Configuration Guide - VPN(V200R001C01_01)

Date post: 02-Jun-2018
Upload: adrian-carmona
  • 8/10/2019 Configuration Guide - VPN(V200R001C01_01)

    1/90

    Huawei AR2200-S Series Enterprise Routers

    V200R001C01

    Configuration Guide - VPN

    Issue 01

    Date 2012-01-06

    HUAWEI TECHNOLOGIES CO., LTD.


    Copyright Huawei Technologies Co., Ltd. 2012. All rights reserved.

    No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

    Trademarks and Permissions

    and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

    Notice

    The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

    The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

    Huawei Technologies Co., Ltd.

    Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China

    Website: http://www.huawei.com

    Email: [email protected]

    Issue 01 (2012-01-06) Huawei Proprietary and Confidential. Copyright Huawei Technologies Co., Ltd.


    About This Document

    Intended Audience

    This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the VPN supported by the AR2200-S device.

    This document describes how to configure the VPN.

    This document is intended for:

    - Data configuration engineers
    - Commissioning engineers
    - Network monitoring engineers
    - System maintenance engineers

    Symbol Conventions

    The symbols that may be found in this document are defined as follows.

    Symbol    Description
    DANGER    Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.
    WARNING   Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.
    CAUTION   Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.
    TIP       Indicates a tip that may help you solve a problem or save time.
    NOTE      Provides additional information to emphasize or supplement important points of the main text.

    Huawei AR2200-S Series Enterprise Routers Configuration Guide - VPN: About This Document


    Command Conventions

    The command conventions that may be found in this document are defined as follows.

    Convention          Description
    Boldface            The keywords of a command line are in boldface.
    Italic              Command arguments are in italics.
    [ ]                 Items (keywords or arguments) in brackets [ ] are optional.
    { x | y | ... }     Optional items are grouped in braces and separated by vertical bars. One item is selected.
    [ x | y | ... ]     Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
    { x | y | ... } *   Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
    [ x | y | ... ] *   Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
    &                   The parameter before the & sign can be repeated 1 to n times.
    #                   A line starting with the # sign is a comment.

    Interface Numbering Conventions

    Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on the devices.

    Change History

    Changes between document issues are cumulative. Therefore, the latest document version contains all updates made to previous versions.

    Changes in Issue 01 (2012-01-06)

    Initial commercial release.


    Contents

    About This Document ... ii

    1 GRE Configuration ... 1
    1.1 Introduction to GRE ... 2
    1.2 GRE Features Supported by the AR2200-S ... 2
    1.3 Configuring GRE ... 3
    1.3.1 Establishing the Configuration Task ... 3
    1.3.2 Configuring a Tunnel Interface ... 4
    1.3.3 Configuring Routes for the Tunnel ... 5
    1.3.4 (Optional) Configuring GRE Security Options ... 6
    1.3.5 Checking the Configuration ... 7
    1.4 Configuring the Keepalive Function ... 8
    1.4.1 Establishing the Configuration Task ... 8
    1.4.2 Enabling the Keepalive Function ... 9
    1.4.3 Checking the Configuration ... 10
    1.5 Maintaining GRE ... 11
    1.5.1 Resetting the Statistics of a Tunnel Interface ... 11
    1.5.2 Monitoring the Running Status of GRE ... 12
    1.5.3 Debugging GRE ... 12
    1.6 Configuration Examples ... 12
    1.6.1 Example for Configuring a Static Route for GRE ... 12
    1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE ... 17
    1.6.3 Example for Configuring a GRE Tunnel to Transmit VPN Multicast Data Encrypted with IPSec ... 20
    1.6.4 Example for Configuring the Keepalive Function for GRE ... 26

    2 MCE Configuration ... 29
    2.1 Introduction to MCE ... 30
    2.1.1 MCE Overview ... 30
    2.1.2 MCE Functions Supported by the AR2200-S ... 31
    2.2 Configuring a VPN Instance ... 31
    2.2.1 Establishing the Configuration Task ... 32
    2.2.2 Creating a VPN Instance ... 32
    2.2.3 Binding an Interface with a VPN Instance ... 33
    2.2.4 Checking the Configuration ... 34


    3.6.2 Example for Configuring IKE Negotiation Using Default Settings ... 72
    3.6.3 Example for Configuring IKE Negotiation ... 77


    1 GRE Configuration

    About This Chapter

    Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer protocols so that the encapsulated packets can be transmitted over the IPv4 network.

    1.1 Introduction to GRE
    The transmission of packets in a GRE tunnel involves two processes: encapsulation and decapsulation. After receiving a packet of a certain network layer protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the packet into a packet of another protocol, such as IP.

    1.2 GRE Features Supported by the AR2200-S
    GRE features supported by the AR2200-S include the following: enlargement of the operation scope of a network running a hop-limited protocol, and working in conjunction with the IP Security Protocol (IPSec) to compensate for the IPSec limitation in multicast data protection.

    1.3 Configuring GRE
    You can configure GRE only after a GRE tunnel is configured.

    1.4 Configuring the Keepalive Function
    Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss can be avoided.

    1.5 Maintaining GRE
    This section describes how to reset the statistics of a tunnel interface and monitor the GRE running status.

    1.6 Configuration Examples
    Familiarize yourself with the configuration procedures against the networking diagrams. This section provides the networking requirements, configuration notes, and configuration roadmap of each configuration example.


    Figure 1-2 Networking diagram of GRE-IPSec tunnel application (a GRE tunnel carried inside an IPSec tunnel across the Internet, between the corporate intranet and the remote office network)

    As shown in Figure 1-2, if the multicast data is to be transmitted in the IPSec tunnel, establish the GRE tunnel and encapsulate the multicast data with GRE. Then encrypt the encapsulated multicast data with IPSec. When these tasks are performed, the encrypted multicast data can be transmitted in the IPSec tunnel.

    1.3 Configuring GRE

    You can configure GRE only after a GRE tunnel is configured.

    1.3.1 Establishing the Configuration Task

    Before configuring a GRE tunnel, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.

    Applicable Environment

    To set up a GRE tunnel, create a tunnel interface first, and configure the GRE functions on the tunnel interface. If the tunnel interface is deleted, all the configurations on the interface are deleted.

    Pre-configuration Tasks

    Before configuring an ordinary GRE tunnel, complete the following task:

    - Configuring reachable routes between the source and destination interfaces

    Data Preparation

    To configure an ordinary GRE tunnel, you need the following data.

    No.  Data
    1    Number of the tunnel interface
    2    Source address and destination address of the tunnel
    3    IP address of the tunnel interface
    4    Key of the tunnel interface

    1.3.2 Configuring a Tunnel Interface

    After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source address or source interface, and set the tunnel destination address. In addition, set the tunnel interface network address so that the tunnel can support dynamic routing protocols.

    Context

    Perform the following steps on the routers at the two ends of a tunnel.

    Procedure

    Step 1 Run: system-view

    The system view is displayed.

    Step 2 Run: interface tunnel interface-number

    A tunnel interface is created and the tunnel interface view is displayed.

    Step 3 Run: tunnel-protocol { gre | none }

    The tunnel is encapsulated with GRE.

    Step 4 Run: source { source-ip-address | interface-type interface-number }

    The source address or source interface of the tunnel is configured.

    NOTE

    - The virtual IP address of a VRRP backup group can be configured as the source address of the GRE tunnel.
    - The bridge-if interface cannot be configured as the source interface of the GRE tunnel.

    The source interface of a tunnel cannot be the tunnel's own interface, but it can be the interface of another tunnel.

    Step 5 Run: destination ip-address

    The destination address of the tunnel is configured.

    Step 6 (Optional) Run: mtu mtu

    The Maximum Transmission Unit (MTU) of the tunnel interface is modified.


    The new MTU takes effect only after you run the shutdown command and then the undo shutdown command on the interface.

    Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.

    - Run the ip address ip-address { mask | mask-length } [ sub ] command to configure the IP address of the tunnel interface.
    - Run the ip address unnumbered interface interface-type interface-number command to configure IP unnumbered for the tunnel interface.

    To support dynamic routing protocols on a tunnel, configure a network address for the tunnel interface. The network address of the tunnel interface does not need to be a public address, but it should be in the same network segment on both ends of the tunnel.

    By default, the network address of a tunnel interface is not set.

    ----End

    1.3.3 Configuring Routes for the Tunnel

    Routes for a tunnel must be available on both the source and destination devices so that packets encapsulated with GRE can be forwarded correctly. A route passing through tunnel interfaces can be a static route or a dynamic route.

    Context

    Perform the following steps on the devices at the two ends of a tunnel.

    NOTE

    The packets encapsulated with GRE are forwarded correctly only if the routes for the tunnel are available on both the source and destination routers.

    Procedure

    Step 1 Run: system-view

    The system view is displayed.

    Step 2 Choose one of the following methods to configure routes passing through the tunnel interface.

    - Run the ip route-static ip-address { mask | mask-length } tunnel interface-number [ description text ] command to configure a static route.

      The static route must be configured on both ends of the tunnel. In this command, the destination address is neither the destination address of the tunnel nor the address of the opposite tunnel interface, but the destination address of the packet that is not yet encapsulated with GRE. The outbound interface must be the local tunnel interface.

    - Configure dynamic routes using an IGP or BGP. Details of the procedure are not provided here. For the configuration of dynamic routes, see the AR2200-S Configuration Guide - IP Routing.

      When configuring a dynamic routing protocol, enable the dynamic routing protocol on both the tunnel interface and the interface connected to the private network. To ensure correct routing, do not choose the tunnel interface as the next hop when configuring the route to the physical or logical interface of the destination tunnel.

      Use Router A in Figure 1-3 as an example. The source interface of Tunnel 0/0/1 is GE 1/0/0 on Router A, and its destination interface is GE 2/0/0 on Router C. If a dynamic routing protocol is used, the protocol must be configured on the tunnel interface and on the GE interface connected to the PC. Moreover, in the routing table of Router A, the outbound interface of the route to the network segment where GE 2/0/0 on Router C resides must not be Tunnel 0/0/1.

      In practical configurations, configure a multi-process routing protocol or change the metric value of the tunnel interface. This prevents the tunnel interface from being selected as the outbound interface of routes to the destination physical interface of the tunnel.

      In practical configurations, tunnel interfaces and physical interfaces connected to the public network should use different routing protocols or different processes of the same routing protocol. With one of these measures in place, the tunnel interface is not selected as the outbound interface for packets destined for the destination of the tunnel. In addition, a physical interface is prevented from forwarding user packets that should be forwarded through the tunnel.

    Figure 1-3 Diagram of configuring the GRE dynamic routing protocol (PC1 behind Router A and PC2 behind Router C; Tunnel 0/0/1 on Router A and Tunnel 0/0/2 on Router C run across the backbone, Tunnel 0/0/1 being sourced from GE 1/0/0 on Router A with GE 2/0/0 on Router C as its destination)

    ----End
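The recursion pitfall described in this section (the route to the tunnel destination must not leave through the tunnel itself, while the private network behind the peer must) can be checked mechanically against display ip routing-table output. The following Python script is an added example, not part of the Huawei guide; the routing tables are constructed in the guide's output layout for a Router A whose Tunnel0/0/1 has destination 30.1.1.2 and carries the 10.2.1.0/24 segment, the addressing of the static-route example later in this chapter.

```python
import ipaddress
import re

# Constructed sample in the column layout of the guide's "display ip routing-table"
# output: Tunnel0/0/1 has destination 30.1.1.2, reached over GigabitEthernet1/0/0,
# and PC2's segment 10.2.1.0/24 is routed into the tunnel.
HEADER = "Destination/Mask    Proto   Pre  Cost  Flags NextHop    Interface"
ROWS_OK = [
    "10.1.1.0/24         Direct  0    0     D     10.1.1.2   GigabitEthernet2/0/0",
    "10.2.1.0/24         Static  60   0     D     40.1.1.1   Tunnel0/0/1",
    "30.1.1.0/24         OSPF    10   2     D     20.1.1.2   GigabitEthernet1/0/0",
    "40.1.1.0/24         Direct  0    0     D     40.1.1.1   Tunnel0/0/1",
]
ROUTING_TABLE_OK = "\n".join([HEADER] + ROWS_OK)

# Misconfigured variant (constructed): a routing protocol running on the tunnel
# interface has installed the route to the tunnel destination's own segment
# through the tunnel, so encapsulated packets would recurse into the tunnel.
ROUTING_TABLE_RECURSIVE = "\n".join(
    [HEADER] + ROWS_OK[:2]
    + ["30.1.1.0/24         OSPF    10   2     D     40.1.1.2   Tunnel0/0/1"]
    + ROWS_OK[3:])

# One route line: prefix, protocol, preference, cost, flags, next hop, interface.
# Next hop and interface may run together, as they do in scraped copies of the
# guide ("10.1.1.2GigabitEthernet2/0/0"), so the separator is optional.
ROUTE_RE = re.compile(
    r"^\s*(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+\d+\s+\d+\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s*(?P<iface>\S+)\s*$")


def parse_routes(text):
    """Return a list of (network, proto, nexthop, iface) tuples, skipping headers."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net = ipaddress.ip_network(m["prefix"], strict=False)
            routes.append((net, m["proto"], m["nexthop"], m["iface"]))
    return routes


def lookup(routes, addr):
    """Longest-prefix match, which is how the forwarding table resolves addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in routes:
        if ip in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def audit_tunnel_routes(text, tunnel_iface, tunnel_destination, private_prefixes):
    """Return a list of findings; an empty list means the routing table is sound."""
    routes = parse_routes(text)
    findings = []
    # Check 1: the tunnel destination must resolve over a path that is not the tunnel.
    hit = lookup(routes, tunnel_destination)
    if hit is None:
        findings.append(f"no route to tunnel destination {tunnel_destination}")
    elif hit[3] == tunnel_iface:
        findings.append(f"recursive: {tunnel_destination} resolves via {hit[0]} on {tunnel_iface}")
    # Check 2: the private segments behind the peer must be forwarded through the tunnel,
    # not out of a physical interface.
    for prefix in private_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        hit = lookup(routes, str(net.network_address))
        if hit is None or hit[3] != tunnel_iface:
            via = "no route" if hit is None else f"{hit[0]} on {hit[3]}"
            findings.append(f"{prefix} is not forwarded through {tunnel_iface} ({via})")
    return findings


if __name__ == "__main__":
    for name, table in (("ok", ROUTING_TABLE_OK), ("recursive", ROUTING_TABLE_RECURSIVE)):
        print(name, audit_tunnel_routes(table, "Tunnel0/0/1", "30.1.1.2", ["10.2.1.0/24"]) or "clean")
```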

    1.3.4 (Optional) Configuring GRE Security Options

    To enhance the security of a GRE tunnel, configure end-to-end checksum authentication or key authentication. This security mechanism can prevent the tunnel interface from incorrectly identifying and receiving packets from other devices.

    Context

    Perform the following steps on the routers at the two ends of a tunnel.

    Procedure

    Step 1 Run: system-view

    The system view is displayed.

    Step 2 Run: interface tunnel interface-number


    The tunnel interface view is displayed.

    Step 3 Run: gre checksum

    End-to-end checksum authentication is configured for the tunnel. By default, end-to-end checksum authentication is disabled.

    Step 4 Run: gre key key-number

    The key is set for the tunnel interface.

    If keys are set for the tunnel interfaces on the two ends of the tunnel, ensure that they have the same key number. Alternatively, you may choose not to set keys for the tunnel interfaces on both ends of the tunnel.

    By default, no key is configured for the tunnel.

    NOTE

    Step 3 and Step 4 can be performed in either order.

    ----End
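What gre checksum and gre key put on the wire are the C and K bits of the GRE header (RFC 2784 and RFC 2890), followed by a 16-bit checksum and a 32-bit key field. The following Python is an added example, not code from the guide or the router, that builds such headers and emulates the receive-side checks a tunnel interface applies: a packet whose key is missing or differs from the locally configured key, or whose checksum does not verify, is dropped. The inner packet is a constructed byte string, and accepting any key when no local key is configured is an assumption of this example.

```python
import struct

GRE_PROTO_IPV4 = 0x0800                              # protocol type field value for IPv4
FLAG_C, FLAG_K, FLAG_S = 0x8000, 0x2000, 0x1000      # checksum, key, sequence present

# Constructed inner packet; in the guide's scenario this would be the private
# IPv4 packet that the tunnel interface encapsulates.
INNER = b"constructed inner packet"


class GreError(Exception):
    """Raised for a GRE packet the receiving tunnel interface would discard."""


def ones_complement_checksum(data):
    """RFC 1071 checksum over data, zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_gre(payload, key=None, checksum=False, proto=GRE_PROTO_IPV4):
    """Encapsulate payload: 'gre key' sets the K bit, 'gre checksum' sets the C bit."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0)
    header = struct.pack("!HH", flags, proto)
    if checksum:
        header += struct.pack("!HH", 0, 0)           # checksum placeholder + Reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + payload
    if checksum:
        # The checksum covers the GRE header and payload with the field itself zeroed.
        csum = ones_complement_checksum(packet)
        packet = packet[:4] + struct.pack("!H", csum) + packet[6:]
    return packet


def parse_gre(packet):
    """Return (proto, key, payload); raise GreError for malformed or corrupted input."""
    if len(packet) < 4:
        raise GreError("truncated header")
    flags, proto = struct.unpack("!HH", packet[:4])
    if flags & 0x0007:
        raise GreError("unsupported GRE version")
    offset = 4
    if flags & FLAG_C:
        offset += 4
        if len(packet) < offset:
            raise GreError("truncated checksum field")
        # With the checksum field in place the words sum to 0xFFFF, whose complement is 0.
        if ones_complement_checksum(packet) != 0:
            raise GreError("checksum mismatch")
    key = None
    if flags & FLAG_K:
        if len(packet) < offset + 4:
            raise GreError("truncated key field")
        key = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & FLAG_S:
        offset += 4                                  # sequence number, not checked here
    if len(packet) < offset:
        raise GreError("truncated header")
    return proto, key, packet[offset:]


def receive(packet, local_key=None):
    """Emulate the receiving tunnel interface: ('accept', payload) or ('drop', reason).

    local_key mirrors 'gre key key-number' on this end. Accepting any key when no
    local key is configured is an assumption of this example, not guide behaviour."""
    try:
        proto, key, payload = parse_gre(packet)
    except GreError as err:
        return ("drop", str(err))
    if local_key is not None and key != local_key:
        return ("drop", "key mismatch")
    return ("accept", payload)


def corrupt(packet, index):
    """Flip the lowest bit of one byte, simulating in-transit corruption."""
    data = bytearray(packet)
    data[index] ^= 0x01
    return bytes(data)
```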

    1.3.5 Checking the Configuration

    After a GRE tunnel is set up, you can view the running status and routing information of the tunnel interface.

    Context

    The configurations of the GRE function are complete.

    Procedure

    - Run the display interface tunnel [ interface-number ] command to check tunnel interface information.
    - Run the display ip routing-table command to check the IPv4 routing table.
    - Run the ping -a source-ip-address host command to check whether the two ends of the tunnel can successfully ping each other.

    ----End

    Example

    Run the display interface tunnel command. If the tunnel interface is Up, the configuration succeeds. For example:

    display interface Tunnel 0/0/1
    Tunnel0/0/1 current state : UP
    Line protocol current state : UP
    Description:HUAWEI, AR Series, Tunnel0/0/1 Interface
    Route Port,The Maximum Transmit Unit is 1500
    Internet Address is 5.5.5.2/24
    Encapsulation is TUNNEL, loopback not set
    Tunnel source 150.1.1.1 (Ethernet4/0/0), destination 150.1.1.2
    Tunnel protocol/transport GRE/IP, key disabled
    keepalive disabled
    Checksumming of packets disabled
    Current system time: 2008-03-04 19:17:30
    300 seconds input rate 0 bits/sec, 0 packets/sec
    300 seconds output rate 0 bits/sec, 0 packets/sec
    0 seconds input rate 0 bits/sec, 0 packets/sec
    0 seconds output rate 0 bits/sec, 0 packets/sec
    0 packets input, 0 bytes
    0 input error
    0 packets output, 0 bytes
    0 output error
    Input:
      Unicast: 0 packets, Multicast: 0 packets
    Output:
      Unicast: 0 packets, Multicast: 0 packets
    Input bandwidth utilization : --
    Output bandwidth utilization : --

    Run the display ip routing-table command. If the route passing through the tunnel interface exists in the routing table, the configuration succeeds. For example:

    [Huawei] display ip routing-table
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: Public
             Destinations : 8        Routes : 8
    Destination/Mask    Proto   Pre  Cost  Flags NextHop         Interface
        10.1.1.0/24     Direct  0    0     D     10.1.1.2        GigabitEthernet2/0/0
        10.1.1.2/32     Direct  0    0     D     127.0.0.1       InLoopBack0
        10.2.1.0/24     Static  60   0     D     40.1.1.1        Tunnel0/0/2
        20.1.1.1/32     Direct  0    0     D     127.0.0.1       InLoopBack0
        40.1.1.0/24     Direct  0    0     D     40.1.1.1        Tunnel0/0/2
        40.1.1.1/32     Direct  0    0     D     127.0.0.1       InLoopBack0
       127.0.0.0/8      Direct  0    0     D     127.0.0.1       InLoopBack0
       127.0.0.1/32     Direct  0    0     D     127.0.0.1       InLoopBack0

    Run the ping -a source-ip-address host command to check that the ping from the local tunnel interface to the remote tunnel interface succeeds.

    ping -a 40.1.1.1 40.1.1.2
      PING 40.1.1.2: 56 data bytes, press CTRL_C to break
        Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=24 ms
        Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=33 ms
        Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=48 ms
        Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=33 ms
        Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=36 ms

      --- 40.1.1.2 ping statistics ---
        5 packet(s) transmitted
        5 packet(s) received
        0.00% packet loss
        round-trip min/avg/max = 24/34/48 ms

    1.4 Configuring the Keepalive Function

    Before configuring a tunnel policy and a GRE tunnel for the VPN, enable the GRE tunnel Keepalive function. With this function enabled, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss can be avoided.

    1.4.1 Establishing the Configuration Task

    Before configuring the GRE tunnel Keepalive function, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the required data. This can help you complete the configuration task quickly and accurately.


    Application Environment

    The Keepalive function can be configured on one end of a GRE tunnel to test the GRE tunnel status. If the remote end is found unreachable, the tunnel is disconnected in time to avoid a data black hole.

    Figure 1-4 GRE tunnel supporting Keepalive (a GRE tunnel across the Internet from Router A, the source, to Router B, the destination)

    Pre-configuration Tasks

    Before configuring the Keepalive function, complete the following tasks:

    - Configuring the link layer attributes of the interfaces
    - Assigning IP addresses to the interfaces
    - Establishing the GRE tunnel and keeping the tunnel Up

    Data Preparation

    To configure the Keepalive function, you need the following data.

    No.  Data
    1    Interval for sending Keepalive messages
    2    Retry times of the unreachable timer

    1.4.2 Enabling the Keepalive Function

    The GRE tunnel Keepalive function is unidirectional. To implement the Keepalive function on both ends, enable the Keepalive function on both ends of a GRE tunnel.

    Context

    Perform the following steps on the router that requires the Keepalive function.

    Procedure

    Step 1 Run: system-view

    The system view is displayed.


    Check the Keepalive packets and Keepalive Response packets sent and received by the GRE tunnel interface.

    ----End

    Example

    On the tunnel interface that is enabled with the Keepalive function, run the display keepalive packets count command to ascertain the number of sent Keepalive packets and received Keepalive Response packets on both the local end and the remote end. If the Keepalive function is successfully configured on the local tunnel interface, the number of sent Keepalive packets or received Keepalive Response packets on the local end is not 0.

    [Huawei] interface tunnel 0/0/1
    [Huawei-Tunnel0/0/1] tunnel-protocol gre
    [Huawei-Tunnel0/0/1] keepalive
    [Huawei-Tunnel0/0/1] display keepalive packets count
    Send 34 keepalive packets to peers, Receive 34 keepalive response packets from peers
    Receive 0 keepalive packets from peers, Send 0 keepalive response packets to peers
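The counters above show the unidirectional nature of the function: the local end sends Keepalive packets and receives responses, while the remote end, which has no Keepalive configured, only answers. The following Python simulation is an added example, not code from the guide or the router; the period and retry-times semantics (the tunnel is declared down after retry-times consecutive unanswered Keepalives and comes back up on the next response) and the peer's answering behaviour are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass
class TunnelEnd:
    """One end of a GRE tunnel with the counters of 'display keepalive packets count'."""
    name: str
    keepalive_enabled: bool
    period: int = 5           # seconds between Keepalive packets (assumed semantics)
    retry_times: int = 3      # unanswered Keepalives before the tunnel is declared unreachable
    reachable: bool = True    # whether the underlay still delivers packets to this end
    sent_keepalive: int = 0
    recv_response: int = 0
    recv_keepalive: int = 0
    sent_response: int = 0
    missed: int = 0
    up: bool = True

    def probe(self, peer):
        """Send one Keepalive to peer and account for the response, if any."""
        if not self.keepalive_enabled:
            return                      # unidirectional: this end never probes
        self.sent_keepalive += 1
        # Assumption: a reachable peer answers even without Keepalive configured.
        if peer.reachable:
            peer.recv_keepalive += 1
            peer.sent_response += 1
            if self.reachable:
                self.recv_response += 1
                self.missed = 0
                self.up = True
                return
        self.missed += 1
        if self.missed >= self.retry_times:
            self.up = False             # tear the tunnel down instead of black-holing traffic

    def counters(self):
        """The two lines printed by 'display keepalive packets count' on this end."""
        return (
            f"Send {self.sent_keepalive} keepalive packets to peers, "
            f"Receive {self.recv_response} keepalive response packets from peers",
            f"Receive {self.recv_keepalive} keepalive packets from peers, "
            f"Send {self.sent_response} keepalive response packets to peers",
        )


def simulate(rounds, peer_fails_at=None, peer_recovers_at=None):
    """Router A probes Router B once per period; B drops off the underlay at peer_fails_at.

    Returns (a, b, timeline) where timeline lists (seconds, a.up) for every round."""
    a = TunnelEnd("RouterA", keepalive_enabled=True)
    b = TunnelEnd("RouterB", keepalive_enabled=False)
    timeline = []
    for n in range(rounds):
        if peer_fails_at is not None and n == peer_fails_at:
            b.reachable = False
        if peer_recovers_at is not None and n == peer_recovers_at:
            b.reachable = True
        a.probe(b)
        b.probe(a)                      # no-op: Keepalive is not enabled on B
        timeline.append((n * a.period, a.up))
    return a, b, timeline


def first_down(timeline):
    """Seconds at which the tunnel was first declared down, or None if it stayed up."""
    for seconds, up in timeline:
        if not up:
            return seconds
    return None


if __name__ == "__main__":
    a, b, timeline = simulate(rounds=10, peer_fails_at=4)
    print("\n".join(a.counters()))
    print("tunnel down after", first_down(timeline), "seconds")
```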

    1.5 Maintaining GRE

    This section describes how to reset the statistics of a tunnel interface and monitor the GRE running status.

    1.5.1 Resetting the Statistics of a Tunnel Interface

    When you need to reset the statistics of a tunnel interface, you can run the reset commands to clear the Keepalive packets and Keepalive Response packets sent and received by a GRE tunnel interface.

    Procedure

    - Run the reset counters interface tunnel [ interface-number ] command in the system view to reset statistics about the tunnel interface.
    - Reset statistics about Keepalive packets on the tunnel interface:

      1. Run: system-view

         The system view is displayed.

      2. Run: interface tunnel interface-number

         The tunnel interface view is displayed.

      3. Run: reset keepalive packets count

         The statistics on Keepalive packets on the tunnel interface are reset.

    NOTE

    You can run the reset keepalive packets count command only in the tunnel interface view, and the tunnel protocol of the interface must be GRE.

    ----End


    Networking Requirements

    In Figure 1-5, Router A, Router B, and Router C belong to the VPN backbone network and OSPF runs between them.

    GRE is enabled between Router A and Router C to achieve interworking between PC1 and PC2.

    PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.

    Figure 1-5 Networking diagram of configuring a static route for GRE

    Router A: GE2/0/0 10.1.1.2/24 (to PC1, 10.1.1.1/24), GE1/0/0 20.1.1.1/24 (to Router B), Tunnel0/0/1 40.1.1.1/24
    Router B: GE1/0/0 20.1.1.2/24 (to Router A), GE2/0/0 30.1.1.1/24 (to Router C)
    Router C: GE1/0/0 30.1.1.2/24 (to Router B), GE2/0/0 10.2.1.2/24 (to PC2, 10.2.1.1/24), Tunnel0/0/1 40.1.1.2/24
    The GRE tunnel runs between Tunnel0/0/1 on Router A and Tunnel0/0/1 on Router C across Router B.

    Configuration Roadmap

    The configuration roadmap is as follows:

    1. Configure a dynamic routing protocol on routers.

    2. Create a tunnel interface on Router A and Router C.

    3. Specify the source address of the tunnel interface as the IP address of the interface thatsends the packet.

    4. Specify the destination address of the tunnel interface as the IP address of the interface thatreceives the packet.

    5. Assign network addresses to the tunnel interfaces to enable the tunnel to support thedynamic routing protocol.

    6. Configure a static route between Router A and its connected PC, and a static route between Router C and its connected PC, so that the traffic between PC1 and PC2 is transmitted through the GRE tunnel.

    7. Configure the egress of the static route as the local tunnel interface.

    Data Preparation

    To complete the configuration, you need the following data:


• Data for running OSPF
• Source address and destination address of the GRE tunnel, and IP addresses of the tunnel interfaces

Procedure

Step 1 Assign an IP address to each interface.

Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not mentioned here.

    Step 2 Configure IGP for the VPN backbone network.

# Configure Router A.

[RouterA] ospf 1
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit

# Configure Router B.

[RouterB] ospf 1
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit

# Configure Router C.

[RouterC] ospf 1
[RouterC-ospf-1] area 0
[RouterC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[RouterC-ospf-1-area-0.0.0.0] quit
[RouterC-ospf-1] quit

After the configuration, run the display ip routing-table command on Router A and Router C. You can find that they both learn the OSPF route to the network segment of the remote interface.

Take Router A as an example.

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.2        GigabitEthernet2/0/0
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       20.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       30.1.1.0/24  OSPF    10   2           D   20.1.1.2        GigabitEthernet1/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

    Step 3 Configure the tunnel interface.

# Configure Router A.

[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 24
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2


Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
ospf 1
 area 0.0.0.0
  network 30.1.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
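The two configuration files above must mirror each other: the source of one tunnel end is the destination of the other, each source is an address that really exists on the local router, both ends run tunnel-protocol gre, and the static routes to the remote LAN leave through the tunnel. The following Python script is an added example (it is not Huawei code and not part of this guide) that parses configuration text in the form shown above and reports any of these mismatches. It also reports a tunnel end with no keepalive line, the command introduced in 1.6.4; the two sample configurations embedded in it are constructed, with Router A carrying a keepalive line and Router C deliberately not.

```python
"""Cross-check two GRE endpoint configurations (added example, not Huawei code).

The parser understands only the handful of VRP-style lines used in the
configuration files of this guide: interface blocks, 'ip address',
'tunnel-protocol', 'source', 'destination', 'keepalive' and 'ip route-static'.
"""

# Constructed sample configurations, modelled on the Router A / Router C files.
ROUTER_A = """\
#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
 keepalive period 20 retry-times 3
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return
"""

ROUTER_C = """\
#
 sysname RouterC
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
"""


def parse_config(text):
    """Return {'sysname': str, 'interfaces': {name: {...}}, 'static_routes': [...]}."""
    cfg = {"sysname": None, "interfaces": {}, "static_routes": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#" or line == "return":
            current = None  # '#' separates configuration blocks
            continue
        words = line.split()
        if words[0] == "sysname":
            cfg["sysname"] = words[1]
        elif words[0] == "interface":
            current = cfg["interfaces"].setdefault(words[1], {})
        elif words[0] == "ip" and words[1] == "route-static":
            # ip route-static <destination> <mask> <egress interface or next hop>
            cfg["static_routes"].append({"dest": words[2], "mask": words[3], "egress": words[4]})
        elif current is not None:
            if words[0] == "ip" and words[1] == "address":
                current["ip"] = words[2]
            elif words[0] == "tunnel-protocol":
                current["protocol"] = words[1]
            elif words[0] in ("source", "destination"):
                current[words[0]] = words[1]
            elif words[0] == "keepalive":
                current["keepalive"] = line
    return cfg


def local_addresses(cfg):
    """All IPv4 addresses configured on the router's interfaces."""
    return {i["ip"] for i in cfg["interfaces"].values() if "ip" in i}


def check_gre_pair(cfg_a, cfg_b, tunnel="Tunnel0/0/1"):
    """Return a list of findings; an empty list means the two ends are consistent."""
    findings = []
    ta = cfg_a["interfaces"].get(tunnel, {})
    tb = cfg_b["interfaces"].get(tunnel, {})
    for name, t in ((cfg_a["sysname"], ta), (cfg_b["sysname"], tb)):
        if t.get("protocol") != "gre":
            findings.append(f"{name}: {tunnel} is not 'tunnel-protocol gre'")
    # The source of each end must be the destination of the other end.
    if ta.get("source") != tb.get("destination") or tb.get("source") != ta.get("destination"):
        findings.append("tunnel source/destination addresses are not mirrored")
    for name, cfg, t in ((cfg_a["sysname"], cfg_a, ta), (cfg_b["sysname"], cfg_b, tb)):
        # The tunnel source must be an address the local router actually owns.
        if t.get("source") not in local_addresses(cfg):
            findings.append(f"{name}: tunnel source {t.get('source')} is not a local address")
        if not any(r["egress"] == tunnel for r in cfg["static_routes"]):
            findings.append(f"{name}: no static route uses {tunnel} as egress")
        if "keepalive" not in t:
            findings.append(f"{name}: no keepalive on {tunnel} (peer failure will not be detected)")
    return findings


if __name__ == "__main__":
    for finding in check_gre_pair(parse_config(ROUTER_A), parse_config(ROUTER_C)):
        print("finding:", finding)
```

Run against the two constructed files the script reports only that Router C has no keepalive; change either destination line and the mirroring check fires as well.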


1.6.2 Example for Configuring a Dynamic Routing Protocol for GRE

This section provides an example for configuring a dynamic route for GRE. In this networking, traffic between users is transmitted through a GRE tunnel; a dynamic route is configured between the device and its connected user.

    Networking Requirements

In Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and OSPF runs between them.

GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.

PC1 takes Router A as its default gateway, and PC2 takes Router C as its default gateway.

OSPF is enabled on the tunnel interface. OSPF process 1 is used for the VPN backbone network and OSPF process 2 is used for user access.

Figure 1-6 Networking diagram of configuring a dynamic routing protocol for GRE

[Figure: PC1 -- RouterA -- RouterB -- RouterC -- PC2, with a GRE tunnel between RouterA and RouterC. OSPF 1 runs on the backbone links between the routers; OSPF 2 runs on the tunnel and on the PC-facing segments. Addresses shown in the figure:
  PC1 10.1.1.1/24 (default gateway RouterA GE2/0/0 10.1.1.2/24)
  RouterA GE1/0/0 20.1.1.1/24, Tunnel0/0/1 40.1.1.1/24
  RouterB GE1/0/0 20.1.1.2/24, GE2/0/0 30.1.1.1/24
  RouterC GE1/0/0 30.1.1.2/24, Tunnel0/0/1 40.1.1.2/24
  PC2 10.2.1.1/24 (default gateway RouterC GE2/0/0 10.2.1.2/24)]

    Configuration Roadmap

    The configuration roadmap is as follows:

1. Configure IGP on each router in the backbone network to realize the interworking between these devices. Here OSPF process 1 is used.

2. Create the GRE tunnel between the routers that are connected to the PCs. Then the routers can communicate through the GRE tunnel.


3. Configure the dynamic routing protocol on the network segments through which the PCs access the backbone network. Here OSPF process 2 is used.

    Data Preparation

    To complete the configuration, you need the following data:

• Source address and destination address of the GRE tunnel
• IP addresses of the interfaces on both ends of the GRE tunnel

    Procedure

    Step 1 Assign an IP address to each interface.

Assign an IP address to each interface as shown in Figure 1-6. The specific configuration is not mentioned here.

Step 2 Configure IGP for the VPN backbone network.

The specific configuration procedures are the same as those in 1.6.1 Example for Configuring a Static Route for GRE and are not mentioned here.

Step 3 Configure the tunnel interfaces.

The specific configuration procedures are the same as those in 1.6.1 Example for Configuring a Static Route for GRE and are not mentioned here.

    Step 4 Configure OSPF on the tunnel interfaces.

# Configure Router A.

[RouterA] ospf 2
[RouterA-ospf-2] area 0
[RouterA-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterA-ospf-2-area-0.0.0.0] quit
[RouterA-ospf-2] quit

# Configure Router C.

[RouterC] ospf 2
[RouterC-ospf-2] area 0
[RouterC-ospf-2-area-0.0.0.0] network 40.1.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[RouterC-ospf-2-area-0.0.0.0] quit
[RouterC-ospf-2] quit

    Step 5 Verify the configuration.

After the configuration, run the display ip routing-table command on Router A and Router C. You can find the OSPF route to the network segment of the remote user end through the tunnel interface. Moreover, the route to the physical destination address of the tunnel (30.1.1.0/24) must not use the tunnel interface as its next hop; if it did, GRE packets would be routed back into the tunnel that carries them.

Take Router A as an example:

[RouterA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.1.1.0/24  Direct  0    0           D   10.1.1.2        GigabitEthernet2/0/0
       10.1.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.2.1.0/24  OSPF    10   2           D   40.1.1.2        Tunnel0/0/1
       20.1.1.0/24  Direct  0    0           D   20.1.1.1        GigabitEthernet1/0/0
       20.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       30.1.1.0/24  OSPF    10   2           D   20.1.1.2        GigabitEthernet1/0/0
       40.1.1.0/24  Direct  0    0           D   40.1.1.1        Tunnel0/0/1
       40.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0

PC1 and PC2 can ping each other successfully.

    ----End
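The check described in Step 5, that the route covering the tunnel's physical destination does not itself point at the tunnel interface, can be automated from the routing-table output. The Python script below is an added example (not Huawei code and not part of this guide): it parses display ip routing-table text of the shape shown above, does a longest-prefix match for the tunnel destination, and reports whether the matched route leaves through the tunnel. The embedded table is constructed from the Router A output (some rows omitted); the route it appends in the test, 30.1.1.2/32 via Tunnel0/0/1, is a deliberately broken case.

```python
"""Detect GRE recursive routing in 'display ip routing-table' output.

Added example, not Huawei code. A GRE packet whose outer destination is
reached through the GRE tunnel itself is encapsulated again on every pass,
so the tunnel never comes up cleanly; the check below catches that.
"""
import ipaddress

# Constructed sample, modelled on the Router A output above (rows omitted).
ROUTING_TABLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 6        Routes : 6
Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
       10.2.1.0/24  OSPF    10   2           D   40.1.1.2        Tunnel0/0/1
       20.1.1.0/24  Direct  0    0           D   20.1.1.1        GigabitEthernet1/0/0
       20.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       30.1.1.0/24  OSPF    10   2           D   20.1.1.2        GigabitEthernet1/0/0
       40.1.1.0/24  Direct  0    0           D   40.1.1.1        Tunnel0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
"""


def parse_routing_table(text):
    """Return a list of (network, proto, nexthop, interface) tuples."""
    routes = []
    for line in text.splitlines():
        words = line.split()
        if len(words) != 7 or "/" not in words[0]:
            continue  # banner, separator or summary line
        try:
            net = ipaddress.ip_network(words[0], strict=False)
        except ValueError:
            continue  # the column header also has 7 words and a slash
        routes.append((net, words[1], words[5], words[6]))
    return routes


def lookup(routes, address):
    """Longest-prefix match for one address; None if no route covers it."""
    addr = ipaddress.ip_address(address)
    best = None
    for route in routes:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def recursive_routing_risk(routes, tunnel_destination, tunnel_interface):
    """True when the tunnel's outer destination would be forwarded into the tunnel itself."""
    hit = lookup(routes, tunnel_destination)
    return hit is not None and hit[3] == tunnel_interface


if __name__ == "__main__":
    table = parse_routing_table(ROUTING_TABLE)
    print("recursive routing:", recursive_routing_risk(table, "30.1.1.2", "Tunnel0/0/1"))
```

In the healthy table 30.1.1.2 is covered by 30.1.1.0/24 via GigabitEthernet1/0/0, so the function returns False; a more specific route to the tunnel destination learned over the tunnel (for example from running OSPF process 2 on the wrong interface) flips it to True.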

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
#
ospf 2
 area 0.0.0.0
  network 40.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#


  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 17
    encapsulation mode: tunnel
    tunnel local : 20.1.1.1
    tunnel remote: 30.1.1.2
    [inbound ESP SAs]
      spi: 2970386335 (0xb10c7f9f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434624/3081
      max received sequence-number: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 1720763150 (0x6690c30e)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434112/3081
      max sent sequence-number: 33
      udp encapsulation used for nat traversal: N

[RouterC] display ike sa
    Conn-ID  Peer            VPN  Flag(s)  Phase
  ---------------------------------------------------------------
    20       20.1.1.2        0    RD|ST    1
    21       20.1.1.2        0    RD|ST    2

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

[RouterC] display ipsec sa
===============================
Interface: GigabitEthernet1/0/0
 path MTU: 1500
===============================

  -----------------------------
  IPsec policy name: "policy1"
  sequence number: 1
  mode: isakmp
  -----------------------------
    connection id: 21
    encapsulation mode: tunnel
    tunnel local : 30.1.1.2
    tunnel remote: 20.1.1.1
    [inbound ESP SAs]
      spi: 1720763150 (0x6690c30e)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434624/3041
      max received sequence-number: 32
      udp encapsulation used for nat traversal: N
    [outbound ESP SAs]
      spi: 2970386335 (0xb10c7f9f)
      proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
      sa remaining key duration (bytes/sec): 1887434112/3041
      max sent sequence-number: 33
      udp encapsulation used for nat traversal: N

    ----End

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
 ike local-name rta
#
 multicast routing-enable
#
acl number 3000
 rule 5 permit gre source 20.1.1.1 0.0.0.0 destination 30.1.1.2 0.0.0.0
#
ike peer routerc v1
 exchange-mode aggressive
 pre-shared-key 12345
 local-id-type name
 remote-name rtc
 remote-address 30.1.1.2
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer Routerc
 proposal p1
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.1.1.2 255.255.255.0
 pim dm
 igmp enable
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
 pim dm
#
ospf 1
 area 0.0.0.0
  network 20.1.1.1 0.0.0.0
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.2 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 30.1.1.1 255.255.255.0
#
ospf 1
 area 0.0.0.0
  network 20.1.1.0 0.0.0.255
  network 30.1.1.0 0.0.0.255
#
return

• Configuration file of Router C

#
 sysname RouterC
#
 ike local-name rtc
#
 multicast routing-enable
#
acl number 3000
 rule 5 permit gre source 30.1.1.2 0.0.0.0 destination 20.1.1.1 0.0.0.0
#
ike peer routera v1
 exchange-mode aggressive
 pre-shared-key 12345
 local-id-type name
 remote-name rta
 remote-address 20.1.1.1
#
ipsec proposal p1
#
ipsec policy policy1 1 isakmp
 security acl 3000
 ike-peer Routera
 proposal p1
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
 ipsec policy policy1
#
interface GigabitEthernet2/0/0
 ip address 10.2.1.2 255.255.255.0
 pim dm
 igmp enable
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
 pim dm
#
ospf 1
 area 0.0.0.0
  network 30.1.1.2 0.0.0.0
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel0/0/1
#
return
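The two display ipsec sa listings in the verification step are the evidence that the ESP SAs line up: the inbound SPI on Router A (2970386335) is the outbound SPI on Router C, and vice versa, and both ends show the same proposal. The Python script below is an added example (not Huawei code and not part of this guide) that parses output of that shape from both peers and reports anything that does not match, and it also flags proposals built on DES or MD5, which the sample proposal p1 resolves to in the output above. The two embedded listings are constructed from the Router A and Router C output, trimmed to the fields the check needs.

```python
"""Cross-check the IPsec SAs of two GRE-over-IPsec peers (added example, not Huawei code).

Parses 'display ipsec sa' text as printed in this guide, pairs the inbound SA
of one router with the outbound SA of the other, and reports mismatches and
proposals that rely on DES (56-bit key) or MD5 (broken hash).
"""
import re

# Constructed samples, trimmed from the Router A and Router C output above.
SA_ROUTER_A = """\
  tunnel local : 20.1.1.1
  tunnel remote: 30.1.1.2
  [inbound ESP SAs]
    spi: 2970386335 (0xb10c7f9f)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    sa remaining key duration (bytes/sec): 1887434624/3081
  [outbound ESP SAs]
    spi: 1720763150 (0x6690c30e)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    sa remaining key duration (bytes/sec): 1887434112/3081
"""
SA_ROUTER_C = """\
  tunnel local : 30.1.1.2
  tunnel remote: 20.1.1.1
  [inbound ESP SAs]
    spi: 1720763150 (0x6690c30e)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    sa remaining key duration (bytes/sec): 1887434624/3041
  [outbound ESP SAs]
    spi: 2970386335 (0xb10c7f9f)
    proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5
    sa remaining key duration (bytes/sec): 1887434112/3041
"""

# Substrings that mark an obsolete primitive ("3DES" matches too, on purpose).
WEAK_ALGORITHMS = ("DES", "MD5")


def parse_ipsec_sa(text):
    """Return {'local', 'remote', 'inbound': {...}, 'outbound': {...}} for one peer."""
    sa = {"local": None, "remote": None, "inbound": {}, "outbound": {}}
    direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"tunnel (local|remote)\s*:\s*(\S+)", line)
        if m:
            sa[m.group(1)] = m.group(2)
        elif line.startswith("[inbound"):
            direction = "inbound"
        elif line.startswith("[outbound"):
            direction = "outbound"
        elif direction and line.startswith("spi:"):
            sa[direction]["spi"] = int(line.split()[1])  # decimal form, hex in parentheses
        elif direction and line.startswith("proposal:"):
            sa[direction]["proposal"] = line.split(":", 1)[1].split()
        elif direction and "remaining key duration" in line:
            byts, secs = line.split(":")[-1].split("/")
            sa[direction]["bytes_left"] = int(byts)
            sa[direction]["seconds_left"] = int(secs)
    return sa


def weak_algorithms(proposal):
    """Proposal tokens that name a weak primitive."""
    return [alg for alg in proposal if any(w in alg for w in WEAK_ALGORITHMS)]


def cross_check(sa_a, sa_b):
    """Return findings; an empty list means both ends agree on the SA pair."""
    findings = []
    if (sa_a["local"], sa_a["remote"]) != (sa_b["remote"], sa_b["local"]):
        findings.append("tunnel endpoints are not mirrored")
    # What one side receives on must be what the other side sends on.
    for mine, theirs, label in ((sa_a, sa_b, "A-in/B-out"), (sa_b, sa_a, "B-in/A-out")):
        if mine["inbound"].get("spi") != theirs["outbound"].get("spi"):
            findings.append(f"SPI mismatch ({label})")
        if mine["inbound"].get("proposal") != theirs["outbound"].get("proposal"):
            findings.append(f"proposal mismatch ({label})")
    for direction in ("inbound", "outbound"):
        weak = weak_algorithms(sa_a[direction].get("proposal", []))
        if weak:
            findings.append(f"{direction} SA uses weak algorithms: {' '.join(weak)}")
    return findings


if __name__ == "__main__":
    for finding in cross_check(parse_ipsec_sa(SA_ROUTER_A), parse_ipsec_sa(SA_ROUTER_C)):
        print("finding:", finding)
```

On the sample output the SPIs and endpoints pair up correctly, so the only findings are the two weak-algorithm lines; a differing SPI on one side (a stale SA after a rekey, for instance) shows up as an SPI mismatch for that direction.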

1.6.4 Example for Configuring the Keepalive Function for GRE

This section provides an example for configuring the Keepalive function of the GRE tunnel. In this manner, the VPN does not select a GRE tunnel that cannot reach the remote end, and data loss can be avoided.

Networking Requirements

As shown in Figure 1-8, Router A and Router B are configured with the GRE protocol. The two ends of the GRE tunnel need to be configured with the Keepalive function.

Figure 1-8 Networking diagram of configuring the Keepalive function on two ends of a GRE tunnel

[Figure: RouterA -- Internet -- RouterB, with a GRE tunnel between them. Addresses shown in the figure:
  RouterA GE1/0/0 20.1.1.1/24, Tunnel0/0/1 40.1.1.1/24
  RouterB GE1/0/0 30.1.1.2/24, Tunnel0/0/1 40.1.1.2/24]


    Configuration Roadmap

To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in the tunnel interface view on that end.

TIP

If the Keepalive function is enabled on the source end, the forwarding function is obligatory on the destination end, while the Keepalive function itself is optional for the destination end.

    Data Preparation

    To complete the configuration, you need the following data:

• Data for configuring the routing protocol for the backbone network
• Source address and destination address of the GRE tunnel
• Interval for sending Keepalive messages
• Parameters of the unreachable timer

    Procedure

    Step 1 Configure Router A and Router B to implement the interworking between the two devices.

    The detailed procedures are not mentioned here.

Step 2 Configure a tunnel on Router A and enable the Keepalive function.

system-view
[RouterA] interface tunnel 0/0/1
[RouterA-Tunnel0/0/1] ip address 40.1.1.1 255.255.255.0
[RouterA-Tunnel0/0/1] source 20.1.1.1
[RouterA-Tunnel0/0/1] destination 30.1.1.2
[RouterA-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterA-Tunnel0/0/1] quit

Step 3 Configure a tunnel on Router B and enable the Keepalive function.

system-view
[RouterB] interface tunnel 0/0/1
[RouterB-Tunnel0/0/1] ip address 40.1.1.2 255.255.255.0
[RouterB-Tunnel0/0/1] source 30.1.1.2
[RouterB-Tunnel0/0/1] destination 20.1.1.1
[RouterB-Tunnel0/0/1] keepalive period 20 retry-times 3
[RouterB-Tunnel0/0/1] quit

Step 4 Verify the configuration.

# The tunnel interface on Router A can successfully ping the tunnel interface on Router B.

ping -a 40.1.1.1 40.1.1.2
  PING 40.1.1.2: 56  data bytes, press CTRL_C to break
    Reply from 40.1.1.2: bytes=56 Sequence=1 ttl=255 time=9 ms
    Reply from 40.1.1.2: bytes=56 Sequence=2 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=3 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=4 ttl=255 time=7 ms
    Reply from 40.1.1.2: bytes=56 Sequence=5 ttl=255 time=7 ms

  --- 40.1.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 7/7/9 ms

# Enable the debugging of the Keepalive messages on Router A and view information about the Keepalive messages.


terminal monitor
terminal debugging
debugging tunnel keepalive
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard ulKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packet.
May 18 2011 11:36:11.590.3+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive peer keepalive on mainboard successfully. Put into decapsulation.
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
May 18 2011 11:36:15.120.2+00:00 AR1220 TUNNEL/7/debug:GRE_FWD: Receive the response keepalive packet on mainboard successfully, keepalive finished.
May 18 2011 11:36:15.120.3+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard send mbuf to slaveboard when RECEIVE response packet.

    ----End
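The debugging output distinguishes two events: a keepalive detecting packet, which is a probe sent by the peer, and a keepalive response packet, which is the peer's answer to a probe this router sent. A monitoring script can use the second kind to decide whether the peer is still answering. The Python script below is an added example (not Huawei code and not part of this guide) that parses lines in the format shown above and reports the peer as up or down. The embedded log lines are constructed; the rule it applies, that the peer is unreachable once keepalive period multiplied by retry-times seconds (20 x 3 = 60 s with the values used in Steps 2 and 3) pass without a response, is this example's reading of those two parameters, not a statement of how the router implements them.

```python
"""Track GRE keepalive debugging output and decide whether the peer still answers.

Added example, not Huawei code. The timestamp layout and the two message kinds
follow the debug lines in this guide; the "down after period * retry_times
seconds without a response" rule is this example's assumption.
"""
import re
from datetime import datetime

# Constructed log lines in the format of the debugging output above.
DEBUG_LOG = """\
May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
May 18 2011 11:36:15.120.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
May 18 2011 11:36:31.600.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router.
May 18 2011 11:36:35.130.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive response packet from peer router.
"""

# "May 18 2011 11:36:11.590.1+00:00 ... Received keepalive <kind> packet"
LINE_RE = re.compile(
    r"^(\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\.(\d{3})\.\d+[+-]\d{2}:\d{2} "
    r".*Received keepalive (detecting|response) packet"
)


def parse_keepalive_events(text):
    """Return [(timestamp, kind), ...] for the keepalive lines of a debug capture."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # GRE_FWD / GRE_KEEP_NSR lines carry no extra state for this check
        stamp = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%b %d %Y %H:%M:%S %f")
        events.append((stamp, m.group(3)))
    return events


def last_response_age(events, now):
    """Seconds since the peer last answered one of our probes; None if it never did."""
    responses = [t for t, kind in events if kind == "response"]
    return (now - max(responses)).total_seconds() if responses else None


def peer_state(text, now_iso, period=20, retry_times=3):
    """'up' while a response arrived within period * retry_times seconds of now_iso,
    otherwise 'down' (assumed unreachable condition, see module docstring)."""
    age = last_response_age(parse_keepalive_events(text), datetime.fromisoformat(now_iso))
    return "up" if age is not None and age <= period * retry_times else "down"


if __name__ == "__main__":
    print(peer_state(DEBUG_LOG, "2011-05-18T11:36:40"))   # shortly after the last response
    print(peer_state(DEBUG_LOG, "2011-05-18T11:38:00"))   # more than 60 s without one
```

Fed to a syslog pipeline instead of a static string, the same functions give a continuous view of whether the remote end is answering, which is the condition the Keepalive function acts on when it stops using an unreachable tunnel.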

Configuration Files

• Configuration file of Router A

#
 sysname RouterA
#
interface GigabitEthernet1/0/0
 ip address 20.1.1.1 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.1 255.255.255.0
 tunnel-protocol gre
 source 20.1.1.1
 destination 30.1.1.2
 keepalive period 20
#
return

• Configuration file of Router B

#
 sysname RouterB
#
interface GigabitEthernet1/0/0
 ip address 30.1.1.2 255.255.255.0
#
interface Tunnel0/0/1
 ip address 40.1.1.2 255.255.255.0
 tunnel-protocol gre
 source 30.1.1.2
 destination 20.1.1.1
 keepalive period 20
#
return


2 MCE Configuration

About This Chapter

Generally, a Customer Edge (CE) can connect to only one Virtual Private Network (VPN). If multiple VPNs need to be divided, multiple CEs are required. The Multi-VPN-Instance CE (MCE) technology enables a CE to be connected to multiple VPNs. This isolates services between different VPNs and reduces the investment on network devices.

2.1 Introduction to MCE
MCE isolates different services or users by using the route multi-instance on the CE.

2.2 Configuring a VPN Instance
This section describes how to configure a VPN instance.

2.3 Configuring a Route Multi-Instance Between an MCE and a Site
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a site.

2.4 Configuring a Route Multi-Instance Between an MCE and a PE
This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a PE.

2.5 MCE Configuration Examples
This section provides several configuration examples of MCE.


2.1 Introduction to MCE

MCE isolates different services or users by using the route multi-instance on the CE.

2.1.1 MCE Overview

MCE isolates different services or users by using the route multi-instance on the CE.

Background

With increasing diversification of user services and higher requirements on security, multiple VPNs are required in a private network in most cases, and services of different VPNs need to be isolated. In this case, using a CE for each VPN increases the device expenditure and maintenance cost; the security of data cannot be ensured if multiple VPNs share a CE and a route forwarding table.

As shown in Figure 2-1, MCE can effectively solve the issues of data security and network cost in a VPN. MCE isolates services of different VPNs by binding VLANIF interfaces to VPNs, and by creating and maintaining an independent multi-VRF table for each VPN.

Figure 2-1 Typical MCE networking diagram

[Figure: a service provider's backbone made up of P routers and three PE routers. A CE in a VPN 1 site and a CE in a VPN 2 site each attach to a PE of their own. One MCE attaches both a VPN 1 site and a VPN 2 site to a single PE.]

Basic Concepts

• CE

An edge device that is located in a user network. A CE provides interfaces that are directly connected to the Service Provider (SP) network. A CE can be a router, a switch, or a host. In most situations, a CE neither senses a VPN nor supports MPLS.

• MCE

A CE configured with MCE functions. An MCE can connect to multiple VPNs whose services are isolated completely.


    l PE

An edge router that is located in an SP network. A PE is an edge device in the SP network and is directly connected to the CE and MCE. In an MPLS network, PEs process all VPN services.

• Provider (P)

A backbone router that is located in an SP network. A P device is not directly connected to CEs. The P devices only need the basic MPLS forwarding capability, without maintaining information about a VPN.

• Site

A group of IP systems with IP connectivity between each other. Their connectivity need not be implemented through an SP network. The site is connected to the SP network through a CE or an MCE.

2.1.2 MCE Functions Supported by the AR2200-S

When the AR2200-S functions as an MCE, multiple routing protocols can be run between an MCE and a PE, and between an MCE and a site, including static routes, the Routing Information Protocol (RIP), the Open Shortest Path First (OSPF), the Intermediate System-to-Intermediate System (IS-IS), and BGP.

    Multiple Routing Protocols Run Between an MCE and a PE

When the AR2200-S functions as an MCE, multiple routing protocols can be run between the AR2200-S and a PE, including:
• Static routes
• RIP
• OSPF
• IS-IS
• BGP

Multiple Routing Protocols Run Between an MCE and a Site

When the AR2200-S functions as an MCE, multiple routing protocols can be run between the AR2200-S and a site, including:
• Static routes
• RIP
• OSPF
• IS-IS
• BGP

2.2 Configuring a VPN Instance

This section describes how to configure a VPN instance.


    2.2.1 Establishing the Configuration Task

    Applicable Environment

To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to configure VPN instances on an MCE and a PE.

    Pre-configuration Tasks

Before configuring a VPN instance, complete the following tasks:
• Creating a VLAN on the MCE and adding the interface connecting the site and PE to the VLAN
• Creating a VLAN on the PE and adding the sub-interface connecting the MCE to the VLAN
• Creating a VLAN on the device connected to the MCE in a site and adding the interface connected to the MCE on the device to the VLAN

    Data Preparation

    To configure a VPN instance, you need the following data.

    No. Data

    1 Name of the VPN instance

    2 Route Distinguisher (RD) of the VPN instance

    3 (Optional) Description of the VPN instance

    4 (Optional) Maximum number of routes supported by the VPN instance

    5 ID of the VLAN corresponding to the VPN instance

    2.2.2 Creating a VPN instance

Context

Do as follows on the MCE.

You need to perform similar configurations on the PE; however, configuration commands and methods may be different because device manufacturers and types are different. For details, refer to the manuals of the corresponding products.

    Procedure

    Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip vpn-instance vpn-instance-name command to create a VPN instance and enter the VPN instance view.


    The interface is bound to the VPN instance.

    NOTE

Running the ip binding vpn-instance command on an interface can delete the Layer 3 attributes, such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to configure them again.

An interface cannot be bound to any VPN instance that is not enabled with an address family.

Disabling an address family of a VPN instance deletes the Layer 3 attributes, such as the IP address and routing protocol, of the interface bound to the VPN instance. Disabling all address families of a VPN instance unbinds all bound interfaces from the VPN instance.

Step 4 Run:
ip address ip-address { mask | mask-length }

    The IP address is configured.

    ----End
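The NOTE above states two ordering constraints that are easy to get wrong when the commands are typed by hand or generated by a script: a VPN instance must have an address family enabled before an interface can be bound to it, and the binding clears the interface's IP address, so the ip address command has to come after the binding (which is why Step 4 follows the bind). The Python script below is an added example (not Huawei code and not part of this guide) that lints an ordered command sequence for both constraints. The command sequence embedded in it is constructed, with the ip address deliberately typed before the binding; the ipv4-family command it looks for is this example's assumption about how the IPv4 address family is enabled in the VPN instance view, and the linter treats every quit as a return to the system view, which is a simplification.

```python
"""Lint an ordered MCE command sequence for the pitfalls in the NOTE above.

Added example, not Huawei code. Rules:
  1. 'ip binding vpn-instance X' on an interface requires that X exists and had an
     address family enabled beforehand ('ipv4-family' is assumed as that command).
  2. The binding clears the interface's Layer 3 settings, so the interface needs an
     'ip address' typed after the binding, not before it.
Nested views are not modelled: any 'quit' is treated as a return to system view.
"""

# Constructed command sequence, as it would be typed in system view on the MCE.
COMMANDS = [
    "ip vpn-instance vpn1",
    " route-distinguisher 100:1",
    " ipv4-family",
    "quit",
    "interface Vlanif10",
    " ip address 10.10.1.1 255.255.255.0",   # wrong place: typed before the binding
    " ip binding vpn-instance vpn1",
    "quit",
]


def lint_mce(commands):
    """Return a list of findings for the command sequence; empty means no pitfall hit."""
    findings = []
    instances = {}                # VPN instance name -> {'family': bool}
    current_instance = None
    current_iface = None
    address_missing = {}          # interface -> True from a bind until an ip address follows
    for raw in commands:
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["ip", "vpn-instance"]:
            current_instance, current_iface = words[2], None
            instances.setdefault(current_instance, {"family": False})
        elif words[0] == "ipv4-family" and current_instance:
            instances[current_instance]["family"] = True
        elif words[0] == "interface":
            current_iface, current_instance = words[1], None
        elif words[0] == "quit":
            current_iface = current_instance = None
        elif words[:3] == ["ip", "binding", "vpn-instance"] and current_iface:
            name = words[3]
            if name not in instances:
                findings.append(f"{current_iface}: bound to undefined VPN instance {name}")
            elif not instances[name]["family"]:
                findings.append(f"{current_iface}: {name} has no address family enabled before binding")
            address_missing[current_iface] = True   # whatever address existed is gone now
        elif words[:2] == ["ip", "address"] and current_iface:
            address_missing[current_iface] = False
    for iface, missing in address_missing.items():
        if missing:
            findings.append(f"{iface}: no 'ip address' after 'ip binding vpn-instance' "
                            "(the binding cleared the address)")
    return findings


if __name__ == "__main__":
    for finding in lint_mce(COMMANDS):
        print("finding:", finding)
```

Swapping the two interface commands so that the address follows the binding clears the finding; dropping the ipv4-family line produces the address-family finding instead.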

2.2.4 Checking the Configuration

Run the command display ip vpn-instance [ verbose ] [ vpn-instance-name ] to check the previous configuration.

If the configuration is correct, you can view:
• VPN instance created correctly
• Name of the VPN instance
• RD
• Description
• Maximum number of routes supported by the VPN instance
• Interface configured correctly

display ip vpn-instance verbose
 Total VPN-Instances configured : 1

 VPN-Instance Name and ID : vpn1 , 1
  Create date : 2011/09/10 16:58:42
  Up time : 0 days, 21 hours, 42 minutes and 10 seconds
  Log Interval : 5

2.3 Configuring a Route Multi-Instance Between an MCE and a Site

This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a site.

For configuring a route multi-instance between an MCE and a site, the tasks from 2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site to (Optional) Configuring BGP Between an MCE and a Site are optional and can be configured as required.

    2.3.1 Establishing the Configuration Task

    Applicable Environment

To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to perform the task of 2.2 Configuring a VPN Instance on the MCE and PE, and then configure a route multi-instance between an MCE and a site.

Pre-configuration Tasks

Before configuring a route multi-instance between an MCE and a site, complete the following task:
• 2.2 Configuring a VPN Instance

Data Preparation

To configure a route multi-instance between an MCE and a site, you need the following data.

    No. Data

    1 Name of the VPN instance

2 (Optional) Destination address of a static route to the site, name of the destination VPN instance, mask or mask length, next hop IP address, priority of the route, and description of the route

3 (Optional) RIP process number, address of the network segment where the VLANIF interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a PE, cost of the imported route, and name of the routing policy during route importing

4 (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network segment where the VLANIF interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a PE, cost of the imported route, metric of the imported route, tag in the external Link State Advertisement (LSA) of the imported route, and name of the routing policy during route importing

5 (Optional) IS-IS process number, Network Entity Title (NET) of the IS-IS process, number of the VLANIF interface bound to the VPN instance, type and process number of the routing protocol run between an MCE and a PE, type and value of the cost of the imported route, administrative tag of the imported route, and level of the routing table for storing the imported route

6 (Optional) Autonomous System (AS) number, IP address of the VLANIF interface connecting a CE and an MCE, type and process number of the routing protocol run between an MCE and a PE, Multi-Exit Discriminator (MED) of the imported route, and name of the routing policy during route importing

2.3.2 (Optional) Configuring a Static Route Between an MCE and a Site

Context

Do as follows on the MCE.

    You need to configure only routing protocols on a device in a site.


    Procedure

    Step 1 Run the system-view command to enter the system view.

Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to the site.

    You must specify the next hop address on the local device.

    ----End

    2.3.3 (Optional) Configuring RIP Between an MCE and a Site

    Context

    Do as follows on the MCE.

    You need to configure only routing protocols on a device in a site.

    Procedure

    Step 1 Run the system-view command to enter the system view.

Step 2 Run the rip [ process-id ] [ vpn-instance vpn-instance-name ] command to create and enable a RIP process used by a VPN instance and enter the RIP view.

Step 3 Run the network network-address command to enable RIP routes on the network segment where the IP address of the interface bound to the VPN instance belongs.

Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] * command to import routes from other routing protocols.

If another routing protocol is run between an MCE and a PE in this VPN, you need to perform this step.

    ----End

    2.3.4 (Optional) Configuring OSPF Between an MCE and a Site

    Context

    Do as follows on the MCE.

    On the device in the site, you only need to configure the routing protocol; no VPN instance is needed on the site side.

    Procedure

    Step 1 Run the system-view command to enter the system view.

    Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command to create an OSPF process used by a VPN instance and enter the OSPF view.


    NOTE

    In this step, you must specify vpn-instance vpn-instance-name.

    Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost | route-policy route-policy-name | tag tag | type type ] * } command to import routes from other routing protocols.

    If another routing protocol is run between the MCE and the PE in this VPN, you need to perform this step.

    Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.

    Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF on the network segment to which the IP address of the interface bound to the VPN instance belongs.

    ----End

    2.3.5 (Optional) Configuring IS-IS Between an MCE and a Site

    Context

    Do as follows on the MCE.

    On the device in the site, you only need to configure the routing protocol; no VPN instance is needed on the site side.

    Procedure

    Step 1 Run the system-view command to enter the system view.

    Step 2 Run the isis [ process-id ] vpn-instance vpn-instance-name command to create an IS-IS process used by a VPN instance and enter the IS-IS view.

    Step 3 Run the network-entity net command to configure a NET.

    By default, no NET is configured for an IS-IS process.

    Step 4 (Optional) Run the import-route protocol [ process-id ] [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] * command to import routes from other routing protocols.

    If another routing protocol is run between the MCE and the PE in this VPN, you need to perform this step.

    Step 5 Run the quit command to return to the system view, and then run the interface interface-type interface-number command to enter the view of the interface bound to the VPN instance.

    Step 6 Run the isis enable [ process-id ] command to enable IS-IS on the interface, using the process-id of the process created in Step 2.

    By default, IS-IS is disabled on an interface.

    ----End

    2.3.6 Checking the Configuration

    Run the display ip routing-table vpn-instance vpn-instance-name command on the MCE. If the routes to the local site are displayed in the routing table of the VPN instance, the configuration succeeds. Also check that the table contains no prefix that belongs to another VPN instance.

    Take RIP used between an MCE and a site as an example. The information is displayed as follows:


    [MCE] display ip routing-table vpn-instance vpnb
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpnb
             Destinations : 7        Routes : 7

    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

          172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
          172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
          172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
          172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
          172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
          172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10

    2.4 Configuring a Route Multi-Instance Between an MCE and a PE

    This section describes how to configure static routes, RIP, OSPF, IS-IS, and BGP between an MCE and a PE.

    For configuring a route multi-instance between an MCE and a PE, 2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE to (Optional) Configuring BGP Between an MCE and a PE are optional and can be configured as required.

    2.4.1 Establishing the Configuration Task

    Applicable Environment

    To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to perform the task of 2.2 Configuring a VPN Instance on the MCE and PE and then configure a route multi-instance between the MCE and PE.

    Pre-configuration Tasks

    Before configuring a route multi-instance between an MCE and a PE, complete the following task:

    • 2.2 Configuring a VPN Instance

    Data Preparation

    To configure a route multi-instance between an MCE and a PE, you need the following data.

    No. Data

    1 Name of the VPN instance

    2 (Optional) Destination address of a static route to the PE, name of the destination VPN instance, mask or mask length, next hop IP address, priority of the route, and description of the route


    3 (Optional) RIP process number, address of the network segment where the interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a site, cost of the imported route, and name of the routing policy used during route importing

    4 (Optional) OSPF process number, router ID of OSPF, area ID of OSPF, address of the network segment where the interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a site, cost and type of the imported route, tag in the external LSA of the imported route, and name of the routing policy used during route importing

    5 (Optional) IS-IS process number, NET of the IS-IS process, number of the interface bound to the VPN instance, type and process number of the routing protocol run between an MCE and a site, type and value of the cost of the imported route, administrative tag of the imported route, and level of the routing table for storing the imported route

    6 (Optional) AS number, IP address of the interface connecting a CE and an MCE, type and process number of the routing protocol run between an MCE and a site, MED of the imported route, and name of the routing policy used during route importing

    2.4.2 (Optional) Configuring a Static Route Between an MCE and a PE

    Context

    Do as follows on the MCE.

    Configure the corresponding route on the PE as well. The PE can use a static route, or it can run RIP, OSPF, IS-IS, or BGP towards the MCE. For details, refer to the manuals of the corresponding products.

    Procedure

    Step 1 Run the system-view command to enter the system view.

    Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask-length } { interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination-name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg-name ] [ description description ] command to configure a static route to a PE.

    You must specify the next hop address (gateway-address). On a multi-access interface such as a VLANIF interface, the outbound interface alone does not identify the next hop.

    ----End

    2.4.3 (Optional) Configuring RIP Between an MCE and a PE


    Context

    Do as follows on the MCE.

    You need to perform similar configurations on the PE. For details, refer to the manuals of the corresponding products.

    Procedure

    Step 1 Run the system-view command to enter the system view.

    Step 2 Run the rip [ process-id ] vpn-instance vpn-instance-name command to create and enable a RIP process used by a VPN instance and enter the RIP view.

    Step 3 Run the network network-address command to enable RIP on the network segment to which the IP address of the interface bound to the VPN instance belongs.

    Step 4 (Optional) Run the import-route { { static | direct } | { { rip | ospf | isis } [ process-id ] } } [ cost cost | route-policy route-policy-name ] * command to import routes from other routing protocols.

    If another routing protocol is run between the MCE and the site in this VPN, you need to perform this step so that the PE learns the site routes. The process you import from must be the one bound to the same VPN instance.

    ----End

    2.4.4 (Optional) Configuring OSPF Between an MCE and a PE

    Context

    Do as follows on the MCE.

    You need to perform similar configurations on the PE. For details, refer to the manuals of the corresponding products.

    Procedure

    Step 1 Run the system-view command to enter the system view.

    Step 2 Run the ospf [ process-id | router-id router-id | vpn-instance vpn-instance-name ] * command to create an OSPF process used by a VPN instance and enter the OSPF view.

    NOTE

    In this step, you must specify vpn-instance vpn-instance-name .

    Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost | route-policy route-policy-name | tag tag | type type ] * } command to import routes from other routing protocols.

    If another routing protocol is run between the MCE and the site in this VPN, you need to perform this step.

    Step 4 Run the area area-id command to create an OSPF area and enter the OSPF area view.

    Step 5 Run the network address wildcard-mask [ description text ] command to enable OSPF on the network segment to which the IP address of the interface bound to the VPN instance belongs.

    ----End


    2.5 MCE Configuration Examples

    This section provides several configuration examples of MCE.

    2.5.1 Example for Configuring MCE

    Networking Requirements

    As shown in Figure 2-2, the networking is as follows:

    • CE1, CE2, CE3, and CE4 are edge devices of the VPN.
    • CE1 and CE3 belong to a VPN instance named vpnb, and CE2 and CE4 belong to a VPN instance named vpna.
    • PE1 and PE2 are edge routers of the backbone network. BGP/MPLS IP VPN is configured on the backbone network between PE1 and PE2.
    • The MCE functions as a Multi-VPN-Instance CE located in the user network.
    • RIP is run between the MCE and CE3, and between the MCE and CE4.
    • OSPF is run between the MCE and PE2.

    It is required that route isolation between the VPNs be implemented on the MCE and that the routes of each VPN be advertised to PE2 through OSPF.

    Figure 2-2 Networking diagram for configuring MCE

    [Figure: CE3 (vpnb, site 192.168.1.0/24) and CE4 (vpna, site 192.168.2.0/24) connect to the MCE; the MCE connects to PE2; PE1 and PE2 are joined by the BGP/MPLS IP VPN backbone; CE1 (vpnb) and CE2 (vpna) attach to PE1. Links shown in the figure:
    CE3 Eth0/0/1 (VLAN 10, VLANIF10 172.16.1.1/16) - MCE Eth0/0/3 (VLANIF10 172.16.1.2/16), vpnb
    CE4 Eth0/0/1 (VLAN 20, VLANIF20 172.17.1.1/16) - MCE Eth0/0/4 (VLANIF20 172.17.1.2/16), vpna
    MCE Eth0/0/1 (VLAN 30, VLANIF30 172.18.1.2/16) - PE2 GE0/0/1 172.18.1.1/16, vpnb
    MCE Eth0/0/2 (VLAN 40, VLANIF40 172.19.1.2/16) - PE2 GE0/0/2 172.19.1.1/16, vpna]


    Configuration Roadmap

    The configuration roadmap is as follows:

    1. Create VLANs on the MCE, CE3, and CE4, and add the interfaces connecting these devices to the VLANs.
    2. Create and configure VPN instances on the MCE and PE2.
    3. Configure the OSPF route multi-instance on the MCE and PE2.
    4. Configure RIP between the MCE and CE3, and between the MCE and CE4.

    Data Preparation

    To complete the configuration, you need the following data:

    • VLANs between the MCE, PE2, CE3, and CE4, as shown in Figure 2-2
    • IP addresses of VLANIF interfaces, as shown in Figure 2-2

    Configuration Procedure

    1. Create VLANs on the MCE, CE3, and CE4, and add the interfaces connecting these devices to the VLANs.

    # Create VLANs on the MCE.
    <Quidway> system-view
    [Quidway] sysname MCE
    [MCE] vlan batch 10 20 30 40

    # Add interfaces to the VLANs on the MCE.
    [MCE] interface ethernet 0/0/1
    [MCE-Ethernet0/0/1] port link-type access
    [MCE-Ethernet0/0/1] port default vlan 30
    [MCE-Ethernet0/0/1] quit
    [MCE] interface ethernet 0/0/2
    [MCE-Ethernet0/0/2] port link-type access
    [MCE-Ethernet0/0/2] port default vlan 40
    [MCE-Ethernet0/0/2] quit
    [MCE] interface ethernet 0/0/3
    [MCE-Ethernet0/0/3] port link-type trunk
    [MCE-Ethernet0/0/3] port trunk allow-pass vlan 10
    [MCE-Ethernet0/0/3] quit
    [MCE] interface ethernet 0/0/4
    [MCE-Ethernet0/0/4] port link-type trunk
    [MCE-Ethernet0/0/4] port trunk allow-pass vlan 20
    [MCE-Ethernet0/0/4] quit

    # Create a VLAN on CE3.
    <Quidway> system-view
    [Quidway] sysname CE3
    [CE3] vlan 10
    [CE3-vlan10] quit

    # Add an interface to the VLAN on CE3.
    [CE3] interface ethernet 0/0/1
    [CE3-Ethernet0/0/1] port link-type trunk
    [CE3-Ethernet0/0/1] port trunk allow-pass vlan 10
    [CE3-Ethernet0/0/1] quit

    # Assign an IP address to VLANIF 10 on CE3.
    [CE3] interface vlanif 10
    [CE3-Vlanif10] ip address 172.16.1.1 16
    [CE3-Vlanif10] quit

    # Create a VLAN on CE4, add an interface to it, and assign an IP address to VLANIF 20.

    The configuration on CE4 is similar to that on CE3 (VLAN 20 on Ethernet 0/0/1, VLANIF 20 with 172.17.1.1/16), and is not repeated here.


    2. Create and configure VPN instances.

    # Create VPN instances on the MCE.
    [MCE] ip vpn-instance vpna
    [MCE-vpn-instance-vpna] ipv4-family
    [MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
    [MCE-vpn-instance-vpna-af-ipv4] quit
    [MCE-vpn-instance-vpna] quit
    [MCE] ip vpn-instance vpnb
    [MCE-vpn-instance-vpnb] ipv4-family
    [MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
    [MCE-vpn-instance-vpnb-af-ipv4] quit
    [MCE-vpn-instance-vpnb] quit

    # Bind VPN instances to VLANIF interfaces on the MCE and assign IP addresses to the VLANIF interfaces. Bind the VPN instance first: binding an interface to a VPN instance clears any IP address already configured on it.
    [MCE] interface vlanif 10
    [MCE-Vlanif10] ip binding vpn-instance vpnb
    [MCE-Vlanif10] ip address 172.16.1.2 16
    [MCE-Vlanif10] quit
    [MCE] interface vlanif 20
    [MCE-Vlanif20] ip binding vpn-instance vpna
    [MCE-Vlanif20] ip address 172.17.1.2 16
    [MCE-Vlanif20] quit
    [MCE] interface vlanif 30
    [MCE-Vlanif30] ip binding vpn-instance vpnb
    [MCE-Vlanif30] ip address 172.18.1.2 16
    [MCE-Vlanif30] quit
    [MCE] interface vlanif 40
    [MCE-Vlanif40] ip binding vpn-instance vpna
    [MCE-Vlanif40] ip address 172.19.1.2 16
    [MCE-Vlanif40] quit

    # Create VPN instances on PE2.
    [PE2] ip vpn-instance vpna
    [PE2-vpn-instance-vpna] route-distinguisher 100:1
    [PE2-vpn-instance-vpna] quit
    [PE2] ip vpn-instance vpnb
    [PE2-vpn-instance-vpnb] route-distinguisher 100:2
    [PE2-vpn-instance-vpnb] quit

    # Bind VPN instances to the interfaces on PE2 and assign IP addresses to the interfaces.
    [PE2] interface gigabitethernet 0/0/1
    [PE2-GigabitEthernet0/0/1] ip binding vpn-instance vpnb
    [PE2-GigabitEthernet0/0/1] ip address 172.18.1.1 255.255.0.0
    [PE2-GigabitEthernet0/0/1] quit
    [PE2] interface gigabitethernet 0/0/2
    [PE2-GigabitEthernet0/0/2] ip binding vpn-instance vpna
    [PE2-GigabitEthernet0/0/2] ip address 172.19.1.1 255.255.0.0
    [PE2-GigabitEthernet0/0/2] quit

    3. Configure the OSPF route multi-instance between the MCE and PE2.

    # Configure the OSPF route multi-instance on PE2. The vpn-instance-capability simple command disables OSPF VPN routing-loop detection for the process.
    [PE2] ospf 100 vpn-instance vpna
    [PE2-ospf-100] vpn-instance-capability simple
    [PE2-ospf-100] area 0
    [PE2-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
    [PE2-ospf-100-area-0.0.0.0] quit
    [PE2-ospf-100] quit
    [PE2] ospf 200 vpn-instance vpnb
    [PE2-ospf-200] vpn-instance-capability simple
    [PE2-ospf-200] area 0
    [PE2-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
    [PE2-ospf-200-area-0.0.0.0] quit
    [PE2-ospf-200] quit

    # Configure the OSPF route multi-instance on the MCE.


    [MCE] ospf 100 vpn-instance vpna
    [MCE-ospf-100] area 0
    [MCE-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255
    [MCE-ospf-100-area-0.0.0.0] quit
    [MCE-ospf-100] quit
    [MCE] ospf 200 vpn-instance vpnb
    [MCE-ospf-200] area 0
    [MCE-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255
    [MCE-ospf-200-area-0.0.0.0] quit
    [MCE-ospf-200] quit

    4. Configure RIP between the MCE and CE3, and between the MCE and CE4.

    # Configure RIP-2 on the MCE.
    [MCE] rip 100 vpn-instance vpna
    [MCE-rip-100] version 2
    [MCE-rip-100] network 172.17.0.0
    [MCE-rip-100] import-route ospf 100
    [MCE-rip-100] quit
    [MCE] rip 200 vpn-instance vpnb
    [MCE-rip-200] version 2
    [MCE-rip-200] network 172.16.0.0
    [MCE-rip-200] import-route ospf 200
    [MCE-rip-200] quit

    # Configure RIP-2 on CE3.
    [CE3] rip 200
    [CE3-rip-200] version 2
    [CE3-rip-200] network 172.16.0.0
    [CE3-rip-200] network 192.168.1.0
    [CE3-rip-200] import-route direct
    [CE3-rip-200] quit

    # Configure RIP-2 on CE4.
    [CE4] rip 100
    [CE4-rip-100] version 2
    [CE4-rip-100] network 172.17.0.0
    [CE4-rip-100] network 192.168.2.0
    [CE4-rip-100] import-route direct
    [CE4-rip-100] quit

    # Import the RIP routes into OSPF on the MCE. The process numbers must pair up within one VPN instance: OSPF 100 and RIP 100 are both bound to vpna, OSPF 200 and RIP 200 to vpnb. Importing a process of the other VPN instance here would undo the isolation.
    [MCE] ospf 100
    [MCE-ospf-100] import-route rip 100
    [MCE-ospf-100] quit
    [MCE] ospf 200
    [MCE-ospf-200] import-route rip 200
    [MCE-ospf-200] quit

    5. Verify the configuration.

    # After the configuration, run the display ip routing-table vpn-instance command on the MCE. You can view the routes of the local VPN, and the table should contain only prefixes of that VPN.

    Take vpnb as an example:
    [MCE] display ip routing-table vpn-instance vpnb
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpnb
             Destinations : 7        Routes : 7

    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

          172.16.0.0/16  Direct  0    0           D   172.16.1.2      Vlanif10
          172.16.1.1/32  Direct  0    0           D   172.16.1.1      Vlanif10
          172.16.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
          172.18.0.0/16  Direct  0    0           D   172.18.1.2      Vlanif30
          172.18.1.1/32  Direct  0    0           D   172.18.1.1      Vlanif30
          172.18.1.2/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         192.168.0.0/16  RIP     100  1           D   172.16.1.1      Vlanif10

    # Run the display ip routing-table vpn-instance command on the PE, and you can view the routes of the local VPN that the MCE advertised through OSPF.

    Take vpnb on PE2 as an example:


    [PE2] display ip routing-table vpn-instance vpnb
    Route Flags: R - relay, D - download to fib
    ------------------------------------------------------------------------------
    Routing Tables: vpnb
             Destinations : 3        Routes : 3

    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

          172.18.0.0/16  Direct  0    0           D   172.18.1.1      GigabitEthernet0/0/1
          172.18.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
         192.168.0.0/16  O_ASE   150  1           D   172.18.1.2      GigabitEthernet0/0/1

    Configuration Files

    • Configuration file of the MCE

    #
     sysname MCE
    #
    vlan batch 10 20 30 40
    #
    ip vpn-instance vpna
     ipv4-family
      route-distinguisher 100:1
    #
    ip vpn-instance vpnb
     ipv4-family
      route-distinguisher 100:2
    #
    interface Vlanif10
     ip binding vpn-instance vpnb
     ip address 172.16.1.2 255.255.0.0
    #
    interface Vlanif20
     ip binding vpn-instance vpna
     ip address 172.17.1.2 255.255.0.0
    #
    interface Vlanif30
     ip binding vpn-instance vpnb
     ip address 172.18.1.2 255.255.0.0
    #
    interface Vlanif40
     ip binding vpn-instance vpna
     ip address 172.19.1.2 255.255.0.0
    #
    interface Ethernet0/0/1
     port link-type access
     port default vlan 30
    #
    interface Ethernet0/0/2
     port link-type access
     port default vlan 40
    #
    interface Ethernet0/0/3
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface Ethernet0/0/4
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    ospf 100 vpn-instance vpna
     import-route rip 100
     area 0.0.0.0
      network 172.17.0.0 0.0.255.255
      network 172.19.0.0 0.0.255.255
    #
    ospf 200 vpn-instance vpnb


     import-route rip 200
     area 0.0.0.0
      network 172.16.0.0 0.0.255.255
      network 172.18.0.0 0.0.255.255
    #
    rip 100 vpn-instance vpna
     version 2
     network 172.17.0.0
     import-route ospf 100
    #
    rip 200 vpn-instance vpnb
     version 2
     network 172.16.0.0
     import-route ospf 200
    #
    return

    • Configuration file of PE2

    #
     sysname PE2
    #
    ip vpn-instance vpna
     route-distinguisher 100:1
    #
    ip vpn-instance vpnb
     route-distinguisher 100:2
    #
    interface GigabitEthernet0/0/1
     ip binding vpn-instance vpnb
     ip address 172.18.1.1 255.255.0.0
    #
    interface GigabitEthernet0/0/2
     ip binding vpn-instance vpna
     ip address 172.19.1.1 255.255.0.0
    #
    ospf 100 vpn-instance vpna
     vpn-instance-capability simple
     area 0.0.0.0
      network 172.19.0.0 0.0.255.255
    #
    ospf 200 vpn-instance vpnb
     vpn-instance-capability simple
     area 0.0.0.0
      network 172.18.0.0 0.0.255.255
    #
    return

    NOTE

    The preceding lists only the configuration related to the MCE. For details on configuring BGP/MPLS IP VPN on the PEs, refer to the manuals of the corresponding devices.

    • Configuration file of CE3

    #
     sysname CE3
    #
    vlan batch 10
    #
    interface Vlanif10
     ip address 172.16.1.1 255.255.0.0
    #
    interface Ethernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    rip 200
     version 2
     network 172.16.0.0


     network 192.168.1.0
     import-route direct
    #
    return

    • Configuration file of CE4

    #
     sysname CE4
    #
    vlan batch 20
    #
    interface Vlanif20
     ip address 172.17.1.1 255.255.0.0
    #
    interface Ethernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    rip 100
     version 2
     network 172.17.0.0
     network 192.168.2.0
     import-route direct
    #
    return
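    The configuration files above are where an isolation mistake is easiest to make and hardest to see: an import-route under a process bound to one VPN instance that names a process bound to the other, or a VLANIF interface that was never bound to a VPN instance and therefore places its routes in the public routing table. The following Python script is an added example, not part of the Huawei guide, that parses a VRP configuration file in the text format shown above and reports both conditions. The embedded configuration is a trimmed copy of the MCE file above; the leaky variant is constructed. It models ospf, rip and isis processes only; BGP, whose VPN binding sits in a nested ipv4-family vpn-instance view, is out of scope here.

```python
"""Audit an MCE configuration (VRP text format) for VPN-instance isolation slips.

Added example, not from the Huawei guide. It reports (1) an import-route under a
process bound to one VPN instance that names a process bound to another, or an
unconfigured, process and (2) VLANIF interfaces with an IP address but no
'ip binding vpn-instance'. Only ospf/rip/isis processes are modelled (no BGP).
"""
import re

# Trimmed copy of the MCE configuration file from the guide (constructed input).
MCE_CONFIG = """\
#
interface Vlanif10
 ip binding vpn-instance vpnb
 ip address 172.16.1.2 255.255.0.0
#
interface Vlanif30
 ip binding vpn-instance vpnb
 ip address 172.18.1.2 255.255.0.0
#
ospf 100 vpn-instance vpna
 import-route rip 100
 area 0.0.0.0
  network 172.19.0.0 0.0.255.255
#
ospf 200 vpn-instance vpnb
 import-route rip 200
 area 0.0.0.0
  network 172.18.0.0 0.0.255.255
#
rip 100 vpn-instance vpna
 network 172.17.0.0
 import-route ospf 100
#
rip 200 vpn-instance vpnb
 network 172.16.0.0
 import-route ospf 200
#
return
"""

# Constructed mistakes: ospf 200 (vpnb) imports rip 100 (vpna), and Vlanif50 has an
# address but no VPN binding, so its routes land in the public routing table.
LEAKY_CONFIG = MCE_CONFIG.replace(
    "ospf 200 vpn-instance vpnb\n import-route rip 200",
    "ospf 200 vpn-instance vpnb\n import-route rip 100",
).replace("return", "interface Vlanif50\n ip address 10.0.0.1 255.255.255.0\n#\nreturn")

PROC_RE = re.compile(r"^(ospf|rip|isis)\s+(\d+)(?:\s+vpn-instance\s+(\S+))?")
IMPORT_RE = re.compile(r"^\s+import-route\s+(ospf|rip|isis|bgp|static|direct)(?:\s+(\d+))?")
IFACE_RE = re.compile(r"^interface\s+(\S+)")
BIND_RE = re.compile(r"^\s+ip binding vpn-instance\s+(\S+)")
ADDR_RE = re.compile(r"^\s+ip address\s+")


def parse_config(text):
    """Return (procs, ifaces): process -> VPN and imports, interface -> VPN and address flag."""
    procs, ifaces, current = {}, {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented: a new top-level view begins
            if m := PROC_RE.match(line):
                current = ("proc", (m.group(1), m.group(2)))
                procs[current[1]] = {"vpn": m.group(3), "imports": []}
            elif m := IFACE_RE.match(line):
                current = ("iface", m.group(1))
                ifaces[current[1]] = {"vpn": None, "addressed": False}
            else:
                current = None
        elif current and current[0] == "proc" and (m := IMPORT_RE.match(line)):
            # VRP uses process 1 when the process-id is omitted.
            procs[current[1]]["imports"].append((m.group(1), m.group(2) or "1"))
        elif current and current[0] == "iface":
            if m := BIND_RE.match(line):
                ifaces[current[1]]["vpn"] = m.group(1)
            elif ADDR_RE.match(line):
                ifaces[current[1]]["addressed"] = True
    return procs, ifaces


def audit(text):
    """Return human-readable findings; an empty list means no isolation slip was found."""
    procs, ifaces = parse_config(text)
    findings = []
    for (proto, pid), info in procs.items():
        for src in info["imports"]:
            if src[0] in ("static", "direct", "bgp"):
                continue                      # not an IGP process reference
            if src not in procs:
                findings.append(f"{proto} {pid}: imports {src[0]} {src[1]}, which is not configured")
            elif procs[src]["vpn"] != info["vpn"]:
                findings.append(f"{proto} {pid} (vpn-instance {info['vpn']}) imports "
                                f"{src[0]} {src[1]} (vpn-instance {procs[src]['vpn']}): cross-VPN route leak")
    for name, info in ifaces.items():
        if name.lower().startswith("vlanif") and info["addressed"] and not info["vpn"]:
            findings.append(f"{name}: IP address without ip binding vpn-instance (public table)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("guide", MCE_CONFIG), ("leaky", LEAKY_CONFIG)):
        print(label, audit(cfg) or ["clean"])
```

    Run it over the output of display current-configuration before committing a change to the MCE; it is cheap enough to put in a pre-change check, and the two findings it produces for the leaky variant are exactly the ones a routing-table inspection would only reveal after the leak has happened.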


    3 IPSec Configuration

    About This Chapter

    IP Security (IPSec) uses data encryption and data source authentication at the IP layer to ensure data confidentiality and integrity and to prevent replay of data packets. Internet Key Exchange (IKE) enables key negotiation and security association (SA) establishment to simplify the use and management of IPSec. This chapter describes how to configure IPSec and IKE.

    3.1 IPSec Overview

    The IP Security (IPSec) protocol family is a series of protocols defined

