Page 1 Huawei AR1200 Series Enterprise Routers V200R002C01 Configuration Guide - VPN Issue Date 2012-04-20 HUAWEI TECHNOLOGIES CO., LTD.
Page 2 All other trademarks and trade names mentioned in this document are the property of their respective holders. Notice The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope.
Page 3: About This Document
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN About This Document About This Document Intended Audience This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the VPN supported by the AR1200 device.
Page 4: Command Conventions
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN About This Document Command Conventions The command conventions that may be found in this document are defined as follows. Convention Description Boldface The keywords of a command line are in boldface.
Page 5: Table Of Contents
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents Contents About This Document........................ii 1 GRE Configuration........................1 1.1 Introduction to GRE............................2 1.2 GRE Features Supported by the AR1200......................2 1.3 Configuring GRE..............................3 1.3.1 Establishing the Configuration Task......................3 1.3.2 Configuring a Tunnel Interface.........................4 1.3.3 Configuring Routes for the Tunnel......................5...
Page 6 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 2.1.1 MCE Overview............................42 2.1.2 MCE Functions Supported by the AR1200.....................43 2.2 Configuring a VPN Instance..........................43 2.2.1 Establishing the Configuration Task.......................44 2.2.2 Creating a VPN instance..........................44 2.2.3 Binding an Interface with a VPN Instance....................45 2.2.4 Checking the Configuration........................46...
Page 7 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 3.5.1 Establishing the Configuration Task.......................84 3.5.2 Creating a VPN Instance.........................85 3.5.3 Configuring Route Attributes of the VPN Instance.................87 3.5.4 Binding an Interface with the VPN Instance...................89 3.5.5 Configuring MP-IBGP Between Hub-PE and Spoke-PE................89 3.5.6 Configuring Route Exchange Between PE and CE.................90...
Page 8 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 3.11.1 Establishing the Configuration Task....................123 3.11.2 Configuring the OSPF Multi-Instance on the PE................124 3.11.3 Configuring the OSPF Multi-Instance on the Multi-Instance CE............125 3.11.4 Canceling the Loop Detection on the Multi-Instance CE..............126 3.11.5 Checking the Configuration.........................126...
Page 9 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 3.18.5 Example for Configuring Inter-AS VPN Option B................184 3.18.6 Example for Configuring Inter-AS VPN Option C................190 3.18.7 Example for Configuring Inter-AS VPN Option C (Solution 2)............197 3.18.8 Example for Configuring HoVPN.......................209 3.18.9 Example for Configuring Multi-VPN-Instance CE................216...
Page 10 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 5.1 IPSec Overview..............................284 5.2 IPSec Features Supported by the AR1200.....................285 5.3 Establishing an IPSec Tunnel Manually......................286 5.3.1 Establishing the Configuration Task.....................286 5.3.2 Defining Protected Data Flows......................287 5.3.3 Configuring an IPSec Proposal......................288 5.3.4 Configuring an IPSec Policy.........................288...
Page 11 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN Contents 6.1 DSVPN Overview............................345 6.2 DSVPN Features Supported by the AR1200....................345 6.3 Configuring DSVPN............................346 6.3.1 Establishing the Configuration Task.....................346 6.3.2 Configuring MGRE..........................347 6.3.3 Configuring Tunnel Routes........................347 6.3.4 Configuring NHRP on a Branch......................348 6.3.5 Configuring NHRP on the Central Office.....................349...
Page 12: Gre Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration GRE Configuration About This Chapter Generic Routing Encapsulation (GRE) encapsulates the packets of certain network layer protocols so that the encapsulated packets can be transmitted over the IPv4 network.
Page 13: Introduction To Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration 1.1 Introduction to GRE The transmission of packets in a Generic Routing Encapsulation (GRE) tunnel involves two processes: encapsulation and decapsulation. After receiving a packet of a certain network layer protocol that needs to be encapsulated and routed, the system adds a GRE header to the packet, and encapsulates the packet into a packet of another protocol, such as IP.
Page 14: Configuring Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Figure 1-2 Networking diagram of GRE-IPSec tunnel application Internet Remote IPSec tunnel office Corporate GRE tunnel network intranet As shown in Figure 1-2, if the multicast data is transmitted in the IPSec tunnel, establish the GRE tunnel and encapsulate the multicast data with GRE.
Page 15: Configuring A Tunnel Interface
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Data IP address of the tunnel interface Key of the tunnel interface 1.3.2 Configuring a Tunnel Interface After creating a tunnel interface, specify GRE as the encapsulation type, set the tunnel source address or source interface, and set the tunnel destination address.
Page 16: Configuring Routes For The Tunnel
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration The new MTU takes effect only after you run the shutdown command and the undo shutdown command on the interface. Step 7 Choose one of the following commands to configure the IP address of the tunnel interface.
Page 17: Optional) Configuring Gre Security Options
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration protocol is used, the protocol must be configured on the tunnel interface and the GE interface connected to the PC. Moreover, in the routing table of Router A, the egress with the destination as the network segment where GE 2/0/0 on Router C resides cannot be Tunnel 0/0/1.
Page 18: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration The tunnel interface view is displayed. Step 3 Run: gre checksum End-to-end checksum authentication is configured for the tunnel. By default, end-to-end checksum authentication is disabled. Step 4 Run: gre key key-number The key is set for the tunnel interface.
Page 19: Configuring A Gre Tunnel Between Ce And Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Current system time: 2008-03-04 19:17:30 300 seconds input rate 0 bits/sec, 0 packets/sec 300 seconds output rate 0 bits/sec, 0 packets/sec 0 seconds input rate 0 bits/sec, 0 packets/sec...
Page 20: Configuring The Gre Tunnel Interface On Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration A GRE tunnel needs to be created between a CE and a PE in the following two cases: A CE interconnects with a PE through the public network.
Page 21: Configuring The Gre Tunnel Interface On Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Step 2 Run: interface tunnel interface-number The tunnel interface is created and the tunnel interface view is displayed. Step 3 Run: tunnel-protocol gre The tunnel is encapsulated as a GRE tunnel.
Page 22 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: interface tunnel interface-number A tunnel interface is created and the tunnel interface view is displayed.
Page 23: Binding The Gre Tunnel With The Vpn To Which Ce Belongs On Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration 1.4.4 Binding the GRE Tunnel with the VPN to Which CE belongs on PE Bind the tunnel interface on the PE that connects the CE to a VPN instance. Then, the tunnel interface becomes a VPN interface.
Page 24: Configuring The Keepalive Function
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Procedure Run the display interface tunnel [ interface-number ] command to check the working mode of the tunnel interface. Run the display ip routing-table vpn-instance vpn-instance-name command to check the VPN routing table on the PE.
Page 25: Enabling The Keepalive Function
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Figure 1-4 GRE tunnel supporting Keepalive Internet Destination Source GRE tunnel RouterA RouterB Pre-configuration Tasks Before configuring the Keepalive function, complete the following tasks: Configuring the link layer attributes of the interfaces...
Page 26: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration The tunnel is encapsulated with GRE. Step 4 Run: keepalive [ period period [ retry-times retry-times ] ] The Keepalive function is enabled. The GRE tunnel Keepalive function is unidirectional. Therefore, to realize the Keepalive function on both ends, enable the Keepalive function on both ends of a GRE tunnel.
Page 27: Maintaining Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Keepalive Response packets on both the local end and the remote end. If the Keepalive function is successfully configured on the local tunnel interface, the number of sent Keepalive packets or received Keepalive Response packets on the local end is not 0.
Page 28: Debugging Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Procedure Run the display interface tunnel [ interface-number ] command to check the tunnel interface running status. Run the display ip routing-table vpn-instance vpn-instance-name command to check the VPN routing table on the PE.
Page 29 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Figure 1-5 Networking diagram of configuring a static route for GRE RouterB GE1/0/0 GE2/0/0 20.1.1.2/24 30.1.1.1/24 GE1/0/0 GE1/0/0 RouterA RouterC 20.1.1.1/24 30.1.1.2/24 Tunnel GE2/0/0 Tunnel0/0/1 GE2/0/0 Tunnel0/0/1 10.2.1.2/24 10.1.1.2/24...
Page 30 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Assign an IP address to each interface as shown in Figure 1-5. The specific configuration is not mentioned here. Step 2 Configure IGP for the VPN backbone network.
Page 31 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration After the configuration, the status of tunnel interfaces goes Up, and the tunnel interfaces can ping each other successfully. Take Router A as an example: [RouterA] ping -a 40.1.1.1 40.1.1.2 PING 40.1.1.2: 56...
Page 32: Example For Configuring A Dynamic Routing Protocol For Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration ip address 20.1.1.1 255.255.255.0 interface GigabitEthernet2/0/0 ip address 10.1.1.2 255.255.255.0 interface Tunnel0/0/1 ip address 40.1.1.1 255.255.255.0 tunnel-protocol gre source 20.1.1.1 destination 30.1.1.2 ospf 1 area 0.0.0.0 network 20.1.1.0 0.0.0.255 ip route-static 10.2.1.0 255.255.255.0 Tunnel0/0/1...
Page 33 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Networking Requirements Figure 1-6, Router A, Router B, and Router C belong to the VPN backbone network and OSPF runs between them. GRE is enabled between Router A and Router C for the interworking between PC1 and PC2.
Page 34 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration IP addresses of the interfaces on both ends of the GRE tunnel Procedure Step 1 Assign an IP address to each interface. Assign an IP address to each interface as shown in Figure 1-6.
Page 35 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration 127.0.0.0/8 Direct 0 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 127.0.0.1 InLoopBack0 PC 1 and PC 2 can ping each other successfully. ----End Configuration Files Configuration file of Router A...
Page 36: Example For Configuring A Gre Tunnel To Transmit Vpn Multicast Data Encrypted With Ipsec
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration ospf 1 area 0.0.0.0 network 30.1.1.0 0.0.0.255 ospf 2 area 0.0.0.0 network 40.1.1.0 0.0.0.255 network 10.2.1.0 0.0.0.255 return 1.7.3 Example for Configuring a GRE Tunnel to Transmit VPN...
Page 37 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Create an IPSec tunnel between Router A and Router C to encrypt the GRE encapsulated multicast packets. Data Preparation To complete the configuration, you need the following data:...
Page 38 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration [RouterA] interface gigabitethernet 2/0/0 [RouterA-GigabitEthernet2/0/0] pim dm [RouterA-GigabitEthernet2/0/0] igmp enable [RouterA-GigabitEthernet2/0/0] quit [RouterA] interface tunnel0/0/1 [RouterA-Tunnel0/0/1] pim dm [RouterA-Tunnel0/0/1] quit # Configure Router C. [RouterC] multicast routing-enable [RouterC] interface gigabitethernet 2/0/0...
Page 39 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration [RouterA] ipsec policy policy1 1 isakmp [RouterA-ipsec-policy-isakmp-policy1-1] security acl 3000 [RouterA-ipsec-policy-isakmp-policy1-1] ike-peer RouterC [RouterA-ipsec-policy-isakmp-policy1-1] proposal p1 [RouterA-ipsec-policy-isakmp-policy1-1] quit [RouterA] interface gigabitethernet 1/0/0 [RouterA-GigabitEthernet1/0/0] ipsec policy policy1 [RouterA-GigabitEthernet1/0/0] quit # Configure Router C.
Page 40 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration sa remaining key duration (bytes/sec): 1887434624/3081 max received sequence-number: 32 udp encapsulation used for nat traversal: N [outbound ESP SAs] spi: 1720763150 (0x6690c30e) proposal: ESP-ENCRYPT-DES ESP-AUTH-MD5 sa remaining key duration (bytes/sec): 1887434112/3081...
Page 41 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration ipsec policy policy1 1 isakmp security acl 3000 ike-peer Routerc proposal p1 interface GigabitEthernet1/0/0 ip address 20.1.1.1 255.255.255.0 ipsec policy policy1 interface GigabitEthernet2/0/0 ip address 10.1.1.2 255.255.255.0 pim dm...
Page 42: Example For Configuring The Ce To Access A Vpn Through A Gre Tunnel Of The Public Network
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration interface GigabitEthernet1/0/0 ip address 30.1.1.2 255.255.255.0 ipsec policy policy1 interface GigabitEthernet2/0/0 ip address 10.2.1.2 255.255.255.0 pim dm igmp enable interface Tunnel0/0/1 ip address 40.1.1.2 255.255.255.0 tunnel-protocol gre source 30.1.1.2 destination 20.1.1.1...
Page 43 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Figure 1-8 Networking diagram in which CEs access a VPN through the GRE tunnel of the public network Loopback1 Loopback1 MPLS GE1/0/0 GE2/0/0 GE1/0/0 GE2/0/0 GE1/0/0 GE2/0/0 GE2/0/0...
Page 44 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Create VPN instances on PE1 and PE2. Then bind the VPN instance on PE1 to the GRE tunnel interface, and bind the VPN instance on PE2 to the connected physical interface of CE2.
Page 45 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity [PE2-vpn-instance-vpn1-af-ipv4] quit [PE2-vpn-instance-vpn1] quit [PE2] interface gigabitethernet2/0/0 [PE2- GigabitEthernet2/0/0] ip binding vpn-instance vpn1 [PE2- GigabitEthernet2/0/0] ip address 11.1.1.2 255.255.255.0 Step 6 Configure the IS-IS route between CE1 and PE1.
Page 46 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration [PE1-bgp] ipv4-family vpn-instance vpn1 [PE1-bgp-vpn1] import-route direct [PE1-bgp-vpn1] import-route isis 50 # On PE2, specify PE1 as an IBGP peer, set up the IBGP connection by using the loopback interface, and enable the capability of exchanging VPN IPv4 routing information between PE2 and PE1.
Page 47 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration sysname CE1 isis 50 network-entity 50.0000.0000.0001.00 interface GigabitEthernet2/0/0 ip address 30.1.1.1 255.255.255.0 interface GigabitEthernet1/0/0 ip address 21.1.1.2 255.255.255.0 isis enable 50 interface Tunnel0/0/1 ip address 2.2.2.1 255.255.255.0 tunnel-protocol gre source 30.1.1.1...
Page 48 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration ip address 1.1.1.9 255.255.255.255 interface Tunnel0/0/1 ip binding vpn-instance vpn1 ip address 2.2.2.2 255.255.255.0 tunnel-protocol gre source 50.1.1.2 destination 30.1.1.1 isis enable 50 bgp 100 peer 3.3.3.9 as-number 100 peer 3.3.3.9 connect-interface LoopBack1...
Page 49: Example For Configuring The Keepalive Function For Gre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 ipv4-family unicast undo synchronization peer 1.1.1.9 enable ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable ipv4-family vpn-instance vpn1 import-route direct import-route isis 50 ospf 10 area 0.0.0.0...
Page 50 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration Configuration Roadmap To enable the Keepalive function on one end of the GRE tunnel, run the keepalive command in the tunnel interface view on the end. If the Keepalive function is enabled on the source end, the forwarding function is obligatory, and the Keepalive function is optional for the destination end.
Page 51 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 1 GRE Configuration <RouterA> terminal monitor <RouterA> terminal debugging <RouterA> debugging tunnel keepalive May 18 2011 11:36:11.590.1+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP:Judge keepalive finished. Received keepalive detecting packet from peer router. <RouterA> May 18 2011 11:36:11.590.2+00:00 AR1220 TUNNEL/7/debug:GRE_KEEP_NSR: Mainboard u lKeepaliveReceiveOpposite++ then send mbuf to slave when RECEIVE keepalive packe <RouterA>...
Page 52: Mce Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration MCE Configuration About This Chapter Generally, a Customer Edge (CE) can connect to only one Virtual Private Network (VPN). If multiple VPNs need to be divided, multiple CEs are required. The Multi-VPN-Instance CE (MCE) technology enables a CE to be connected to multiple VPNs.
Page 53: Introduction To Mce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration 2.1 Introduction to MCE MCE isolates different services or users by using the route multi-instance on the CE. 2.1.1 MCE Overview MCE isolates different services or users by using the route multi-instance on the CE.
Page 54: Mce Functions Supported By The Ar1200
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration An edge router that is located in an SP network. A PE is an edge device in the SP network and is directly connected to the CE and MCE. In an MPLS network, PEs process all VPN services.
Page 55: Establishing The Configuration Task
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration 2.2.1 Establishing the Configuration Task Applicable Environment To connect a CE to multiple VPNs and isolate services of these VPNs, you need to configure MCE functions. Before configuring MCE functions, you need to configure VPN instances on an MCE and a PE.
Page 56: Binding An Interface With A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration NOTE The name of a VPN instance is case-sensitive. For example, "vpn1" and "VPN1" are taken as different VPN instances. Step 3 Run the route-distinguisher route-distinguisher command to configure an RD for the VPN instance.
Page 57: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration The interface is bound to the VPN instance. NOTE The running of the ip binding vpn-instance command on an interface can delete the Layer 3 attributes, such as the IP address and routing protocol. If these Layer 3 attributes are still required, you need to configure them again.
Page 58: Optional) Configuring A Static Route Between An Mce And A Site
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Pre-configuration Tasks Before configuring a route multi-instance between an MCE and a site, complete the following task: 2.2 Configuring a VPN Instance Data Preparation To configure a route multi-instance between an MCE and a site, you need the following data.
Page 59: Optional) Configuring Rip Between An Mce And A Site
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Procedure Step 1 Run the system-view command to enter the system view. Step 2 Run the ip route-static vpn-instance vpn-source-name destination-address { mask | mask- length }{ interface-type interface-number [ gateway-address ] | vpn-instance vpn-destination- name gateway-address | gateway-address } [ preference preference ] [ track bfd-session cfg- name ] [ description description ] command to configure a static route to the site.
Page 60: Optional) Configuring Is-Is Between An Mce And A Site
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration NOTE In this step, you must specify vpn-instance vpn-instance-name. Step 3 (Optional) Run the import-route { limit limit-number | protocol [ process-id ] [ cost cost | route-policy route-policy-name | tag tag | type type ] } command to import routes from other routing protocols.
Page 61: Configuring A Route Multi-Instance Between An Mce And A Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration [MCE] display ip routing-table vpn-instance vpnb Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: vpnb Destinations : 7 Routes : 7 Destination/Mask Proto...
Page 62: Optional) Configuring A Static Route Between An Mce And A Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Data (Optional) RIP process number, address of the network segment where the interface bound to the VPN instance is located, type and process number of the routing protocol run between an MCE and a site, cost...
Page 63: Optional) Configuring Ospf Between An Mce And A Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Context Do as follows on the MCE. You need to perform similar configurations on a PE. For details, refer to manuals of corresponding products. Procedure Step 1 Run the system-view command to enter the system view.
Page 64: Optional) Configuring Is-Is Between An Mce And A Pe
2.4.6 Checking the Configuration Run the display ip routing-table vpn-instance command on the PE, and you can find the routes to the local VPN. Take Huawei Huawei AR1200 Series as an example. The information is displayed as follows: [PE1] display ip routing-table vpn-instance vpnb...
Page 65: Mce Configuration Examples
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration 2.5 MCE Configuration Examples This section provides several configuration examples of MCE. 2.5.1 Example for Configuring MCE Networking Requirements As shown in Figure 2-2, the networking is as follows: CE1, CE2, CE3, and CE4 are edge devices of the VPN.
Page 66: Configuration Procedure
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Configuration Roadmap The configuration roadmap is as follows: Create VLANs on the MCE, PE2, CE3, and CE4, and add the interfaces connecting these devices to the VLANs. Create and configure VPN instances on the MCE and PE2.
Page 67 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration Create and configure VPN instances. # Create VPN instances on the MCE. [MCE] ip vpn-instance vpna [MCE-vpn-instance-vpna] ipv4-family [MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 [MCE-vpn-instance-vpna-af-ipv4] quit [MCE-vpn-instance-vpna] quit [MCE] ip vpn-instance vpnb...
Page 68 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration [MCE] ospf 100 vpn-instance vpna [MCE-ospf-100] area 0 [MCE-ospf-100-area-0.0.0.0] network 172.19.0.0 0.0.255.255 [MCE-ospf-100-area-0.0.0.0] quit [MCE-ospf-100] quit [MCE] ospf 200 vpn-instance vpnb [MCE-ospf-200] area 0 [MCE-ospf-200-area-0.0.0.0] network 172.18.0.0 0.0.255.255 [MCE-ospf-200-area-0.0.0.0] quit...
Page 69 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration [PE1] display ip routing-table vpn-instance vpnb Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: vpnb Destinations : 3 Routes : 3 Destination/Mask Proto...
Page 70 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration import-route rip 200 area 0.0.0.0 network 172.16.0.0 0.0.255.255 network 172.18.0.0 0.0.255.255 rip 100 vpn-instance vpna version 2 network 172.17.0.0 import-route ospf 100 rip 200 vpn-instance vpnb version 2 network 172.16.0.0...
Page 71 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 2 MCE Configuration network 192.168.1.0 import-route direct return Configuration file of CE4 sysname CE4 vlan batch 20 interface Vlanif20 ip address 172.17.1.1 255.255.0.0 interface Ethernet0/0/1 port trunk allow-pass vlan 20 rip 100 version 2 network 172.17.0.0...
Page 72: Bgp Mpls Ip Vpn Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration BGP MPLS IP VPN Configuration About This Chapter This chapter describes the BGP/MPLS IP VPN configuration, including the introduction to the BGP/MPLS IP VPN, common networking of the BGP/MPLS IP VPN, and configurations to ensure the reliability of the BGP/MPLS IP VPN.
Page 73 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration After LDP LSPs are established for the labeled BGP routes of the public network, EBGP connections in multi-hop mode are established between PEs of different ASs to exchange VPNv4 routes.
Page 74: Introduction To Bgp/Mpls Ip Vpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.1 Introduction to BGP/MPLS IP VPN This section describes the concepts and roles of the PE, P, and CE. BGP/MPLS IP VPN is a PE-based L3VPN technology used in the Provider Provisioned VPN (PPVPN) solution.
Page 75: Configuring A Vpn Instance Enabled With The Ipv4 Address Family
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Basic Networking The AR1200 uses the Multi-protocol Extensions for Border Gateway Protocol (MP-BGP) to achieve the VPN route exchange between PEs. The static route, Routing Information Protocol...
Page 76: Establishing The Configuration Task
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.3.1 Establishing the Configuration Task Before configuring a VPN instance enabled with an IPv4 address family, familiarize yourself with the applicable environment, complete the pre-configuration tasks, and obtain the data required for the configuration.
Page 77: Creating A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Data (Optional) Tunnel policy 3.3.2 Creating a VPN Instance Configuring a VPN instance is the preliminary step for configuring other VPN attributes. After a VPN instance is configured, a VPN routing and forwarding table is created.
Page 78 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Context Perform the following steps on the PE that is configured with VPN instances. NOTE It is recommended to perform either Step 6 or Step 7.
Page 79: Optional) Configuring Mpls Label Allocation Based On The Vpn Instance Ipv4 Address Family
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE If the routing-table limit command is run, the system gives a prompt when the number of routes injected into the routing table of the VPN instance IPv4 address family exceeds the maximum. If the routing-table...
Page 80: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 2 Run: ip vpn-instance vpn-instance-name The VPN instance view is displayed. Step 3 Run: ipv4-family The IPv4 address family is enabled for the VPN instance and the VPN instance IPv4 address family view is displayed.
Page 81: Configuring Basic Bgp/Mpls Ip Vpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run the display ip vpn-instance verbose command. If detailed information about the VPN instance is displayed, it means the configuration succeeded. For example: <Huawei> display ip vpn-instance verbose...
Page 82: Configuring A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration You can configure MP-IBGP to exchange routes between PEs. To exchange routes between the PE and CE, you can configure static routes, RIP multi-instance, OSPF multi-instance, IS-IS multi-instance, or BGP based on the specific networking situations.
Page 83: Binding An Interface With A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure Step 1 For the details, see Configuring VPN Instances. ----End 3.4.3 Binding an Interface with a VPN Instance After associating an interface with a VPN instance, you can change the interface to a VPN interface.
Page 84 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Context By default, no router ID is configured for a BGP VPN instance IPv4 address family, and the BGP router ID is used. This makes different BGP VPN instance IPv4 address families on the same device have the same router ID.
Page 85: Configuring Mp-Ibgp Between Pes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration A router ID or automatic route ID selection is configured for the current BGP VPN instance IPv4 address family. ----End 3.4.5 Configuring MP-IBGP Between PEs By importing extended community attributes to BGP, MP-IBGP can advertise VPNv4 routes between PEs.
Page 86 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Context Select one of the following configurations as required: Configuring EBGP between a PE and a CE Configuring IBGP between a PE and a CE...
Page 87 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration (Optional) When the direct route of the local CE needs to be imported to the VPN routing table (for being advertised to the remote PE), you can choose either of the following configurations: –...
Page 88 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration CAUTION In the case of multi-homed CE, the BGP AS substitution function may lead to route loops. Perform the following steps on the CE: Run: system-view The system view is displayed.
Page 89 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration An AS number for the VPN instance IPv4 address family is specified. During network transfer or service identification, a device needs to be simulated as multiple BGP devices logically.
Page 90 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE For details, see the chapter "IP Static Route Configuration" in the Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing. Run: system-view The system view is displayed.
Page 91 Perform the following steps on the PE. The CE is configured with OSPF. The configurations are common, therefore not mentioned here. NOTE For details, see Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing. Run: system-view The system view is displayed.
Page 92 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration domain-id domain-id [ secondary ] The domain ID is configured. The domain ID can be expressed by an integer or in dotted decimal notation. You can configure two domain IDs for each OSPF process. The domain IDs of different processes are independent of each other.
Page 93 Perform the following steps on the PE. The CE is configured with IS-IS. The configurations are common, therefore not mentioned here. NOTE For details, see Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Routing. Run: system-view The system view is displayed.
Page 94: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The level of the router is configured. By default, the level of a router is Level-1-2. Run: import-route bgp [ cost-type { external | internal } | cost cost | tag tag | route-policy route-policy-name | [ level-1 | level-2 | level-1-2 ] ] The BGP route is imported.
Page 95: Configuring Hub And Spoke
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure Run the display ip routing-table vpn-instance vpn-instance-name command to check routing information about the specified VPN instance IPv4 address family on the PE. Run the display ip routing-table command to check routing information on the CE.
Page 96: Creating A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Data Data for configuring a VPN instance: l Name of the VPN instance l (Optional) Description of the VPN instance l RD, VPN target attribute of the VPN instance IPv4 address families...
Page 97 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The name of the VPN instance is case sensitive. For example, vpn1 and VPN1 are considered different VPN instances. Step 3 (Optional) Run: description description-information The description about the VPN instance is configured.
Page 98: Configuring Route Attributes Of The Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration You can define the maximum number of prefixes for a VPN instance IPv4 address family to avoid importing excessive prefixes. Step 9 (Optional) Run: limit-log-interval interval The frequency of displaying logs when the number of routes exceeds the threshold is configured.
Page 99 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The VPN instance IPv4 address family view is displayed. 10. Run: vpn-target vpn-target2 &<1-8> export-extcommunity The VPN target extended community for the VPN instance IPv4 address family is created to advertise the routes of all the Hubs and Spokes.
Page 100: Binding An Interface With The Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.5.4 Binding an Interface with the VPN Instance After associating an interface with a VPN instance, you can change the interface to a VPN interface. As a result, packets that pass through the interface are forwarded based on the forwarding information of the VPN instance, and such Layer 3 attributes as IP address and routing protocol that are configured for the interface are deleted.
Page 101: Configuring Route Exchange Between Pe And Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Perform the following steps on the Hub-PE and Spoke-PE. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: bgp as-number The BGP view is displayed.
Page 102 Configuring IGP between the Hub-PE and Hub-CE In this way, instead of BGP, IGP or static routes are adopted between the Spoke-PE and the Spoke-CE. For details, refer to the chapter "BGP/MPLS IP VPN" in the Huawei AR1200 Series Enterprise Routers Feature Desripiton- VPN.
Page 103: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Follow-up Procedure Choose one of the preceding methods as required. For detailed configurations, see Configuring a Routing Protocol Between PE and CE. 3.5.7 Checking the Configuration After Hub and Spoke networking is configured, you can view VPN routing information on the PE or CE.
Page 104: Configuring Inter-As Vpn Option A
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.6 Configuring Inter-AS VPN Option A In inter-AS VPN OptionA, an ASBR takes the peer ASBR as its CE and advertises VPNv4 routes to the peer ASBR through EBGP.
Page 105: Establishing Inter-As Vpn Option A
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Data IP address of the PE interface connected with the PE AS number of the PE IP addresses of the interfaces connected the ASBRs Routing protocol configured between the PE and CE: static routes, RIP, OSPF, IS-...
Page 106 Run the display bgp vpnv4all routing-table command on the PE or the ASBR, and you can view the VPNv4 routes on ASBR. <Huawei> display bgp vpnv4 all all routing-table Local AS number : 100 BGP Local router ID is 2.2.2.9 Status codes: * - valid, >...
Page 107: Configuring Inter-As Vpn Option B
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration <Huawei> display ip routing-table vpn-instance Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Tables: vpn1 Destinations : 3 Routes : 3...
Page 108: Configuring Mp-Ibgp Between Pes And Asbrs In The Same As
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Data Data for configuring a VPN instance on the PE: l Name of the VPN instance l (Optional) Description of the VPN instance l RD, VPN target attribute of the VPN instance IPv4 address families...
Page 109: Configuring Mp-Ebgp Between Asbrs In Different Ass
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE The 32-bit mask IP addresses of the loopback interfaces must be used to establish the MP-IBGP peer relationship between PEs. This can ensure that the tunnel can be iterated. The route destined to the loopback interface is advertised to the remote PE based on IGP on the MPLS backbone network.
Page 110: Controlling The Receiving And Sending Of Vpn Routes By Using Routing Policies
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The BGP view is displayed. Step 7 Run: peer ipv4-address as-number as-number The peer ASBR is specified as the EBGP peer. Step 8 (Optional) Run: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ] The maximum number of hops is configured for the EBGP connection.
Page 111 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration bgp as-number The BGP view is displayed. Run: ipv4-family vpnv4 [ unicast ] The BGP-VPNv4 address family is displayed. Run: undo policy vpn-target The VPN IPv4 routes are not filtered by the VPN target.
Page 112: Optional) Storing Information About The Vpn Instance On The Asbr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The BGP-VPNv4 address family is displayed. Run: peer ipv4-address route-policy route-policy-name { export | import } The routing policy is applied to controlling the VPN IPv4 routing information.
Page 113: Optional) Enabling Next-Hop-Based Label Allocation On The Asbr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The MPLS label is allocated based on the VPN instance IPv4 address family, which ensures that all the routes in a VPN instance use the same MPLS label.
Page 114: Configuring The Routing Protocol Between Ce And Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 3 Run: ipv4-family vpnv4 The BGP VPNv4 view is displayed. Step 4 Run: apply-label per-nexthop The next-hop-based label allocation for IPv4 VPN routes is enabled on the ASBR.
Page 115 Run the display bgp vpnv4 all routing-table command on the ASBR. If the VPN IPv4 routes are displayed, the configuration is successful. <Huawei> display bgp vpnv4 all all routing-table Local AS number : 100 BGP Local router ID is 2.2.2.9 Status codes: * - valid, >...
Page 116: Configuring Inter-As Vpn Option C (Solution 1)
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 1.1.1.1/32 Direct 0 127.0.0.1 Ethernet2/0/0 5.5.5.0/24 Static 60 1.1.1.2 Ethernet2/0/0 Run the display mpls lsp command on the ASBR. If information about the LSP and label is displayed, it means that the configuration succeeds.
Page 117: Enabling The Labeled Ipv4 Route Exchange
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuring IGP for MPLS backbone networks in each AS to realize IP connectivity of the backbones in one AS Configuring basic MPLS capability and MPLS LDP for the MPLS backbone network...
Page 118 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure Configuring the PE Run: system-view The system view is displayed. Run: bgp as-number The BGP view is displayed. Run: peer ipv4-address label-route-capability The exchange of the labeled IPv4 routes with the ASBR in the same AS is enabled.
Page 119: Configuring A Routing Policy To Control Label Distribution
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration By default, BGP peers cannot process labeled IPv4 routes. Run: peer ipv4-address as-number as-number The peer ASBR is specified as the EBGP peer. (Optional) Run: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ] The maximum number of hops is configured for the EBGP connection.
Page 120: Establishing The Mp-Ebgp Peer Relationship Between Pes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The IPv4 routes with labels are matched. Run: apply mpls-label The label is allocated to the IPv4 route. Run: quit Return to the system view.
Page 121 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE If you want to use inter-AS TE tunnels to transmit traffic in inter-AS OptionC networking, perform the following steps on PEs, so that the loopback interface IP addresses of PEs used for peer relationship establishment can be advertised to peer PEs.
Page 122: Configuring The Route Exchange Between Ce And Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run: bgp as-number The BGP view is displayed. Run: ipv4-family vpnv4 [ unicast ] The BGP VPNv4 address family is displayed. Run: peer ipv4-address enable The exchange of VPN IPv4 routes with the peer RR is enabled.
Page 123: Configuring Inter-As Vpn Option C (Solution 2)
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run the display bgp routing-table label command on the ASBR. If information about the label of the IPv4 route is displayed, the configuration is successful.
Page 124: Establishing The Ebgp Peer Relationship Between Asbrs
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuring a name for the prefix list used to filter labeled BGP routes of the public network Data Preparation To configure inter-AS VPN-Option C, you need the following data.
Page 125: Advertising The Routes Of The Pe In The Local As To The Remote Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The view of the interface that connects the remote ASBR is displayed. Run: ip address ip-address { mask | mask-length } The IP address is configured.
Page 126: Enabling The Capability Of Exchanging Labeled Ipv4 Routes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Return to the system view. The BGP routes are imported to IGP. Perform the following steps on the peer ASBR: Run: system-view The system view is displayed.
Page 127: Establishing An Ldp Lsp For The Labeled Bgp Routes Of The Public Network
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run: bgp as-number The BGP view is displayed. Run: peer ipv4-address route-policy route-policy-name export The routing policy applied to advertise routes to the remote ASBR is configured.
Page 128: Establishing The Mp-Ebgp Peer Relationship Between Pes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure An LDP LSP is established for the labeled BGP routes of the public network that is filtered by the IP prefix list. Perform the following steps on ASBRs:...
Page 129: Configuring The Route Exchange Between A Ce And A Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The BGP VPNv4 sub-address family view is displayed. Run: peer ipv4-address enable The VPNv4 route exchange capability with the remote PE is enabled. ----End 3.9.7 Configuring the Route Exchange Between a CE and a PE The routing protocol between a PE and a CE can be BGP, static route, or IGP.
Page 130: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The BGP view is displayed. Run: peer ipv4-address as-number The PE is configured as the peer. (Optional) Run: peer { ipv4-address | group-name } ebgp-max-hop [ hop-count ] The maximum number of hops in the EBGP connection is specified.
Page 131 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run the display bgp vpnv4 all routing-table command on a PE and an ASBR. The command output shows that BGP VPNv4 routes and BGP VPN instance routes are on the PE, but not on the ASBR.
Page 132: Configuring Hovpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.10 Configuring HoVPN HoVPN indicates a hierarchical VPN in which multiple PEs play different roles and form a hierarchical structure. With this structure, these PEs function as one PE, and the performance requirements for the PEs are lowered.
Page 133: Advertising Default Routes Of A Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 4 Run: ipv4-family vpnv4 [ unicast ] The BGP VPNv4 sub-address family is displayed. Step 5 Run: peer { ipv4-address | group-name } enable The capability of exchanging BGP VPNv4 routing information with the peer is enabled.
Page 134: Configuring A Multi-Vpn-Instance Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Prerequisites The configurations of the HoVPN function are complete Procedure Run the display ip routing-table command to check the routing table on the CE. ----End Example Run the display ip routing-table on the CE connected with the UPE.
Page 135: Configuring The Ospf Multi-Instance On The Pe
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuring the link layer protocol and network layer protocol for LAN interfaces and connecting the LAN to the multi-instance CE (each service using an interface to access the...
Page 136: Configuring The Ospf Multi-Instance On The Multi-Instance Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 5 Run: quit The OSPF view is displayed. Step 6 Run: import-route bgp The BGP route is imported. Step 7 Run: quit Return to the system view.
Page 137: Canceling The Loop Detection On The Multi-Instance Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The OSPF area view is displayed. Step 4 Run: network ip-address wildcard-mask The IP address of the interface connected the PE is advertised. NOTE If the multi-instance CE does not learn the routes of a LAN through the OSPF multi-instance of the process, the routes of the LAN need to be imported to the OSPF instances of the process.
Page 138: Connecting Vpn And The Internet
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Example Run the display ip routing-table vpn-instance command on the multi-instance CE to check the VPN routing table. If there are routes to the LAN and the remote nodes for each service, the configuration is successful.
Page 139: Configuring The Static Route On The Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.12.2 Configuring the Static Route on the CE This section describes how to configure static routes on CEs to forward packets from the VPN to the Internet.
Page 140: Configuring The Static Route To Vpn On The Device Of The Public Network
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The static route from the VPN to the Internet is configured and the next-hop address is a public network address. ----End 3.12.4 Configuring the Static Route to VPN on the Device of the...
Page 141: Configuring Ip Frr Of A Private Network
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Example Run the display ip routing-table vpn-instance command on the PE. The command output shows that the route to the CE and the route to the destination router in the public network exist in the VPN routing table.
Page 142: Establishing The Configuration Task
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.13.1 Establishing the Configuration Task Before configuring IP FRR for the private network, familiarize yourself with the applicable environment, pre-configuration tasks, and required data. This can help you complete the configuration task quickly and accurately.
Page 143: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 2 Run: route-policy route-policy-name { permit | deny } node node The routing policy node is created and the routing policy view is displayed.
Page 144: Configuring Vpn Frr
PE, and you can view the backup outgoing interface and the backup next hop of the VPN instance. <Huawei> display ip routing-table vpn-instance vpn1 10.5.1.0 verbose Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------...
Page 145: Configuring Manual Vpn Frr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration CAUTION Configuring the lsp-trigger command on the P is not recommended when an LSP is created on the VPN backbone network. Use the default configuration on the P. Otherwise, VPN FRR switchback may fail.
Page 146: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The VPN instance view is displayed. Step 6 Run: ipv4-family The VPN instance IPv4 address family view is displayed. Step 7 Run: vpn frr route-policy route-policy-name The VPN FRR is enabled.
Page 147: Configuring The Client Pes To Establish Mp Ibgp Connections With The Rr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration VPN routing information. That is, MP IBGP peers must establish full connections between each other. Suppose there are n PEs (including ASBRs) in an AS, n (n-1)/2 MP IBGP connections need to be established.
Page 148: Configuring The Rr To Establish Mp Ibgp Connections With The Client Pes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The BGP view is displayed. Step 3 Run: peer ipv4-address as-number as-number The RR is specified as the BGP peer. Step 4 Run: peer ipv4-address connect-interface interface-type interface-number The interface is specified as an interface to establish the TCP connection.
Page 149: Configuring Route Reflection For Bgp Ipv4 Vpn Routes
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration The interface is specified as an interface to establish the TCP connection. The interface IP address must be the same as the MPLS LSR ID. It is recommended to specify a loopback interface to establish the TCP connection.
Page 150: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Context Perform the following steps on the RR. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: bgp as-number The BGP view is displayed.
Page 151 RR or the Client PEs. <Huawei> display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes BGP Local router ID is 1.1.1.9 Status codes: * - valid, > - best, d - damped,...
Page 152: Configuring Route Reflection To Optimize The Vpn Access Layer
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Peer Members: Peer MsgRcvd MsgSent OutQ Up/Down State PrefRcv 2.2.2.2 0 00:11:12 Established 3.16 Configuring Route Reflection to Optimize the VPN Access Layer If a PE and the connected CEs are in the same AS, you can deploy a BGP route RR to reduce the number of IBGP connections between CEs and facilitate maintenance and management.
Page 153: Configuring All Client Ces To Establish Ibgp Connections With The Rr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.16.2 Configuring All Client CEs to Establish IBGP Connections with the RR This section describes how to configure an IBGP connection between the client (a CE) and the RR to reflect VPNv4 routes.
Page 154: Configuring Route Reflection For The Routes Of The Bgp Vpn Instance
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run: bgp as-number The BGP view is displayed. Run: ipv4-family vpn-instance vpn-instance-name The BGP VPN instance IPv4 address family view is displayed. Run: group group-name [ internal ] An IBGP peer group is created.
Page 155: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Context Perform the following steps on the RR. Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: bgp as-number The BGP view is displayed.
Page 156 You can view the routing information advertised by the RR to the Client CE or the routing information advertised by the Client CE to the RR after running the display bgp vpnv4 all routing-table peer command on the RR. <Huawei> display bgp vpnv4 all routing-table peer 2.2.2.9 received-routes Issue 01 (2012-04-20) Huawei Proprietary and Confidential...
Page 157 { advertised-routes | received-routes } command or display bgp vpnv4 all routing-table statistics command on the Client CE. <Huawei> display bgp routing-table peer 1.1.1.1 accepted-routes BGP Local router ID is 10.1.1.2 Status codes: * - valid, > - best, d - damped,...
Page 158: Maintaining Bgp/Mpls Ip Vpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 2.2.2.2 0 00:11:12 Established 3.17 Maintaining BGP/MPLS IP VPN This section describes how to maintain the BGP/MPLS IP VPN, which involves L3VPN traffic checking, network connectivity monitoring, BGP connection resetting.
Page 159: Checking The Network Connectivity And Reachability
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Run the display bgp vpnv4 { all | vpn-instance vpn-instance-name } peer [ [ ipv4- address ] verbose ] command to check BGP VPNv4 peer information.
Page 160: Resetting Bgp Statistics Of A Vpn Instance Ipv4 Address Family
VPN on the PE as the source address of the ICMP packet. If no route to the selected address exists on the CE, the ICMP packet sent back from the peer PE is discarded. <Huawei> ping -a 202.38.160.243 -c 8 10.1.1.2 PING 10.1.1.2: 56 data bytes, press CTRL_C to break Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=32 ms...
Page 161: Configuration Examples
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure Run the refresh bgp vpn-instance vpn-instance-name ipv4-family { all | ipv4-address | group group-name | internal | external } import command in the user view to trigger the inbound soft reset of the VPN instance IPv4 address family's BGP connection.
Page 162 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Figure 3-2 BGP/MPLS IP VPN networking diagram AS: 65410 AS: 65430 VPN-A VPN-A Eth1/0/0 Eth1/0/0 10.3.1.1/24 10.1.1.1/24 Loopback1 2.2.2.9/32 Eth1/0/0 Eth1/0/0 10.3.1.2/24 10.1.1.2/24 Eth2/0/0 Eth1/0/0 172.2.1.1/24...
Page 163 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration <Huawei> system-view [Huawei] sysname PE1 [PE1] interface loopback 1 [PE1-LoopBack1] ip address 1.1.1.9 32 [PE1-LoopBack1] quit [PE1] interface ethernet2/0/1 [PE1-Ethernet2/0/1] ip address 172.1.1.1 24 [PE1-Ethernet2/0/1] quit...
Page 164 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.3.3.9/32 OSPF 172.1.1.2 Ethernet2/0/1 127.0.0.0/8 Direct 0 127.0.0.1 InLoopBack0 127.0.0.1/32 Direct 0 127.0.0.1 InLoopBack0 172.1.1.0/24 Direct 0 172.1.1.1 Ethernet2/0/1 172.1.1.1/32 Direct 0 127.0.0.1 InLoopBack0 172.2.1.0/24 OSPF 172.1.1.2...
Page 165 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration LDP Session(s) in Public Network Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM) A '*' before a session means the session is being deleted. ------------------------------------------------------------------------- PeerID Status...
Page 166 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both [PE1-vpn-instance-vpna-af-ipv4] quit [PE1-vpn-instance-vpna] quit [PE1] ip vpn-instance vpnb [PE1-vpn-instance-vpnb] ipv4-family [PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2 [PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both [PE1-vpn-instance-vpnb-af-ipv4] quit [PE1-vpn-instance-vpnb] quit...
Page 167 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Log Interval : 5 VPN-Instance Name and ID : vpnb, 2 Interfaces : Ethernet2/0/0 Address family ipv4 Create date : 2009/01/21 11:31:18 Up time : 0 days, 00 hours, 04 minutes and 36 seconds...
Page 168 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Step 6 Verify the configuration. Running the display ip routing-table vpn-instance command on the PE, you can find the route to peer CEs. Use PE1 as an example.
Page 169 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration vpn-target 111:1 import-extcommunity ip vpn-instance vpnb ipv4-family route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity mpls lsr-id 1.1.1.9 mpls mpls ldp interface Ethernet1/0/0 ip binding vpn-instance vpna ip address 10.1.1.2 255.255.255.0...
Page 170 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration interface Ethernet2/0/0 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp interface LoopBack1 ip address 2.2.2.9 255.255.255.255 ospf 1 area 0.0.0.0 network 172.1.1.0 0.0.0.255 network 172.2.1.0 0.0.0.255 network 2.2.2.9 0.0.0.0...
Page 171 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration peer 10.4.1.1 as-number 65440 import-route direct ospf 1 area 0.0.0.0 network 172.2.1.0 0.0.0.255 network 3.3.3.9 0.0.0.0 return Configuration file of CE1 sysname CE1 interface Ethernet1/0/0 ip address 10.1.1.1 255.255.255.0...
Page 172: Example For Configuring The Bgp As Number Substitution
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration peer 10.4.1.2 as-number 100 ipv4-family unicast undo synchronization import-route direct peer 10.4.1.2 enable return 3.18.2 Example for Configuring the BGP AS Number Substitution If two VPN sites have the same AS number, and EBGP connections are established between PEs and CEs, you must enable the AS number substitution function on the PEs that the two VPN sites access.
Page 173 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configure the BGP AS number substitution on the PE. Data Preparation To configure the BGP AS number substitution, you need the following data: MPLS LSR-IDs of the PE and the P...
Page 174 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 10.1.1.0/24 EBGP 1.1.1.9 GigabitEthernet2/0/0 10.1.1.1/32 EBGP 1.1.1.9 GigabitEthernet2/0/0 10.1.1.2/32 EBGP 1.1.1.9 GigabitEthernet2/0/0 10.2.1.0/24 Direct 10.2.1.2 GigabitEthernet1/0/0 10.2.1.1/32 Direct 10.2.1.1 GigabitEthernet1/0/0 10.2.1.2/32 Direct 127.0.0.1 InLoopBack0 100.1.1.0/24 EBGP 1.1.1.9...
Page 175 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [CE1] ping -a 100.1.1.1 200.1.1.1 PING 200.1.1.1: 56 data bytes, press CTRL_C to break Reply from 200.1.1.1: bytes=56 Sequence=1 ttl=253 time=109 ms Reply from 200.1.1.1: bytes=56 Sequence=2 ttl=253 time=67 ms Reply from 200.1.1.1: bytes=56 Sequence=3 ttl=253 time=66 ms...
Page 176 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ipv4-family unicast undo synchronization peer 3.3.3.9 enable ipv4-family vpnv4 policy vpn-target peer 3.3.3.9 enable ipv4-family vpn-instance vpn1 peer 10.1.1.1 as-number 600 peer 10.1.1.1 substitute-as import-route direct ospf 1 area 0.0.0.0...
Page 177: Example For Configuring Hub And Spoke
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ip address 30.1.1.2 255.255.255.0 mpls mpls ldp interface LoopBack1 ip address 3.3.3.9 255.255.255.255 bgp 100 peer 1.1.1.9 as-number 100 peer 1.1.1.9 connect-interface LoopBack1 ipv4-family unicast undo synchronization peer 1.1.1.9 enable...
Page 178 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Figure 3-4 Hub and Spoke networking diagram AS: 65430 Hub-CE Eth1/0/0 Eth2/0/0 110.1.1.1/24 110.2.1.1/24 Eth2/0/1 Eth1/0/1 110.1.1.2/24 110.2.1.2/24 Hub-PE Eth1/0/0 Eth2/0/0 10.1.1.2/24 11.1.1.2/24 Loopback1 Loopback1 Loopback1 1.1.1.9/32...
Page 179 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration MPLS LSR IDs on the PEs The VPN instance name of the Hub-PE and Spoke-PE, RD and the VPN-target Procedure Step 1 Configure IGP to implement the inter-networking between the Hub-PE and the Spoke-PE in the backbone network.
Page 180 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [Spoke-PE2-Ethernet1/0/0] ip binding vpn-instance vpna [Spoke-PE2-Ethernet1/0/0] ip address 120.1.1.2 24 [Spoke-PE2-Ethernet1/0/0] quit # Configure Hub-PE. <Hub-PE> system-view [Hub-PE] ip vpn-instance vpn_in [Hub-PE-vpn-instance-vpn_in] ipv4-family [Hub-PE-vpn-instance-vpn_in-af-ipv4] route-distinguisher 100:21...
Page 181 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [Spoke-CE2-bgp] peer 120.1.1.2 as-number 100 [Spoke-CE2-bgp] import-route direct [Spoke-CE2-bgp] quit # Configure Spoke-PE 2. [Spoke-PE2] bgp 100 [Spoke-PE2-bgp] ipv4-family vpn-instance vpna [Spoke-PE2-bgp-vpna] peer 120.1.1.1 as-number 65420...
Page 182 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration After the configuration, run the display bgp peer or display bgp vpnv4 all peer command on each PE device. You can see the BGP peer relationship is set up between the PEs, and the status is Established.
Page 183 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ipv4-family unicast undo synchronization import-route direct peer 100.1.1.2 enable return Configuration file of Spoke-PE 1 sysname Spoke-PE1 ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 100:1 export-extcommunity vpn-target 200:1 import-extcommunity mpls lsr-id 1.1.1.9...
Page 184 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration mpls ldp interface Ethernet1/0/0 ip binding vpn-instance vpna ip address 120.1.1.2 255.255.255.0 interface Ethernet2/0/0 ip address 11.1.1.1 255.255.255.0 mpls mpls ldp interface LoopBack1 ip address 3.3.3.9 255.255.255.255 bgp 100 peer 2.2.2.9 as-number 100...
Page 185 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration undo synchronization import-route direct peer 110.2.1.2 enable peer 110.1.1.2 enable return Configuration file of Hub-PE sysname Hub-PE ip vpn-instance vpn_in ipv4-family route-distinguisher 100:21 vpn-target 100:1 import-extcommunity...
Page 186: Example For Configuring Inter-As Vpn Option A
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration import-route direct ospf 1 area 0.0.0.0 network 2.2.2.9 0.0.0.0 network 10.1.1.0 0.0.0.255 network 11.1.1.0 0.0.0.255 return 3.18.4 Example for Configuring Inter-AS VPN Option A After VPN instances are configured on ASBRs, you can implement the OptionA solution to manage VPN routes in VRF-to-VRF mode.
Page 187 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Create the VPN instance on two ASBRs and bind the instance to the interface connected another ASBR. Set up the EBGP peer relationship between ASBRs...
Page 188 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [ASBR2-mpls-ldp] quit [ASBR2] interface gigabitethernet1/0/0 [ASBR2-GigabitEthernet1/0/0] mpls [ASBR2-GigabitEthernet1/0/0] mpls ldp [ASBR2-GigabitEthernet1/0/0] quit # Configure basic MPLS capability on PE2 and enable LDP on the interface connecting ASBR2.
Page 189 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1-bgp-vpn1] quit [PE1-bgp] quit # Configure PE1 to set up the MP-IBGP peer relationship with ASBR1. [PE1] bgp 100 [PE1-bgp] peer 2.2.2.9 as-number 100 [PE1-bgp] peer 2.2.2.9 connect-interface loopback 1 [PE1-bgp] ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 2.2.2.9 enable...
Page 190 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration # Configure ASBR2. Create a VPN instance and bind it to the interface connected to ASBR1. (ASBR2 regards ASBR1 as its CE after configuration.) [ASBR2] ip vpn-instance vpn1...
Page 191 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration round-trip min/avg/max = 78/117/141 ms Run the display ip routing-table vpn-instance command on ASBR to see the information of the VPN routing table. [ASBR1] display ip routing-table vpn-instance vpn1...
Page 192 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.0 bgp 65001 peer 10.1.1.2 as-number 100 ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable return Configuration file of PE1...
Page 193 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration vpn-target 1:1 export-extcommunity vpn-target 1:1 import-extcommunity mpls lsr-id 2.2.2.9 mpls mpls ldp interface GigabitEthernet1/0/0 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp interface GigabitEthernet2/0/0 ip binding vpn-instance vpn1 ip address 192.1.1.1 255.255.255.0...
Page 194 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration bgp 200 peer 4.4.4.9 as-number 200 peer 4.4.4.9 connect-interface LoopBack1 ipv4-family unicast undo synchronization peer 4.4.4.9 enable ipv4-family vpnv4 policy vpn-target peer 4.4.4.9 enable ipv4-family vpn-instance vpn1 peer 192.1.1.1 as-number 100...
Page 195: Example For Configuring Inter-As Vpn Option B
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration return Configuration file of CE2 sysname CE2 interface GigabitEthernet1/0/0 ip address 10.2.1.1 255.255.255.0 bgp 65002 peer 10.2.1.2 as-number 200 ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable...
Page 196 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuration Roadmap The configuration roadmap is as follows: Configure IGP on the backbone network to interconnect the ASBR and the PE in the same AS. Set up MPLS LDP LSP between the ASBR and the PE in the same AS.
Page 197 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration # Configure ASBR 1. Establish MP-EBGP peer with ASBR 2 and perform no VPN target filtering on the received VPNv4 routes, and then enable ASBR 1 to allocate labels based on the next hop.
Page 198 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration *> 10.2.1.0/24 192.1.1.2 200? ----End Configuration Files Configuration file of CE1 sysname CE1 interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.0 bgp 65001 peer 10.1.1.2 as-number 100...
Page 199 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration network 1.1.1.9 0.0.0.0 network 172.1.1.0 0.0.0.255 return Configuration file of ASBR 1 sysname ASBR1 mpls lsr-id 2.2.2.9 mpls mpls ldp interface GigabitEthernet1/0/0 ip address 172.1.1.1 255.255.255.0...
Page 200 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration bgp 200 peer 192.1.1.1 as-number 100 peer 4.4.4.9 as-number 200 peer 4.4.4.9 connect-interface LoopBack1 ipv4-family unicast undo synchronization peer 192.1.1.1 enable peer 4.4.4.9 enable ipv4-family vpnv4...
Page 201: Example For Configuring Inter-As Vpn Option C
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration network 162.1.1.0 0.0.0.255 return Configuration file of CE2 sysname CE2 interface GigabitEthernet1/0/0 ip address 10.2.1.1 255.255.255.0 bgp 65002 peer 10.2.1.2 as-number 200 ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable...
Page 202 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuration Roadmap The configuration roadmap is as follows: Set up the MP-EBGP peer relationship between PEs in different ASs and configure the maximum hops between PEs.
Page 203 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration For detailed configurations, see the following configuration files. Step 4 Configure the VPN instance on the PE and configure the CE to access the PE.
Page 204 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1] bgp 100 [PE1-bgp] peer 4.4.4.9 as-number 200 [PE1-bgp] peer 4.4.4.9 connect-interface LoopBack 1 [PE1-bgp] peer 4.4.4.9 ebgp-max-hop 10 [PE1-bgp] ipv4-family vpnv4 [PE1-bgp-af-vpnv4] peer 4.4.4.9 enable...
Page 205 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configuration Files Configuration file of CE1 sysname CE1 interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.0 bgp 65001 peer 10.1.1.2 as-number 100 ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable...
Page 206 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration network 1.1.1.9 0.0.0.0 network 172.1.1.0 0.0.0.255 return Configuration file of ASBR 1 sysname ASBR1 mpls lsr-id 2.2.2.9 mpls mpls ldp interface GigabitEthernet1/0/0 ip address 172.1.1.1 255.255.255.0...
Page 207 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration interface GigabitEthernet2/0/0 ip address 192.1.1.2 255.255.255.0 mpls interface LoopBack1 ip address 3.3.3.9 255.255.255.255 bgp 200 peer 192.1.1.1 as-number 100 peer 4.4.4.9 as-number 200 peer 4.4.4.9 connect-interface LoopBack1...
Page 208: Example For Configuring Inter-As Vpn Option C (Solution 2)
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ipv4-family unicast undo synchronization peer 1.1.1.9 enable peer 3.3.3.9 enable peer 3.3.3.9 label-route-capability ipv4-family vpnv4 policy vpn-target peer 1.1.1.9 enable ipv4-family vpn-instance vpn1 peer 10.2.1.1 as-number 65002...
Page 209 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Figure 3-8 Networking diagram of the inter-AS VPN BGP/MPLS Backbone BGP/MPLS Backbone AS 100 AS 200 Loopback1 Loopback1 2.2.2.9/32 3.3.3.9/32 GE1/0/0 GE1/0/0 GE2/0/0 GE2/0/0 172.1.1.1/24 162.1.1.1/24...
Page 210 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Procedure Step 1 Configure IGP on the MPLS backbone networks of AS100 and AS200. In this manner, PEs within each MPLS backbone network can be interconnected with ASBRs.
Page 211 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [ASBR1-route-policy] if-match mpls-token [ASBR1-route-policy] quit [ASBR1] bgp 100 [ASBR1-bgp] network 1.1.1.9 32 route-policy policy0 [ASBR1-bgp] quit # On ASBR2, advertise the loopback address of PE2 to ASBR1.
Page 212 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [ASBR1-mpls] quit [ASBR1] mpls ldp [ASBR1-mpls-ldp] quit [ASBR1] interface gigabitethernet 1/0/0 [ASBR1-GigabitEthernet1/0/0] mpls [ASBR1-GigabitEthernet1/0/0] mpls ldp [ASBR1-GigabitEthernet1/0/0] quit # Configure basic MPLS functions on ASBR2 and enable LDP on the interface connected with PE2.
Page 213 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration A '*' before an LSP means the LSP is not established A '*' before a Label means the USCB or DSCB is stale A '*' before a UpstreamPeer means the session is in GR state A '*' before a NextHop means the LSP is FRR LSP Step 5 Configure the capability of exchanging labeled IPv4 routes on ASBRs.
Page 214 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE2-vpn-instance-vpn1-af-ipv4] quit [PE2-vpn-instance-vpn1] quit [PE2] interface gigabitethernet 2/0/0 [PE2-GigabitEthernet2/0/0] ip binding vpn-instance vpn1 [PE2-GigabitEthernet2/0/0] ip address 10.2.1.2 24 [PE2-GigabitEthernet2/0/0] quit After the configuration, run the display ip vpn-instance verbose command on PEs to view the configurations of VPN instances.
Page 215 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [CE1-bgp] import-route direct [CE1-bgp] quit # Configure CE2. [CE2] bgp 65002 [CE2-bgp] peer 10.2.1.2 as-number 200 [CE2-bgp] import-route direct [CE2-bgp] quit # Configure PE1. [PE1] bgp 100 [PE1-bgp] ipv4-family vpn-instance vpn1 [PE1-bgp-vpn1] peer 10.1.1.1 as-number 65001...
Page 216 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=252 time=56 ms --- 10.2.1.1 ping statistics --- 5 packet(s) transmitted 5 packet(s) received 0.00% packet loss round-trip min/avg/max = 56/91/106 ms...
Page 217 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.0 bgp 65001 peer 10.1.1.2 as-number 100 ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable return Configuration file of PE1...
Page 218 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration lsp-trigger bgp-label-route mpls ldp interface GigabitEthernet1/0/0 ip address 172.1.1.1 255.255.255.0 mpls mpls ldp interface GigabitEthernet2/0/0 ip address 192.1.1.1 255.255.255.0 mpls interface LoopBack1 ip address 2.2.2.9 255.255.255.255 bgp 100 peer 192.1.1.2 as-number 200...
Page 219 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ospf 1 import-route bgp area 0.0.0.0 network 3.3.3.9 0.0.0.0 network 162.1.1.0 0.0.0.255 route-policy policy0 permit node 1 if-match mpls-token route-policy policy1 permit node 1 apply mpls-label...
Page 220: Example For Configuring Hovpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ip address 10.2.1.1 255.255.255.0 bgp 65002 peer 10.2.1.2 as-number 200 ipv4-family unicast undo synchronization import-route direct peer 10.2.1.2 enable return 3.18.8 Example for Configuring HoVPN After configuring HoVPN, you can enable multiple PEs to play different roles to form a hierarchical structure.
Page 221 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configure IGP in the backbone network and ensure the PEs can learn the loopback address from each other. Configure MPLS LSP between PEs. Create the VPN instance on the UPE and set up the EBGP peer relationship between the UPE and the CE1.
Page 222 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration # Configure CE1. <Huawei> system-view [Huawei] sysname CE1 [CE1] interface gigabitethernet 1/0/0 [CE1-GigabitEthernet1/0/0] ip address 10.1.1.1 24 [CE1-GigabitEthernet1/0/0] quit [CE1] bgp 65410 [CE1-bgp] peer 10.1.1.2 as-number 100...
Page 223 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration <SPE> system-view [SPE] bgp 100 [SPE-bgp] peer 1.1.1.9 as-number 100 [SPE-bgp] peer 1.1.1.9 connect-interface loopback 1 [SPE-bgp] peer 3.3.3.9 as-number 100 [SPE-bgp] peer 3.3.3.9 connect-interface loopback 1 [SPE-bgp] ipv4-family vpnv4 [SPE-bgp-af-vpnv4] peer 1.1.1.9 enable...
Page 224 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Reply from 10.2.1.1: bytes=56 Sequence=3 ttl=253 time=57 ms Reply from 10.2.1.1: bytes=56 Sequence=4 ttl=253 time=66 ms Reply from 10.2.1.1: bytes=56 Sequence=5 ttl=253 time=55 ms --- 10.2.1.1 ping statistics ---...
Page 225 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration undo synchronization import-route direct peer 10.1.1.2 enable return Configuration file of UPE sysname UPE ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 1:1 export-extcommunity vpn-target 1:1 import-extcommunity mpls lsr-id 1.1.1.9...
Page 226 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration interface GigabitEthernet1/0/0 ip address 172.1.1.2 255.255.255.0 mpls mpls ldp interface GigabitEthernet2/0/0 ip address 172.2.1.1 255.255.255.0 mpls mpls ldp interface LoopBack1 ip address 2.2.2.9 255.255.255.255 bgp 100 peer 1.1.1.9 as-number 100...
Page 227: Example For Configuring Multi-Vpn-Instance Ce
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ipv4-family unicast undo synchronization peer 2.2.2.9 enable ipv4-family vpnv4 policy vpn-target peer 2.2.2.9 enable ipv4-family vpn-instance vpna peer 10.2.1.1 as-number 65420 import-route direct ospf 1 area 0.0.0.0...
Page 228 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Figure 3-10 Networking diagram of example for Multi-VPN-Instance CE vpna vpna Eth1/0/0 Eth1/0/0 10.3.1.1/24 10.1.1.1/24 Loopback1 2.2.2.9/32 Eth2/0/1 Eth1/0/0 Eth2/0/0 Eth1/0/0 10.3.1.2/24 10.1.1.2/24 Eth2/0/1 192.1.1.1/24 192.1.1.2/24...
Page 229 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration On the MCE, the RIP process numbers used for importing the VPN routes of the CE3 should differ from that of the CE4. Procedure Step 1 Run OSPF on routers of the backbone network to implement internetworking.
Page 230 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1] interface ethernet2/0/0 [PE1-Ethernet2/0/0] ip binding vpn-instance vpnb [PE1-Ethernet2/0/0] ip address 10.2.1.2 24 [PE1-Ethernet2/0/0] quit # Configure PE2. <PE2> system-view [PE2] ip vpn-instance vpna [PE2-vpn-instance-vpna] ipv4-family...
Page 231 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1] display bgp vpnv4 all peer BGP local router ID : 1.1.1.9 Local AS number : 100 Total number of peers : 3 Peers in established state : 3...
Page 232 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [CE3] rip 100 [CE3-rip-100] version 2 [CE3-rip-100] network 10.0.0.0 [CE3-rip-100] import-route direct # Configure CE4. <Huawei> system-view [Huawei] sysname CE4 [CE4] rip 200 [CE4-rip-200] version 2 [CE4-rip-200] network 10.0.0.0...
Page 233 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=125 ms Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=125 ms Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=125 ms Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=125 ms Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=125 ms...
Page 234 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ip vpn-instance vpna ipv4-family route-distinguisher 100:1 vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity ip vpn-instance vpnb ipv4-family route-distinguisher 100:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity mpls lsr-id 1.1.1.9...
Page 235 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ip vpn-instance vpnb ipv4-family route-distinguisher 200:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity mpls lsr-id 2.2.2.9 mpls mpls ldp interface Ethernet1/0/0 ip address 172.1.1.2 255.255.255.0 mpls...
Page 236 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration vpn-target 111:1 export-extcommunity vpn-target 111:1 import-extcommunity ip vpn-instance vpnb ipv4-family route-distinguisher 300:2 vpn-target 222:2 export-extcommunity vpn-target 222:2 import-extcommunity interface Ethernet1/0/0 ip binding vpn-instance vpna ip address 192.1.1.2 255.255.255.0...
Page 237: Example For Connecting Vpn And Internet
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration rip 200 version 2 network 10.0.0.0 import-route direct return 3.18.10 Example for Connecting VPN and Internet By configuring a proxy service in the VPN, you can enable the VPN to interconnect with the Internet.
Page 238 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Data Preparation To complete the configuration, you need the following data: MPLS LSR ID on the PEs and the Ps RD of VPN VPN-Target of VPN Procedure Step 1 Configure IGP.
Page 239 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration [PE1] display ip vpn-instance Total VPN-Instances configured : 1 VPN-Instance Name Address-family vpn1 ipv4 Run the command display bgp vpnv4 all peer on PE and you can see that the IBGP peer and the EBGP peer are "Estabished".
Page 240 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 10.1.1.2/32 Direct 0 127.0.0.1 InLoopBack0 10.2.1.0/24 IBGP 3.3.3.3 GigabitEthernet2/0/0 10.2.1.1/32 IBGP 3.3.3.3 GigabitEthernet2/0/0 10.2.1.2/32 IBGP 3.3.3.3 GigabitEthernet2/0/0 100.3.1.1/32 EBGP 10.1.1.1 GigabitEthernet1/0/0 Run the display ip routing-table command on PE1 to display that the route to the proxy server exists in the public network routing table, and the IP address of next hop is 10.1.1.1.
Page 241 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration peer 10.1.1.2 as-number 100 ipv4-family unicast undo synchronization import-route direct peer 10.1.1.2 enable ip route-static 0.0.0.0 0.0.0.0 10.1.1.2 return Configuration file of PE1 sysname PE1...
Page 242 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration mpls lsr-id 2.2.2.2 mpls mpls ldp interface GigabitEthernet1/0/0 ip address 100.1.1.2 255.255.255.0 mpls mpls ldp interface GigabitEthernet2/0/0 ip address 100.2.1.1 255.255.255.0 mpls mpls ldp interface LoopBack1 ip address 2.2.2.2 255.255.255.255...
Page 243: Example For Configuring The Ip Frr Of The Private Network
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration area 0.0.0.0 network 3.3.3.3 0.0.0.0 network 100.2.1.0 0.0.0.255 return Configuration file of CE2 sysname CE2 interface GigabitEthernet1/0/0 ip address 10.2.1.1 255.255.255.0 bgp 65420 peer 10.2.1.2 as-number 100...
Page 244 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Configure vpn1 on PE, bind GE1/0/0 and GE2/0/0 with vpn1, and configure OSPF multi- instances. Configure the cost value on GE2/0/0 on PE and RTA to make OSPF choose link A preferentially.
Page 245 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration # Configure OSPF multi-instance on PE. [PE] ospf vpn-instance vpn1 [PE-ospf-1] area 0 [PE-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.3 [PE-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.3 Step 4 Configure the cost value on the OSPF interface.
Page 246 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration <PE> display ip routing-table vpn-instance vpn1 10.5.1.0 verbose Route Flags: R - relay, D - download to fib ------------------------------------------------------------------------------ Routing Table : vpn1 Summary Count : 1 Destination: 10.5.1.0/24...
Page 247: Example For Configuring Vpn Frr
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration sysname CE1 interface GigabitEthernet1/0/0 ip address 10.1.1.2 255.255.255.252 interface GigabitEthernet2/0/0 ip address 10.3.1.1 255.255.255.252 ospf 1 area 0.0.0.0 network 10.1.1.0 0.0.0.3 network 10.3.1.0 0.0.0.3 bfd for_ip_frr bind peer-ip 10.1.1.1 interface GigabitEthernet 1/0/0...
Page 248 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration Networking Requirements As shown in Figure 3-13, configure the backup nexthop on PE1 and configure PE3 as the backup of PE2. When some defects occur on PE2, the flow switches onto PE3.
Page 249 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE When RDs are configured for VPN instances, VPN FRR cannot be configured successfully on PE1 if the RDs of PE2 and PE3 are the same, but different from that of PE1.
Page 250 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration LSP Information: LDP LSP ---------------------------------------------------------------------- In/Out Label In/Out IF Vrf Name 1.1.1.1/32 3/NULL 2.2.2.2/32 NULL/3 -/P2/0/0 2.2.2.2/32 1025/3 -/P2/0/0 3.3.3.3/32 NULL/3 -/P3/0/0 3.3.3.3/32 1024/3 -/P3/0/0 Step 4 Configure the VPN instances on the PE devices and connect the CE with the PE2 and PE3.
Page 251 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration <CE> system-view [CE] bgp 65410 [CE-bgp] peer 10.1.1.2 as-number 100 [CE-bgp] peer 10.2.1.2 as-number 100 [CE-bgp] import-route direct [CE-bgp] network 10.3.1.0 24 [CE-bgp] quit After the configuration, run the display bgp vpnv4 all peer command on the PEs. You can view that the EBGP peer is established between the PEs and the CEs, and the peer status is "Established".
Page 252 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration 3.3.3.3 0 00:17:18 Established Step 7 Configure the VPN FRR routing policy. [PE1] ip ip-prefix vpn_frr_list permit 2.2.2.2 32 [PE1] route-policy vpn_frr_rp permit node 10 [PE1-route-policy] if-match ip next-hop ip-prefix vpn_frr_list [PE1-route-policy] apply backup-nexthop 3.3.3.3...
Page 253 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration NOTE In this example, both PE2 and PE3 advertise the route 10.3.1.0/24 with the same BGP attribute to PE1. The router ID of PE2 is smaller than that of PE3 so that PE1 preferentially selects the route advertised by PE2, that is, Link_A.
Page 254 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration bfd for_ip_frr bind peer-ip 2.2.2.2 discriminator local 10 discriminator remote 20 commit bgp 100 peer 2.2.2.2 as-number 100 peer 2.2.2.2 connect-interface LoopBack1 peer 3.3.3.3 as-number 100 peer 3.3.3.3 connect-interface LoopBack1...
Page 255 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration discriminator remote 10 commit bgp 100 peer 1.1.1.1 as-number 100 peer 1.1.1.1 connect-interface LoopBack1 ipv4-family unicast undo synchronization peer 1.1.1.1 enable ipv4-family vpnv4 policy vpn-target peer 1.1.1.1 enable...
Page 256 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 3 BGP MPLS IP VPN Configuration ospf 1 area 0.0.0.0 network 100.2.1.0 0.0.0.3 network 3.3.3.3 0.0.0.0 Return Configuration file of the CE sysname CE interface GigabitEthernet1/0/0 ip address 10.1.1.1 255.255.255.252 interface GigabitEthernet2/0/0 ip address 10.2.1.1 255.255.255.252...
Page 257: L2Tp Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration L2TP Configuration About This Chapter L2TP is a VPN technology that facilitates the tunneling of PPP frames and allows the Layer 2 termination points and PPP session endpoints to reside on different devices.
Page 258: L2Tp Overview
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration 4.1 L2TP Overview The L2TP protocol, which embodies the advantages of L2F and PPTP, is a industry standard on Layer 2 tunnel protocols defined by the IETF. 4.1.1 Introduction to L2TP L2TP messages are used in the maintenance of L2TP tunnels and transmission of PPP frames.
Page 259 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration The three methods to establish an L2TP tunnel are as follows: NAS-initialized: initiated by remote users. The remote user connects to the LAC through Public Switched Telephony Network (PSTN) or Integrated Services Digital Network (ISDN).
Page 260 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Figure 4-3 Networking diagram of call setup in an L2TP tunnel RADIUS RADIUS RouterA RouterB Server Server (1) call setup (2) PPP LCP setup (3) PAP or CHAP...
Page 261: Configuring Basic L2Tp Functions
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration RouterA transmits the parameters of the CHAP response, response identifier and PPP negotiation to RouterB. 10. RouterB sends an access request to the LNS RADIUS server for authentication.
Page 262: Configuring Basic L2Tp Capability
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration 4.2.2 Configuring Basic L2TP Capability To configure L2TP, you need to enable L2TP, create an L2TP group, and then configure other functions. The specific configuration varies with the role of the device (LAC or LNS).
Page 263: Configuring Lac
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration 4.3 Configuring LAC After being configured as an LAC, a device determines whether the user is an access user and whether to initiate a connection to an LNS.
Page 264: Configuring An L2Tp Connection On Lac Side
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration 4.3.2 Configuring an L2TP Connection on LAC Side After receiving a call from an LAC client, an LAC sends a connection request to an LNS in the configuration sequence of the LNSs. If receiving a response from an LNS, the LNS becomes the peer of the L2TP tunnel.
Page 265 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Step 2 Run: interface virtual-template vt-number A virtual template interface is created and the virtual template interface view is displayed. Step 3 Configure an IP address for the virtual interface in any of the following methods:...
Page 266: Optional) Configuring Local Authentication On Lac Side
The password in cipher text is more secure. Context NOTE For more information about Authorization, Authentication and Accounting (AAA), refer to the Huawei AR1200 Series Enterprise Routers Configuration Guide - Security. Do as followings on the router:...
Page 267 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration The AAA view is displayed. Run: authentication-scheme authentication-scheme-name An authentication scheme is created and the view of the authentication scheme is displayed. Run: authentication-mode radius The authentication mode is specified as RADIUS.
Page 268: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Do as follows on the router: Run: system-view The system view is displayed. Run: The AAA view is displayed. Run: domain domain-name The domain is created and the domain view is displayed.
Page 269: Configuring Lns
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration <Huawei> display l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 202.38.160.1 57344 Run the display l2tp session command, and you can view that the L2TP session is established.
Page 270 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration this manner, an L2TP tunnel is established only after authentications on both the LAC and the LNS are successful. The LNS authenticates users in three ways, namely, agent authentication, mandatory CHAP authentication, and LCP re-negotiation.
Page 271: Configuring An L2Tp Connection On Lns
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Data Number of the L2TP group Number of the virtual template Name of remote end in the tunnel Local user name and password 4.4.2 Configuring an L2TP Connection on LNS After receiving a tunnel setup request from an LAC, an LNS checks the LAC name and allows the LAC to set up an L2TP tunnel if the LAC name is a valid name of the remote end.
Page 272: Allocating Addresses To Access Users
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Context NOTE For more information about AAA, refer to the Huawei AR1200 Series Enterprise Routers Configuration Guide - Security. Do as follows on LNS: Procedure Step 1 Run: system-view The system view is displayed.
Page 273: Checking The Configuration
LNS is set up, the LNS should assign the IP address for the access user from the address pool of the user domain. Procedure Step 1 For details of the address pool configuration and address assignment, refer to the Huawei AR1200 Series Enterprise Routers Configuration Guide - IP Services and Configuration Guide - Security.
Page 274: Adjusting L2Tp Connection
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration <Huawei> display l2tp-group 1 ----------------------------------------------- L2tp-index GroupType ACCEPT_DIALIN_L2TP TunnelAuth Use tunnel authentication LocalName Encrypt Hello Retransmit Timeout IfIndex 4294967295 SrcIp 255.255.255.255 VtNum RemoteName lac1 ForceChap LcpReg LcpMismatch tunnel each user ----------------------------------------------- 4.5 Adjusting L2TP Connection...
Page 275: Configuring Security Options For L2Tp Connection
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Data Preparation To adjust the L2TP connection, you need the following data. Data Number of the L2TP group Password for tunnel authentication Interval for sending Hello packets 4.5.2 Configuring Security Options for L2TP Connection To ensure security, you can enable tunnel authentication on both ends, enable tunnel authentication before setting up a tunnel, and transmit AVPs in hidden mode.
Page 276: Configuring L2Tp Connection Parameters
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Step 5 Run: tunnel avp-hidden The AVP data is transmitted in hidden mode. By default, the AVP data is transmitted in plain text. The function of AVP hidden transmission works only when both ends adopt the tunnel authentication.
Page 277: Monitoring The Running Status Of L2Tp
When an L2TP fault occurs, run the following debugging commands in the user view to debug L2TP and locate the fault. For the procedure of outputting the debugging information, see the chapter "Maintenance and Debugging" in the Huawei AR1200 Series Enterprise Routers Configuration Guide - System Management. Issue 01 (2012-04-20) Huawei Proprietary and Confidential Copyright ©...
Page 278: Configuration Examples
On both the LAC and the LNS, the user name and the password are authenticated locally. NOTE When the AR1200 communicates with a non-Huawei device, configure the AR1200 to invert clock signals transmitted by a synchronous serial interface as required.
Page 279 Create a dial-in connection, and an access number named Huawei1. In addition, receive the address assigned by the LNS server. Enter the user name "vpdnuser@huawei.com" in the dial-up terminal window that pops up, with the password being Hello. Note that the user name and password should have been registered on the LNS server of the company.
Page 280 # Create an L2TP group and configure related attributes. [RouterA] l2tp enable [RouterA] l2tp-group 1 [RouterA-l2tp1] tunnel name LAC [RouterA-l2tp1] start l2tp ip 202.38.160.2 domain huawei.com # Enable the tunnel authentication and set a tunnel authentication password. [RouterA-l2tp1] tunnel authentication [RouterA-l2tp1] tunnel password simple quidway [RouterA-l2tp1] quit # Set the user name and password.
Page 281 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration # # Set the user name and password. Note that the user name and password must be consistent with those set on the LAC side. [RouterB] aaa [RouterB-aaa] local-user vpdnuser@huawei.com password simple Hello [RouterB-aaa] local-user vpdnuser@huawei.com service-type ppp...
Page 282 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration interface Serial1/0/0 link-protocol ip address 202.38.160.1 255.255.255.0 l2tp-group tunnel password simple quidway tunnel name start l2tp ip 202.38.160.2 domain huawei.com return Configuration file of Router B sysname RouterB ip pool network 192.168.0.0 mask...
Page 283: Example For Configuring Nas-Initialized Vpns (Dialup Access)
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration return 4.7.2 Example for Configuring NAS-Initialized VPNs (Dialup Access) This section provides an example for configuring a NAS-initialized VPN with VPN users accessing the NAS through the PSTN or ISDN.
Page 284 LNS device. (In this example, the IP address of the LNS interface connected with the tunnel is 202.38.160.2.) # Define the local device name as A8010, and fulfill the tunnel authentication. The password used in the tunnel authentication is "huawei". NOTE To configure A8010, refer to the corresponding A8010 manuals.
Page 285 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration [RouterA] ip pool 1 [RouterA-ip-pool-1]network 192.168.0.0 mask 24 # Set the user name and password, which must be the same as those set on the user side. [RouterA] aaa...
Page 286: Example For Configuring Client-Initialized Vpns
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration return 4.7.3 Example for Configuring Client-Initialized VPNs This section provides an example for configuring a client-initialized VPN with clients accessing the NAS through the PSTN. Networking Requirements As shown in...
Page 287 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration Number, range, and address mask of the remote address pool Procedure Step 1 Configure the devices on the VPN client side. The L2TP client software must be configured on the host of the VPN client side and users can connect to the Internet by dialing up.
Page 288: Example For Configuring Lac-Auto-Initiated Vpn
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 192.168.0.2 2134 vpdnuser Run the display l2tp session command. You can find that the session is set up. For example: [RouterA] display l2tp session...
Page 289 Configuration Guide - VPN 4 L2TP Configuration NOTE When the AR1200 communicates with a non-Huawei device, configure the AR1200 to invert clock signals transmitted by a synchronous serial interface as required. Figure 4-7 Networking diagram of the LAC-auto-initiated VPN RouterB...
Page 290 # Configure the user name and password, authentication mode, and IP address for the virtual PPP user. [RouterA] interface virtual-template 1 [RouterA-Virtual-Template1] ppp pap local-user huawei password simple 123 [RouterA-Virtual-Template1] ip address 13.1.1.2 255.255.255.0 [RouterA-Virtual-Template1] quit # Configure a private route so that the packets sent to the headquarters are forwarded through L2TP tunnels.
Page 291 OUM!K%F<+$ [Q=^Q`MAF4<1!! local-user huawei service-type ppp interface Virtual-Template1 ppp pap local-user huawei password simple 123 ip address 13.1.1.2 255.255.255.0 l2tp-auto-client enable interface Serial1/0/0 link-protocol ppp ip address 12.1.1.2 255.255.255.0 l2tp-group 1...
Page 292 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 4 L2TP Configuration start l2tp ip 12.1.1.1 fullusername huawei ip route-static 192.168.0.0 255.255.255.0 Virtual-Template1 return Configuration file of RouterB sysname RouterB l2tp enable ip pool 1 gateway-list 13.1.1.1 network 13.1.1.0 mask 255.255.255.0...
Page 293: Ipsec Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration IPSec Configuration About This Chapter IP Security (IPSec) uses data encryption and data source authentication at the IP layer to ensure data confidentiality and integrity and prevent replay of data packets. Internet Key Exchange (IKE) enables key negotiation and security associations (SAs) establishment to simplify use and management of IPSec.
Page 294 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration This section provides several configuration examples of IPSec. Issue 01 (2012-04-20) Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
Page 295: Ipsec Overview
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 5.1 IPSec Overview The IP Security (IPSec) protocol family is a series of protocols defined by the Internet Engineering Task Force (IETF). This protocol family provides high quality, interoperable, and cryptology-based security for IP packets.
Page 296: Ipsec Features Supported By The Ar1200
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Figure 5-2 Packet format in tunnel mode Mode tunnel Protocol new IP Header AH raw IP Header TCP Header data new IP raw IP ESP Tail ESP Auth data...
Page 297: Establishing An Ipsec Tunnel Manually
IPSec tunnel parameters and those sent from the remote device. NOTE The Efficient VPN function is used with a license. To use the Efficient VPN function, apply for and purchase the following license from the Huawei local office: AR1200 Value-Added Security Package 5.3 Establishing an IPSec Tunnel Manually You can establish IPSec tunnels manually when the network topology is simple.
Page 298: Defining Protected Data Flows
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Data Preparation To establish an IPSec tunnel manually, you need the following data. Data Parameters of an advanced ACL IPSec proposal name, security protocol, authentication algorithm of AH,...
Page 299: Configuring An Ipsec Proposal
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 5.3.3 Configuring an IPSec Proposal An IPSec proposal defines the security protocol, authentication algorithm, encryption algorithm, and packet encapsulation mode. Both ends of a tunnel must use the same IPSec proposal configuration.
Page 300 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Context CAUTION When configuring SPI, string authentication key (string-key), hexadecimal authentication key (authentication-hex), and hexadecimal encryption key (encryption-hex) on two ends of an IPSec tunnel, ensure that the inbound parameters on the local end are the same as the outbound parameters on the remote end, and the outbound parameters on the local end are the same as the inbound parameters on the remote end.
Page 301: Applying An Ipsec Policy To An Interface
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration NOTE The security protocol must be the same as the security protocol specified in the transform command in 5.3.3 Configuring an IPSec Proposal. If the security protocol specified in transform is ah-esp, both the ah and esp protocols must be configured in the sa spi command.
Page 302: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Context An interface can use only one IPSec policy. An IPSec policy group that establishes an SA through IKE negotiation can be applied to multiple interfaces, whereas an IPSec policy group that is used to establish an SA manually can be applied only to one interface.
Page 303: Application Environment
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Application Environment Data flows must be authenticated to ensure data transmission security. In a high security scenario, data flows must be authenticated and encrypted. In such a scenario, configure IPSec on the device that initiates the IPSec service and the device that terminates the IPSec service.
Page 304: Defining Protected Data Flows
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 5.4.2 Defining Protected Data Flows IPSec can protect different data flows. In real-world applications, configure an ACL to define the protected data flows and apply the ACL to a security policy.
Page 305: Configuring An Ike Peer
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration authentication-method { pre-share | rsa-signature } The authentication method used by an IKE proposal is configured. By default, an IKE proposal uses pre-shared key authentication. Step 5 (Optional) Run: authentication-algorithm { md5 | sha1 | aes_xcbc_mac_96 } The authentication algorithm is configured.
Page 306 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration ike-proposal proposal-number An IKE proposal is configured. Step 5 (Optional) Run: local-id-type { ip | name } The local ID type is configured. By default, the IP address of the local end is used as the local ID.
Page 307: Configuring An Ipsec Proposal
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration interface. The packets received by the remote peer contain the VPN attribute, so you do not need to specify the VPN on the remote peer. Step 12 (Optional) Run: remote-name name The remote host name is configured.
Page 308: Configuring An Ipsec Policy
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration By default, the ESP protocol defined in RFC 2406 is used. Step 4 (Optional) Run: ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } The authentication algorithm used by AH is configured.
Page 309: Configuring An Ipsec Policy Template
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration An ACL is applied to the IPSec policy. Step 5 (Optional) Run: sa trigger-mode { auto | traffic-based } The SA triggering mode is configured. After IKE negotiation phase 1 succeeds, the IPSec SA is established in the specified triggering mode.
Page 310: Optional) Setting Optional Parameters
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Step 2 Run: ipsec policy-template policy-template-name seq-number An IPSec policy template is created. Step 3 (Optional) Run: security acl acl-number An ACL is applied to the IPSec policy template.
Page 311 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration The new global lifetime does not affect the IPSec policies that have their own lifetime or the SAs that have been established. The new global lifetime will be used to establish new SAs during IKE negotiation.
Page 312: Optional) Configuring Route Injection
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration The sequence of payload in DPD packets is configured. Run: dpd type { on-demand | periodic } The DPD mode is configured. ----End 5.4.9 (Optional) Configuring Route Injection Route injection associates route selection with the IPSec tunnel status.
Page 313: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Only one IPSec policy can be applied to an interface. An IPSec policy can be applied to multiple interfaces. After the configuration is complete, the packets transmitted between two ends of the IPSec tunnel trigger SA establishment through IKE negotiation.
Page 314: Configuring An Ipsec Profile
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Applicable Environment An IPSec profile simplifies IPSec policy management. After an IPSec profile is applied to an IPSec tunnel interface, only one IPSec tunnel is generated and this tunnel protects all the data flows passing through the IPSec tunnel interface.
Page 315: Configuring An Ipsec Tunnel Interface
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration ipsec profile profile-name An IPSec profile is created and the IPSec profile view is displayed. IPSec profiles can only be applied to IPSec tunnel interfaces. Step 3 Run: proposal proposal-name An IPSec proposal referenced by an IPSec profile is configured.
Page 316 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Context An IPSec tunnel interface encapsulates the IPSec header into packets. To make a configured IPSec profile take effect, configure an IPSec tunnel interface and apply the IPSec profile to the IPSec tunnel interface.
Page 317: Checking The Configuration
IKE negotiation, Diffie-Hellman key agreement protocol, and IPSec proposal. If the network has hundreds of sites, the IPSec configurations on remote devices are complicated. Huawei provides the Efficient VPN solution, which allows remote branches to easily connect to the enterprise headquarters and releases enterprise administrators from complex manual configurations.
Page 318: Configuring Client Mode
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Configuring link layer protocol parameters for interfaces to ensure that the link layer protocol status on the interfaces is Up Configuring routes between the source and the destination Data Preparation To configure the Efficient VPN policy, you need the following data.
Page 319 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration (Optional) Run: remote-name name A name is specified for the remote IKE peer. (Optional) Run: authentication-method { pre-share | rsa-signature } An authentication method is specified for the IKE proposal.
Page 320 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration (Optional) Run: dns ip-address secondary The IP address of the secondary DNS server is specified. Run: ip-pool pool-name [ move-to new-position ] The location of the IP address pool is specified in the AAA service scheme.
Page 321: Configuring Network Mode
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration For details, see 5.4.5 Configuring an IPSec Proposal. NOTE l encapsulation-mode must be set to tunnel to establish an IPSec tunnel using the Efficient VPN policy. l The Efficient VPN policy supports only Encapsulating Security Payload (ESP).
Page 322 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Step 2 Run: acl [ number ] acl-number [ match-order { config | auto } ] An advanced ACL is created and the ACL view is displayed. Step 3 Run: rule The ACL rule is configured in the ACL view.
Page 323 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration A PKI domain is specified. Step 13 (Optional) Run: sa binding vpn-instance vpn-instance-name A VPN instance is specified to bind the IPSec tunnel. NOTE Before executing this command, configure the VPN instance.
Page 324: Verifying The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Step 24 (Optional) Run: quit Return to the system view. Step 25 Run: interface interface-type interface-number The interface view is displayed. Step 26 Run: ipsec efficient-vpn efficient-vpn-name The Efficient VPN policy is applied to the interface.
Page 325: Clearing Ipsec Information
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Procedure Run the display ipsec sa [ brief | duration | policy policy-name [ seq-number ] | profile profile-name | peerip peer-ip-address ] command to check information about the IPSec...
Page 326: Configuration Examples
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 5.8 Configuration Examples This section provides several configuration examples of IPSec. 5.8.1 Example for Establishing an SA Manually You can establish security associations (SAs) manually when the network topology is simple.
Page 327 Step 2 Configure ACLs on RouterA and RouterB to define the data flows to be protected. # Configure an ACL on RouterA. [Huawei] acl number 3101 [Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Huawei-acl-adv-3101] quit # Configure an ACL on RouterB.
Page 328 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Transform : esp-new ESP protocol : Authentication SHA1-HMAC-96 Encryption Step 5 Create IPSec policies on RouterA and RouterB. # Create an IPSec policy on RouterA. [Huawei] ipsec policy map1 10 manual...
Page 329 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ipsec policy map1 [Huawei-Ethernet1/0/0] quit # Apply the IPSec policy to the interface of RouterB. [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ipsec policy use1...
Page 330: Example For Configuring Ike Negotiation Using Default Settings
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 202.138.163.1 tunnel remote 202.138.162.1 sa spi inbound esp 54321 sa string-key inbound esp gfedcba sa spi outbound esp 12345 sa string-key outbound esp abcdefg ip route-static 10.1.2.0 255.255.255.0 202.138.163.2...
Page 331 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Networking Requirements As shown in Figure 5-4, an IPSec tunnel is established between RouterA and RouterB. This IPSec tunnel protects data flows between the subnet of PC A (10.1.1.0/24) and subnet of PC B (10.1.2.0/24).
Page 332 Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected. # Configure an ACL on RouterA. [Huawei] acl number 3101 [Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Huawei-acl-adv-3101] quit # Configure an ACL on RouterB.
Page 333 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Step 4 Configure static routes to the peers on RouterA and RouterB. # Configure a static route to the peer on RouterA. In this example, the next hop to PCB is 202.138.163.2.
Page 334 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration IPsec SA local duration(time based): 3600 seconds IPsec SA local duration(traffic based): 1843200 kilobytes SA trigger mode: Automatic Route inject: None Step 7 Apply the IPSec policies to the interfaces of RouterA and RouterB.
Page 335 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Configuration Files Configuration file of RouterA acl number 3101 rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 ipsec proposal tran1 ike peer spub pre-shared-key huawei remote-address 202.138.162.1...
Page 336: Example For Configuring Ike Negotiation
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration ipsec policy use1 return 5.8.3 Example for Configuring IKE Negotiation IKE automatically establishes an SA and performs key exchange to improve efficiency of SA establishment and ensure network security.
Page 337 [Huawei-ike-peer-spua] quit Run the display ike peer command on RouterA and RouterB to view the configuration of the IKE peer. Take the display on RouterA as an example. [Huawei] display ike peer name spub verbose ---------------------------------------- Peer name : spub...
Page 338 Step 4 Configure ACLs on RouterA and RouterB to define the data flows to be protected. # Configure an ACL on RouterA. [Huawei] acl number 3101 [Huawei-acl-adv-3101] rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Huawei-acl-adv-3101] quit # Configure an ACL on RouterB.
Page 339 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration [Huawei] display ipsec proposal Number of Proposals: 1 IPsec proposal name: tran1 Encapsulation mode: Tunnel Transform : esp-new ESP protocol : Authentication SHA1-HMAC-96 Encryption Step 7 Create IPSec policies on RouterA and RouterB.
Page 340 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration IPsec policy name: "map1" sequence number: 10 mode: isakmp ----------------------------- Connection id: 3 encapsulation mode: tunnel tunnel local : 202.138.163.1 tunnel remote: 202.138.162.1 [inbound ESP SAs] spi: 1406123142 (0x53cfbc86)
Page 341 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration name remote-name huawei02 local-address 202.138.163.1 remote-address 202.138.162.1 ipsec policy map1 10 isakmp security acl 3101 ike-peer spub proposal tran1 ip route-static 10.1.2.0 255.255.255.0 202.138.163.2 interface Ethernet1/0/0 ip address 202.138.163.1 255.255.255.0...
Page 342: Example For Establishing An Ipsec Tunnel Using An Ipsec Tunnel Interface
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration ip route-static 10.1.1.0 255.255.255.0 202.138.162.2 interface Ethernet1/0/0 ip address 202.138.162.1 255.255.255.0 ipsec policy use1 return 5.8.4 Example for Establishing an IPSec Tunnel Using an IPSec Tunnel Interface An IPSec tunnel can be established using an IPSec tunnel interface. This method simplifies the IPSec configuration, reduces costs between devices on the IPSec network, and makes service application flexible.
Page 343 [Huawei-ike-peer-spua] quit Run the display ike peer command on RouterA and RouterB to view the configuration of the IKE peer. Take the display on RouterA as an example. [Huawei] display ike peer name spub verbose ---------------------------------------- Issue 01 (2012-04-20) Huawei Proprietary and Confidential...
Page 344 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Peer name : spub Pre-shared-key : huawei proposal Local ID type : Disable DPD mode : Periodic DPD idle time : 30 DPD retransmit interval : 15 DPD retry limit...
Page 345 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration [Huawei-ipsec-profile-profile1] quit Step 7 Apply the IPSec profiles to the interfaces of RouterA and RouterB. # Apply the IPSec profile to the interface of RouterA. [Huawei] interface tunnel 0/0/0 [Huawei-Tunnel0/0/0] ip address 192.168.1.1 24...
Page 346: Example For Establishing An Sa Using Efficient Vpn In Client Mode
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration ipsec profile profile1 ike-peer spub proposal tran1 interface Tunnel0/0/0 ip address 192.168.1.1 255.255.255.0 tunnel-protocol gre source 202.138.163.1 destination 202.138.163.2 ipsec profile profile1 interface Ethernet1/0/0 ip address 202.138.163.1 255.255.255.0...
Page 347 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Figure 5-7 Networking for Establishing an SA Using Efficient VPN in Client Mode RouterA RouterB Internet Server Remote Eth1/0/0 Eth1/0/0 60.1.1.1/24 60.1.2.1/24 IPSec Tunnel 10.1.1.2/24 10.1.2.2/24 PC A...
Page 348 [Huawei-ipsec-policy-templet-use1-10] ike-peer rut3 [Huawei-ipsec-policy-templet-use1-10] proposal tran1 [Huawei-ipsec-policy-templet-use1-10] sa duration time-based 600000 [Huawei-ipsec-policy-templet-use1-10] quit [Huawei] ipsec policy policy1 10 isakmp template use1 Apply the policy group to the interface. [Huawei] interface ethernet 1/0/0 [Huawei-Ethernet1/0/0] ipsec policy policy1 Step 3 Verify the configuration After the preceding configuration, RouterA can still ping RouterB and the data transmitted between them is encrypted.
Page 349 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Run the display ike sa command on RouterA, and the following information is displayed: [Huawei] display ike sa v2 Conn-ID Peer Flag(s) Phase --------------------------------------------------------- 60.1.2.1 RD|ST 60.1.2.1 RD|ST...
Page 350 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Dns server IP : 2.2.2.2, 2.2.2.3 Wins server IP : 3.3.3.2, 3.3.3.3 ----End Configuration Files Configuration file of RouterA ipsec efficient-vpn 2 mode client remote-address 60.1.2.1 v2 pre-shared-key huawei interface Ethernet1/0/0 ip address 60.1.1.1 255.255.255.0...
Page 351: Example For Establishing An Sa Using Efficient Vpn In Network Mode
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration 2.2.2.2 dns 2.2.2.3 secondary ip-pool pooltest wins 3.3.3.2 wins 3.3.3.3 secondary interface Ethernet1/0/0 ip address 60.1.2.1 255.255.255.0 ipsec policy policy1 ip route-static 10.1.1.0 255.255.255.0 60.1.2.2 return 5.8.6 Example for Establishing an SA Using Efficient VPN in...
Page 352 Step 3 Configure ACLs on RouterA and RouterB to define the data flows to be protected. # Configure an ACL on RouterA. [Huawei] acl number 3000 [Huawei-acl-adv-3000] rule 5 permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 [Huawei-acl-adv-3000] quit # Configure an ACL on RouterB.
Page 353 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration [Huawei-acl-adv-3000] quit Step 4 Configure the Efficient VPN policies in network mode on RouterA and RouterB. # Configure the Efficient VPN policy in network mode on RouterA. [Huawei] ipsec efficient-vpn easyvpn_1 mode network [Huawei-ipsec-efficient-vpn-easyvpn_1] remote-address 99.1.2.1 v1...
Page 354 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 5 IPSec Configuration Max sent sequence-number: 0 UDP encapsulation used for NAT traversal: N [Intbound ESP SAs] SPI: 1488468104 (0x58b83888) Proposal: ESP-ENCRYPT-AES-256 SHA2-512-256 SA remaining key duration (bytes/sec): 1887436800/1845 Max received sequence-number: 0...
Page 355: Dsvpn Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration DSVPN Configuration About This Chapter DSVPN can be configured on the source branch, destination branch, and central office routers. 6.1 DSVPN Overview Dynamic Smart Virtual Private Network (DSVPN) is a technology that allows branches to use the NBMA Next Hop Resolution Protocol (NHRP) to dynamically establish data forwarding tunnels in the hub-spoke model.
Page 356: Dsvpn Overview
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration 6.1 DSVPN Overview Dynamic Smart Virtual Private Network (DSVPN) is a technology that allows branches to use the NBMA Next Hop Resolution Protocol (NHRP) to dynamically establish data forwarding tunnels in the hub-spoke model.
Page 357: Configuring Dsvpn
6 DSVPN Configuration NOTE The DSVPN function is used with a license. To use the DSVPN function, apply for and purchase the following license from the Huawei local office: AR1200 Value-Added Security Package AR1200 DSVPN (Dynamic Smart VPN) Function 6.3 Configuring DSVPN When Dynamic Smart VPN (DSVPN) is configured, IPSec does not need to be configured.
Page 358: Configuring Mgre
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration 6.3.2 Configuring MGRE To configure MGRE, create a tunnel interface, and configure the tunnel encapsulation mode, IP address, and source address for the tunnel interface. Context After creating a tunnel interface, set the tunnel encapsulation mode to Multipoint GRE (MGRE) and configure a source address for the tunnel interface.
Page 359: Configuring Nhrp On A Branch
A static route must be configured on both the source and destination devices. l Configure dynamic routes. Dynamic routing can be implemented using OSPF, RIP, or BGP. For the configuration of a dynamic routing protocol, see Huawei AR1200 Series Configuration Guide - IP Routing.
Page 360: Configuring Nhrp On The Central Office
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Step 5 (Optional) Run: nhrp authentication string The NHRP authentication string is configured. By default, no NHRP authentication string is configured. Step 6 (Optional) Run: nhrp registration interval seconds The NHRP registration interval is configured.
Page 361: Optional) Configuring An Ipsec Profile
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Step 4 (Optional) Run: nhrp authentication string The NHRP authentication string is configured. By default, no NHRP authentication string is configured. If the NHRP authentication string is configured only on a branch device but not on the central office device, the NHRP authentication string is not used for authentication.
Page 362 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Procedure Step 1 Run: system-view The system view is displayed. Step 2 Run: ipsec profile profile-name An IPSec profile is created and the IPSec profile view is displayed.
Page 363: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration The tunnel interface is bound to an IPSec profile. ----End 6.3.7 Checking the Configuration After DSVPN is configured, you can view NHRP mapping entries and IPSec profile configuration.
Page 364: Configuration Examples
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Procedure Run the reset nhrp statistics interface interface-type interface-number command in the user view to clear the NHRP packet statistics on a specified tunnel interface. ----End 6.5 Configuration Examples This section describes how to configure DSVPN when different routing plans are used.
Page 365 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Data Preparation To complete the configuration, you need the following data: Reachable routes between the Routers Source addresses of tunnel interfaces on the Routers Procedure Step 1 Assign an IP address to each interface.
Page 366 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Step 4 Configure tunnel interfaces on the Routers and configure NHRP mapping entries of the hub on Spoke1 and Spoke2. # Configure a tunnel interface on the hub.
Page 367 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Run the display nhrp peer all command on the hub, and the command output is as follows. [Huawei] display nhrp peer all ------------------------------------------------------------------------------- Protocol-addr Mask NBMA-addr NextHop-addr Type...
Page 368 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Tunnel interface: Tunnel0/0/0 Created time : 2011.08.18-16:10:33 Expire time : 2011.08.18-18:10:33 ----End Configuration Files Configuration file of Spoke1 interface Ethernet1/0/0 ip address 44.3.1.2 255.255.255.0 interface Tunnel0/0/0 ip address 172.16.1.101 255.255.255.0...
Page 369: Example For Configuring Dsvpn When Branches Have Only Summarized Routes To The Central Office
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration area 0.0.0.0 network 44.4.1.0 0.0.0.255 ospf 3 area 0.0.0.0 network 172.16.1.0 0.0.0.255 return 6.5.2 Example for Configuring DSVPN When Branches Have Only Summarized Routes to the Central Office This section describes how to configure DSVPN when branches have only summarized routes to the central office.
Page 370 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Data Preparation To complete the configuration, you need the following data: Reachable routes between the Routers Source addresses of tunnel interfaces on the Routers Procedure Step 1 Assign an IP address to each interface.
Page 371 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration [Huawei-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0 [Huawei-Tunnel0/0/0] tunnel-protocol gre p2mp [Huawei-Tunnel0/0/0] source ethernet 1/0/0 [Huawei-Tunnel0/0/0] nhrp redirect [Huawei-Tunnel0/0/0] nhrp entry multicast dynamic # Configure a tunnel interface and an NHRP mapping entry of the hub, and enable NHRP shortcut on Spoke1.
Page 372 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration ------------------------------------------------------------------------------- Tunnel interface: Tunnel0/0/0 Created time : 2008.01.07-18:07:45 Expire time : 2008.01.07-20:07:52 ------------------------------------------------------------------------------- Protocol-addr Mask NBMA-addr NextHop-addr Type Flag ------------------------------------------------------------------------------- 172.16.1.102 44.4.1.2 172.16.1.102 dynamic route tunnel ------------------------------------------------------------------------------- Tunnel interface: Tunnel0/0/0 Created time : 2008.01.07-18:11:51...
Page 373 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 6 DSVPN Configuration Configuration Files Configuration file of Spoke1 interface Ethernet1/0/0 ip address 44.3.1.2 255.255.255.0 interface Tunnel0/0/0 ip address 172.16.1.101 255.255.255.0 tunnel-protocol gre p2mp source Ethernet1/0/0 nhrp entry 172.16.1.1 44.1.1.1 register...
Page 374: Ssl Vpn Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration SSL VPN Configuration About This Chapter SSL VPN (Secure Sockets Layer VPN) is a type of secure access VPN technology. Based on the HTTPS protocol, SSL VPN uses the data encryption, user identity authentication, and message integrity check mechanisms of the SSL protocol to help ensure that remote access to enterprise intranets is safe and secure.
Page 375: Ssl Vpn Overview
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration 7.1 SSL VPN Overview The SSL VPN (Secure Sockets Layer VPN) technology allows employees, customers, and partners to access the enterprise's intranet through the Internet anytime and anywhere.
Page 376: Ssl Vpn Features Supported By The Ar1200
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration 7.2 SSL VPN Features Supported by the AR1200 The AR1200 supports the following SSL VPN features: virtual gateway, basic VPN functions, SSL VPN user management, and SSL VPN services.
Page 377: Configuring Basic Ssl Vpn Functions
For example, the remote terminals are allowed to ping internal servers. SSL VPN License The SSL VPN function is used with a license. To use the SSL VPN function, apply for and purchase the following license from the Huawei local office: AR1200 Value-Added Security Package NOTE The maximum number of online SSL VPN users is limited by the license.
Page 378: Creating A Virtual Gateway
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Pre-configuration Tasks Before configuring basic SSL VPN functions, complete the following tasks: Configuring IP addresses for the interfaces which will be configured as intranet and extranet interfaces...
Page 379: Binding An Aaa Domain To The Virtual Gateway
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Applicable Environment Figure 7-2 Interfaces of a virtual gateway Intranet Extranet interface interface Remote terminal Internet SSL VPN gateway Internal servers When functioning as an SSL VPN gateway, the AR1200 provides two types of interfaces: extranet interface and intranet interface.
Page 380: Enabling Basic Ssl Vpn Functions
An AAA domain is bound to the virtual gateway. By default, no AAA domain is bound to a virtual gateway. For the configuration of an AAA domain, see AAA Configuration in the Huawei AR1200 Series Enterprise Routers Configuration Guide - Security.
Page 381: Checking The Configuration
SSL VPN users that each license support depends on the license level. The AR1200 supports a maximum of two online SSL VPN users without a license. To enable the AR1200 to support more online SSL VPN users, buy licenses from Huawei local office. Configuring the maximum online duration of users If an online user does not use services for a long time, the user still occupies resources.
Page 382 SSL VPN users that each license support depends on the license level. The AR1200 supports a maximum of two online SSL VPN users without a license. To enable the AR1200 to support more online SSL VPN users, buy licenses from Huawei local office. Step 5 (Optional) Run: max-online-time number The maximum online duration of users allowed by the virtual gateway is configured.
Page 383: Configuring Ssl Vpn Services
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Run the display sslvpn gateway [ gateway-name ] command to check the virtual gateway configurations. Run the display sslvpn gateway gateway-name access-user [ user-name ] command to view user information on the virtual gateway.
Page 384: Creating A Virtual Gateway
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Data Name of the virtual gateway SSL VPN service name Service parameters: l Web proxy parameters: Web server's URL l Port forwarding parameters: application server's IP address and port number...
Page 385: Configuring The Port Forwarding Service
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration As shown in Figure 7-4, users access the internal Web server through the SSL VPN gateway. The SSL VPN gateway functions as a proxy that forwards data between users and the internal Web server.
Page 386: Configuring The Ip Forwarding Service
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration As shown in Figure 7-5, users can access the TCP-based services on the internal network. The typical port forwarding services include Telnet login, desktop sharing, and mailing.
Page 387 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Context Figure 7-6 IP forwarding service network SSL VPN gateway Application server Remote terminal Internet As shown in Figure 7-6, the SSL VPN gateway allows remote terminals to communicate with internal servers at the network layer.
Page 388: Checking The Configuration
Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration By default, no IP address pool is bound to the IP forwarding service. NOTE If you configure a lease for the IP addresses in the IP address pool, ensure that the lease is longer than the maximum online duration of SSL VPN users.
Page 389 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration Networking Environment As shown in Figure 7-7, an enterprise's network connects to the Internet using a Router that functions as an SSL VPN gateway. The marketing personnel on external networks access the enterprise's intranet through the Router.
Page 390 NOTE Choose an AAA domain according to service requirements. For the configuration of an AAA domain, see AAA Configuration in the Huawei AR1200 Series Enterprise Routers Configuration Guide - Security. IP address of extranet interface Ethernet2/0/0: 1.1.1.1/24 IP address of intranet interface Vlanif10: 10.138.10.254/24 IP address pool: 10.139.30.0/24...
Page 391 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration # Configure the Web proxy service. [Router] sslvpn gateway market [Router-sslvpn-market] service-type web-proxy resource market_web-proxy [Router-sslvpn-market-wp-res-market_web-proxy] link http://10.138.10.1:80/ [Router-sslvpn-market-wp-res-market_web-proxy] quit # Configure the port forwarding service to allow marketing personnel to access the mail server and share desktop with the internal host 10.138.10.21.
Page 392 Huawei AR1200 Series Enterprise Routers Configuration Guide - VPN 7 SSL VPN Configuration service-type web-proxy resource market_web-proxy link http://10.138.10.1:80/ service-type port-forwarding resource market_port-forwarding server ip-address 10.138.10.3 port 995 server ip-address 10.138.10.21 port 3389 service-type ip-forwarding resource market_ip-forwarding bind ip-pool market_pool route-mode split route-split ip address 10.138.10.64 mask 27...

This manual is also suitable for:

Ar3200 series

Huawei AR1200 series Configuration Manual

About this Document

1 GRE Configuration

2 MCE Configuration

3 BGP MPLS IP VPN Configuration

4 L2TP Configuration

5 Ipsec Configuration

6 DSVPN Configuration

7 SSL VPN Configuration

Quick Links

Related Manuals for Huawei AR1200 series

Summary of Contents for Huawei AR1200 series