran1 esp authentication algorithm sha1 Huawei ipsec proposal tran1 esp encryption algorithm 3des Huawei ipsec proposal tran1 quit Run the display ipsec proposal command on RouterA and RouterB to view the configuration of the IPSec proposal Take the display on RouterA as an example Huawei display ipsec proposal Number of Proposals 1 IPSec proposal name tran1 Encapsulation m...

Page 345: ...rB to view the configurations of the IPSec profiles Take the display on RouterA as an example Huawei display ipsec profile IPSec profile profile1 Using interface Tunnel0 0 0 IPSec Profile Name profile1 Peer Name spub PFS Group 0 0 Disable 1 Group1 2 Group2 5 Group5 14 Group14 SecondsFlag 0 0 Global 1 Local SA Life Time Seconds 3600 KilobytesFlag 0 0 Global 1 Local SA Life Kilobytes 1843200 Number ...

Page 346: ...address 192 168 1 2 255 255 255 0 tunnel protocol gre source 202 138 162 1 destination 202 138 163 1 ipsec profile profile2 interface Ethernet1 0 0 ip address 202 138 162 1 255 255 255 0 return 5 8 5 Example for Establishing an SA Using Efficient VPN in Client Mode This topic describes an example for establishing an SA using Efficient VPN in client mode in the actual networking Networking Requirem...

Page 347: ...ute 3 Configure the resource attributes to be allocated 4 Configure the IKE proposal and IKE peer 5 Configure the IPSec proposal template policy and policy group 6 Apply the policy group to the interface Procedure Step 1 Configure RouterA 1 Assign an IP address to the interface on RouterA Huawei system view Huawei interface ethernet 1 0 0 Huawei Ethernet1 0 0 ip address 60 1 1 1 255 255 255 0 Huaw...

Page 348: ...y Huawei aaa service schemetest ip pool pooltest Huawei aaa service schemetest wins 3 3 3 2 Huawei aaa service schemetest wins 3 3 3 3 secondary Huawei aaa service schemetest quit Huawei aaa quit 4 Configure the IKE proposal and IKE peer Huawei ike proposal 5 Huawei ike proposal 5 dh group2 Huawei ike proposal 5 quit Huawei ike peer rut3 v2 Huawei ike peer rut3 pre shared key huawei Huawei ike pee...

Page 349: ...6800 1390 Max sent sequence number 0 UDP encapsulation used for NAT traversal N Inbound ESP SAs SPI 4182141148 0xf94668dc proposal ESP ENCRYPT DES 64 ESP AUTH MD5 SA remaining key duration bytes sec 1887436800 1390 Max received sequence number 0 UDP encapsulation used for NAT traversal N 3 Run the display ipsec efficient vpn command on RouterA to view information about the Efficient VPN policy Hua...

Page 350: ...ion file of RouterB ipsec proposal tran1 ike proposal 5 dh group2 ike peer rut3 v2 pre shared key huawei ike proposal 5 service scheme schemetest ipsec policy template use1 10 ike peer rut3 proposal tran1 sa duration time based 600000 ipsec policy policy1 10 isakmp template use1 ip pool pooltest network 100 1 1 0 mask 255 255 255 128 aaa service scheme schemetest Huawei AR1200 Series Enterprise Ro...

Page 351: ...A and RouterB to protect data flows that are transmitted between the subnet of PC A 10 1 1 0 24 and subnet of PC B 10 1 2 0 24 and match the ACL In network mode the remote device does not apply for or an IP address and NAT and PAT are disabled on the remote device Figure 5 8 Networking for Establishing an SA Using Efficient VPN in Network Mode Server RouterA Eth1 0 0 100 1 2 1 24 Eth1 0 0 1 99 1 1...

Page 352: ...i Ethernet1 0 0 1 ip address 99 1 2 1 255 255 255 0 Huawei Ethernet1 0 0 1 dot1q termination vid 1 Huawei Ethernet1 0 0 1 arp broadcast enable Huawei Ethernet1 0 0 1 quit Step 2 Configure static routes to the peers on RouterA and RouterB Configure a static route to the remote peer on RouterA This example assumes that the next hop address in the route to RouterB is 100 1 1 2 Huawei ip route static ...

Page 353: ...ethernet 1 0 0 1 Huawei Ethernet1 0 0 1 ipsec efficient vpn easyvpn_1 Step 6 Verify the configuration After the preceding configuration RouterA can still ping RouterB and the data transmitted between them is encrypted l Run the display ipsec sa command on RouterA and RouterB to view the IKE configuration The display on RouterA is used as an example Huawei display ike sa Conn ID Peer VPN Flag s Pha...

Page 354: ...255 255 0 100 1 1 2 interface Ethernet1 0 0 1 dot1q termination vid 1 ip address 99 1 1 1 255 255 255 0 ipsec efficient vpn easyvpn_1 arp broadcast enable return l Configuration file of RouterB acl number 3000 rule 5 permit ip source 10 1 2 0 0 0 0 255 destination 10 1 1 0 0 0 0 255 ipsec efficient vpn easyvpn_1 mode network remote address 99 1 1 1 v1 pre shared key htipl1 09876543211 security acl...

Page 355: ...GRE MGRE tunnel interfaces 6 3 Configuring DSVPN When Dynamic Smart VPN DSVPN is configured IPSec does not need to be configured If IPSec is configured to protect GRE traffic the remote IP address in an NHRP mapping entry needs to be advertised to the local device to establish an IPSec tunnel 6 4 Maintaining DSVPN This section describes how to display the DSVPN configuration and clear DSVPN statis...

Page 356: ... logical interface of the central office device so that routes can be advertised between branches If the Routing Information Protocol RIP is enabled the split horizon function must be disabled to ensure that routes are directly advertised between branches l Branches have only summarized routes to the central office If branches need to learn routes from each other they must have high performance an...

Page 357: ...en two branches to implement IPSec the central office needs to decrypt data on the tunnel of the sending branch and encrypt the data on the tunnel of the receiving branch Traffic between the two branches needs to pass through the central office wasting resources of the central office and causing a delay in traffic forwarding To solve this problem the DSVPN technology is used to enable the two bran...

Page 358: ...ulation mode before setting the source IP address or other parameters for a tunnel interface Changing the encapsulation mode of a tunnel interface deletes other parameters of the tunnel interface Step 4 Run ip address ip address mask mask length The IP address of the tunnel interface is configured Step 5 Run source source ip address interface type interface number The source address or source inte...

Page 359: ...n function must be disabled on the tunnel interface End 6 3 4 Configuring NHRP on a Branch This section describes how to configure NHRP mapping entries on a branch device Context NHRP allows a source device on a Non Broadcast Multiple Access NBMA network to obtain the public address of the next hop to the destination device Perform the following operations on the router of a branch Procedure Step ...

Page 360: ...required when branches have only summarized routes to the central office End 6 3 5 Configuring NHRP on the Central Office This section describes how to configure NHRP mapping entries on the central office device Context NHRP allows a source device on a Non Broadcast Multiple Access NBMA network to obtain the public address of the next hop to the destination device Perform the following operations ...

Page 361: ... unique The AR1200 is configured to override conflicting NHRP mapping entries during NHRP registration By default the AR1200 does not override conflicting NHRP mapping entries during NHRP registration Step 8 Run nhrp redirect The NHRP redirect function is enabled By default the NHRP redirect function is disabled NOTE This step is required when branches have only summarized routes to the central of...

Page 362: ...PSec Proposal Step 5 Run pfs dh group1 dh group2 dh group5 dh group14 The router is configured to use Perfect Forward Secrecy PFS in IPSec negotiation By default PFS is not used in IPSec negotiation Step 6 Run quit Return to the system view Step 7 Run interface tunnel interface number The tunnel interface view is displayed Step 8 Run tunnel protocol gre p2mp ipsec ipv4 ipv6 none The tunnel encapsu...

Page 363: ...e DSVPN Configuration You can run the display commands to check NHRP mapping entries and NHRP packet statistics Prerequisites All DSVPN configurations are complete Procedure l Run the display nhrp peer command to check NHRP mapping entries l Run the display nhrp statistics interface interface type interface number command to check NHRP packet statistics End 6 4 2 Clearing DSVPN Statistics This sec...

Page 364: ... other on the IP network using routing protocols Figure 6 1 Configuring DSVPN when branches learn routes from each other Spoke1 branch Spoke2 branch Hub central office Eth1 0 0 44 1 1 1 24 Eth1 0 0 44 3 1 2 24 Eth1 0 0 44 4 1 2 24 Tunnel 0 0 0 172 16 1 102 24 Tunnel 0 0 0 172 16 1 101 24 Tunnel 0 0 0 172 16 1 1 24 Internet NHRP NHRP NHRP Configuration Roadmap The configuration roadmap is as follow...

Page 365: ...ea 0 0 0 0 quit Huawei ospf 2 quit Configure OSPF on the Ethernet interface of the Spoke2 Huawei ospf 2 Huawei ospf 2 area 0 Huawei ospf 2 area 0 0 0 0 network 44 4 1 0 0 0 0 255 Huawei ospf 2 area 0 0 0 0 quit Huawei ospf 2 quit Step 3 Configure OSPF on the tunnel interfaces Configure hub Huawei ospf 3 Huawei ospf 2 area 0 Huawei ospf 2 area 0 0 0 0 network 172 16 1 0 0 0 0 255 Huawei ospf 2 area...

Page 366: ...l0 0 0 tunnel protocol gre p2mp Huawei Tunnel0 0 0 source ethernet 1 0 0 Huawei Tunnel0 0 0 nhrp entry 172 16 1 1 44 1 1 1 register Huawei Tunnel0 0 0 ospf network type broadcast Huawei Tunnel0 0 0 ospf dr priority 8 Step 5 Verify the configuration After the preceding configurations are complete check the NHRP mapping entries on Spoke1 and Spoke2 Run the display nhrp peer all command on Spoke1 and...

Page 367: ...4 1 1 1 172 16 1 1 static hub Tunnel interface Tunnel0 0 0 Created time 2011 08 18 15 10 26 Expire time Protocol addr Mask NBMA addr NextHop addr Type Flag 172 16 1 102 32 44 4 1 2 172 16 1 102 dynamic route tunnel Tunnel interface Tunnel0 0 0 Created time 2011 08 18 16 09 31 Expire time 2011 08 18 18 09 31 Run the display nhrp peer all command on Spoke2 and the command output is as follows Huawei...

Page 368: ... 1 2 255 255 255 0 interface Tunnel0 0 0 ip address 172 16 1 102 255 255 255 0 tunnel protocol gre p2mp source Ethernet1 0 0 nhrp entry 172 16 1 1 44 1 1 1 register ospf network type broadcast ospf dr priority 8 ospf 2 area 0 0 0 0 network 44 4 1 0 0 0 0 255 ospf 3 area 0 0 0 0 network 172 16 1 0 0 0 0 255 return l Configuration file of the hub interface Ethernet1 0 0 ip address 44 1 1 1 255 255 2...

Page 369: ...he central office Spoke1 branch Spoke2 branch Hub central office Eth1 0 0 44 1 1 1 24 Eth1 0 0 44 3 1 2 24 Eth1 0 0 44 4 1 2 24 Tunnel 0 0 0 172 16 1 102 24 Tunnel 0 0 0 172 16 1 101 24 Tunnel 0 0 0 172 16 1 1 24 Internet NHRP NHRP NHRP Configuration Roadmap The configuration roadmap is as follows 1 Run a routing protocol on the Routers to implement interconnection 2 Create tunnel interfaces on th...

Page 370: ...rnet interface of the Spoke2 Huawei rip Huawei rip 1 network 44 0 0 0 Huawei rip 1 version 2 Huawei rip 1 quit Step 3 Configure RIP on the tunnel interfaces Configure hub Huawei rip 2 Huawei rip 1 network 172 16 1 0 Huawei rip 1 version 2 Huawei rip 1 quit Configure Spoke1 Huawei rip 2 Huawei rip 1 network 172 16 1 0 Huawei rip 1 version 2 Huawei rip 1 quit Configure Spoke2 Huawei rip 2 Huawei rip...

Page 371: ...configurations are complete check the NHRP mapping entries on Spoke1 and Spoke2 Run the display nhrp peer all command on Spoke1 and the command output is as follows Huawei display nhrp peer all Protocol addr Mask NBMA addr NextHop addr Type Flag 172 16 1 1 32 44 1 1 1 172 16 1 1 static hub Tunnel interface Tunnel0 0 0 Created time 2011 08 18 15 10 26 Expire time Run the display nhrp peer all comma...

Page 372: ... 1 102 32 44 4 1 2 172 16 1 102 dynamic route tunnel Tunnel interface Tunnel0 0 0 Created time 2011 08 18 16 09 31 Expire time 2011 08 18 18 09 31 Run the display nhrp peer all command on Spoke2 and the command output is as follows Huawei display nhrp peer all Protocol addr Mask NBMA addr NextHop addr Type Flag 172 16 1 1 32 44 1 1 1 172 16 1 1 static hub Tunnel interface Tunnel0 0 0 Created time ...

Page 373: ...55 255 255 0 tunnel protocol gre p2mp source Ethernet1 0 0 nhrp entry 172 16 1 1 44 1 1 1 register nhrp shortcut rip 1 version 2 network 44 0 0 0 rip 2 version 2 network 172 16 1 0 return l Configuration file of the hub interface Ethernet1 0 0 ip address 44 1 1 1 255 255 255 0 interface Tunnel0 0 0 ip address 172 16 1 1 255 255 255 0 tunnel protocol gre p2mp source Ethernet1 0 0 nhrp redirect nhrp...

Page 374: ... virtual gateway basic VPN functions SSL VPN user management and SSL VPN services 7 3 Configuring Basic SSL VPN Functions The configurations of basic SSL VPN functions include extranet intranet interfaces and AAA domain 7 4 Managing SSL VPN Users The user management functions include configuring user information maximum number of online users and maximum online duration of users and forcibly disco...

Page 375: ...L protocol to help ensure that remote access to enterprise intranets is safe and secure SSL VPN is a remote access technology As shown in Figure 7 1 SSL VPN meets the following remote access requirements l Dynamic remote access Users can use any terminals to access an enterprise s intranet through the Internet anytime and anywhere l Differentiated user access privileges The SSL VPN gateway assigns...

Page 376: ...urces To use an AR1200 as an SSL VPN gateway you must configure and enable the basic SSL VPN functions If the basic SSL VPN functions are disabled no user can access internal servers through the SSL VPN gateway SSL VPN User Management User management functions include l Configuring user information To log in to virtual gateways each authorized user needs a user name and a password All the user nam...

Page 377: ...pply for and purchase the following license from the Huawei local office l AR1200 Value Added Security Package NOTE The maximum number of online SSL VPN users is limited by the license The SSL VPN function has multiple capacity licenses which allow different numbers of access users Select one or more capacity licenses according to service requirements The device supports a maximum of two online SS...

Page 378: ...way manages users and services based on virtual gateways Context An AR1200 functioning as an SSL VPN gateway can be divided into multiple virtual gateways Service configuration and user management are based on virtual gateways Before configuring SSL VPN services on the AR1200 create a virtual gateway Procedure Step 1 Run system view The system view is displayed Step 2 Run sslvpn gateway gateway na...

Page 379: ...sses Procedure Step 1 Run system view The system view is displayed Step 2 Run sslvpn gateway gateway name The virtual gateway view is displayed Step 3 Run extranet interface interface type interface number The extranet interface is configured By default no extranet interface exists on a virtual gateway Step 4 Run intranet interface interface type interface number The intranet interface is configur...

Page 380: ...ation Guide Security End 7 3 5 Enabling Basic SSL VPN Functions After you configure the basic SSL VPN functions enable them to make the functions effective Prerequisites The following basic SSL VPN configurations have been completed l Extranet and intranet interfaces See 7 3 3 Configuring Intranet and Extranet Interfaces l AAA domain See 7 3 4 Binding an AAA Domain to the Virtual Gateway Procedure...

Page 381: ...online users An administrator can limit the number of online users When the number of online users on the virtual gateway exceeds the limit no more user can log in NOTE The number of online SSL VPN users supported by the AR1200 is limited by the license The number of online SSL VPN users that each license support depends on the license level The AR1200 supports a maximum of two online SSL VPN user...

Page 382: ...wed by the virtual gateway is configured NOTE The number of online SSL VPN users supported by the AR1200 is limited by the license The number of online SSL VPN users that each license support depends on the license level The AR1200 supports a maximum of two online SSL VPN users without a license To enable the AR1200 to support more online SSL VPN users buy licenses from Huawei local office Step 5 ...

Page 383: ... using the SSL VPN gateway Internet SSL VPN gateway Email Web server FTP server Internal host Intranet Remote host LAN SSL tunnel As shown in Figure 7 3 an SSL VPN gateway is located at an intranet s edge and works with the browsers installed on remote terminals or clients downloaded using browsers to protect user data on the Internet Additionally the SSL VPN gateway functions as the proxy to allo...

Page 384: ... user management are based on virtual gateways Before configuring SSL VPN services on the AR1200 create a virtual gateway Procedure Step 1 Run system view The system view is displayed Step 2 Run sslvpn gateway gateway name A virtual gateway is created and its view is displayed By default no virtual gateway exists on an AR1200 End 7 5 3 Configuring the Web Proxy Service The Web proxy service is bas...

Page 385: ...ateway does not provide the Web proxy service Step 4 Optional Run description description The description for the Web proxy service is configured Step 5 Run link url web tunnel A URL is configured for an internal Web server By default an internal Web server does not have a URL NOTE If the Web proxy function on the SSL VPN gateway is invalid enable the tunnel mode however the tunnel mode lowers sec...

Page 386: ...n sslvpn gateway gateway name The virtual gateway view is displayed Step 3 Run service type port forwarding resource resource name The port forwarding service is created and its view is displayed By default the virtual gateway does not provide the port forwarding service Step 4 Optional Run description description The description for the port forwarding service is configured Step 5 Run server ip a...

Page 387: ...address is allocated from the IP address pool to the terminal To limit user access you can use the bind acl command to apply an ACL to the IP forwarding service Alternatively you can set the routing mode to Split In the Split mode a terminal can only communicate with the servers in the specified network segment Procedure Step 1 Run system view The system view is displayed Step 2 Run sslvpn gateway...

Page 388: ...ice the running program cannot stop and routes cannot be restored In this situation stop and restart the network adapter End 7 5 6 Checking the Configuration After the configurations of SSL VPN services are complete you can verify the service configurations Procedure l Run the display sslvpn gateway gateway name command to check the virtual gateway configurations l Run the display sslvpn gateway g...

Page 389: ...arketing personnel Web server Mail server Intranet Router Desktop sharing host Eth2 0 0 Vlanif 10 Configuration Roadmap The configuration roadmap is as follows l Create a virtual gateway on the Router for marketing personnel and configure resources to meet the access requirements of marketing personnel Data Preparation To complete the configuration you need the following data l Data on the intrane...

Page 390: ...Huawei system view Huawei sysname Router Router ip pool market_pool Router ip pool company_pool network 10 139 30 0 mask 24 Router ip pool company_pool quit Step 2 Create a virtual gateway named market Router sslvpn gateway market Step 3 Configure the intranet extranet interfaces and bind an AAA domain to the virtual gateway Router sslvpn market extranet interface ethernet 2 0 0 Router sslvpn mark...

Page 391: ... Router sslvpn market if res market_ip forwarding route split ip address 10 138 10 64 mask 27 Router sslvpn market if res market_ip forwarding quit Router sslvpn market quit Step 6 Verify the configuration Open the Internet Explorer on the terminal such as a computer and enter https 1 1 1 1 sslvpn to access the login page Enter the user name and password and select the virtual gateway market After...

Page 392: ...server ip address 10 138 10 21 port 3389 service type ip forwarding resource market_ip forwarding bind ip pool market_pool route mode split route split ip address 10 138 10 64 mask 27 return Huawei AR1200 Series Enterprise Routers Configuration Guide VPN 7 SSL VPN Configuration Issue 01 2012 04 20 Huawei Proprietary and Confidential Copyright Huawei Technologies Co Ltd 381 ...

Reviews:

No comments