
Example for Connecting a CE to a VPN Through a GRE Tunnel over a VPN

Networking Requirements

In Figure 1:

  • PE1 and PE2 reside on a class 1 carrier's MPLS backbone network.

  • The VPN instance vpn2 belongs to a class 2 carrier's network, and CE1 is directly connected to PE1.

  • CE2 and CE3 connect to user hosts. CE2 is directly connected to PE2, and CE3 is directly connected to CE1. CE2 and CE3 belong to vpn1 and can reach each other.

Figure 1 Connecting a CE to a VPN through a GRE Tunnel over a VPN

Configuration Roadmap

PE1 is indirectly connected to CE3. Therefore, no VPN instance can be bound to the physical interface of PE1. A GRE tunnel is set up between CE3 and PE1 and it traverses vpn2. On PE1, bind the GRE tunnel to vpn1 to connect CE3 to vpn1.

The configuration roadmap is as follows:

  1. Run OSPF process 10 on PE1 and PE2 to implement interworking between them, and enable MPLS.

  2. Configure a VPN instance vpn2 on PE1, and run OSPF process 20 on PE1, CE1, and CE3 to implement interworking among them.

  3. Set up a GRE tunnel between CE3 and PE1. CE3 is connected to PE1 over vpn2, and the interface on PE1 directly connected to CE1 is bound to vpn2. Therefore, the interfaces directly connecting CE3 to CE1 and PE1 to CE1 belong to vpn2. When configuring a GRE tunnel between PE1 and CE3, you need to set a tunnel destination address that belongs to vpn2.

  4. Create vpn1 on PE1 and PE2. On PE1, bind vpn1 to the GRE tunnel interface. On PE2, bind vpn1 to the physical interface connected to CE2.

  5. Run IS-IS on the devices to dynamically calculate routes between the CEs and PEs.

  6. Run BGP on the PEs to implement interworking between CE2 and CE3.

Procedure

  1. Configure an IP address for each interface.

    # Configure CE3.

    <HUAWEI> system-view
    [HUAWEI] sysname CE3
    [CE3] vlan batch 10 20
    [CE3] interface gigabitethernet 0/0/1
    [CE3-GigabitEthernet0/0/1] port link-type access
    [CE3-GigabitEthernet0/0/1] port default vlan 10
    [CE3-GigabitEthernet0/0/1] quit
    [CE3] interface gigabitethernet 0/0/2
    [CE3-GigabitEthernet0/0/2] port link-type trunk
    [CE3-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
    [CE3-GigabitEthernet0/0/2] quit
    [CE3] interface vlanif 10
    [CE3-Vlanif10] ip address 10.1.1.2 24
    [CE3-Vlanif10] quit
    [CE3] interface vlanif 20
    [CE3-Vlanif20] ip address 30.1.1.1 24
    [CE3-Vlanif20] quit

    # Configure CE1.

    <HUAWEI> system-view
    [HUAWEI] sysname CE1
    [CE1] vlan batch 10 20
    [CE1] interface gigabitethernet 0/0/1
    [CE1-GigabitEthernet0/0/1] port link-type trunk
    [CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
    [CE1-GigabitEthernet0/0/1] quit
    [CE1] interface gigabitethernet 0/0/2
    [CE1-GigabitEthernet0/0/2] port link-type trunk
    [CE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
    [CE1-GigabitEthernet0/0/2] quit
    [CE1] interface vlanif 10
    [CE1-Vlanif10] ip address 50.1.1.1 24
    [CE1-Vlanif10] quit
    [CE1] interface vlanif 20
    [CE1-Vlanif20] ip address 30.1.1.2 24
    [CE1-Vlanif20] quit

    # Configure IP addresses for the interfaces on PE1, except those to be bound to a VPN instance, because all configurations on an interface are deleted when the interface is bound to a VPN instance.

    <HUAWEI> system-view
    [HUAWEI] sysname PE1
    [PE1] vlan batch 10 20
    [PE1] interface gigabitethernet 0/0/1
    [PE1-GigabitEthernet0/0/1] port link-type trunk
    [PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [PE1-GigabitEthernet0/0/1] quit
    [PE1] interface gigabitethernet 0/0/2
    [PE1-GigabitEthernet0/0/2] port link-type trunk
    [PE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 20
    [PE1-GigabitEthernet0/0/2] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] ip address 110.1.1.1 24
    [PE1-Vlanif20] quit
    [PE1] interface loopback 1
    [PE1-LoopBack1] ip address 1.1.1.9 32
    [PE1-LoopBack1] quit

    # Configure IP addresses for the interfaces on PE2, except those to be bound to a VPN instance, because all configurations on an interface are deleted when the interface is bound to a VPN instance.

    <HUAWEI> system-view
    [HUAWEI] sysname PE2
    [PE2] vlan batch 10 20
    [PE2] interface gigabitethernet 0/0/1
    [PE2-GigabitEthernet0/0/1] port link-type trunk
    [PE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
    [PE2-GigabitEthernet0/0/1] quit
    [PE2] interface gigabitethernet 0/0/2
    [PE2-GigabitEthernet0/0/2] port link-type trunk
    [PE2-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
    [PE2-GigabitEthernet0/0/2] quit
    [PE2] interface vlanif 20
    [PE2-Vlanif20] ip address 110.1.1.2 24
    [PE2-Vlanif20] quit
    [PE2] interface loopback 1
    [PE2-LoopBack1] ip address 3.3.3.9 32
    [PE2-LoopBack1] quit

    # Configure CE2.

    <HUAWEI> system-view
    [HUAWEI] sysname CE2
    [CE2] vlan batch 10 20
    [CE2] interface gigabitethernet 0/0/1
    [CE2-GigabitEthernet0/0/1] port link-type trunk
    [CE2-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
    [CE2-GigabitEthernet0/0/1] quit
    [CE2] interface gigabitethernet 0/0/2
    [CE2-GigabitEthernet0/0/2] port link-type access
    [CE2-GigabitEthernet0/0/2] port default vlan 20
    [CE2-GigabitEthernet0/0/2] quit
    [CE2] interface vlanif 10
    [CE2-Vlanif10] ip address 11.1.1.1 24
    [CE2-Vlanif10] quit
    [CE2] interface vlanif 20
    [CE2-Vlanif20] ip address 10.2.1.2 24
    [CE2-Vlanif20] quit

  2. Configure routes between the PEs and enable MPLS.

    # On PE1, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE1] mpls lsr-id 1.1.1.9
    [PE1] mpls
    [PE1-mpls] lsp-trigger all
    [PE1-mpls] quit
    [PE1] mpls ldp
    [PE1-mpls-ldp] quit
    [PE1] ospf 10
    [PE1-ospf-10] area 0
    [PE1-ospf-10-area-0.0.0.0] network 1.1.1.9 0.0.0.0
    [PE1-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE1-ospf-10-area-0.0.0.0] quit
    [PE1-ospf-10] quit
    [PE1] interface vlanif 20
    [PE1-Vlanif20] mpls
    [PE1-Vlanif20] mpls ldp
    [PE1-Vlanif20] quit

    # On PE2, enable MPLS LDP, and run OSPF process 10 to configure reachable routes between the PEs. LSPs are set up automatically.

    [PE2] mpls lsr-id 3.3.3.9
    [PE2] mpls
    [PE2-mpls] lsp-trigger all
    [PE2-mpls] quit
    [PE2] mpls ldp
    [PE2-mpls-ldp] quit
    [PE2] ospf 10
    [PE2-ospf-10] area 0
    [PE2-ospf-10-area-0.0.0.0] network 3.3.3.9 0.0.0.0
    [PE2-ospf-10-area-0.0.0.0] network 110.1.1.0 0.0.0.255
    [PE2-ospf-10-area-0.0.0.0] quit
    [PE2-ospf-10] quit
    [PE2] interface vlanif 20
    [PE2-Vlanif20] mpls
    [PE2-Vlanif20] mpls ldp
    [PE2-Vlanif20] quit

  3. Create a VPN instance vpn2 on PE1 and bind vpn2 to an interface on a class 2 carrier's network.

    [PE1] ip vpn-instance vpn2
    [PE1-vpn-instance-vpn2] route-distinguisher 100:2
    [PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 export-extcommunity
    [PE1-vpn-instance-vpn2-af-ipv4] vpn-target 222:2 import-extcommunity
    [PE1-vpn-instance-vpn2-af-ipv4] quit
    [PE1-vpn-instance-vpn2] quit
    [PE1] interface vlanif 10
    [PE1-Vlanif10] ip binding vpn-instance vpn2 
    [PE1-Vlanif10] ip address 50.1.1.2 255.255.255.0
    [PE1-Vlanif10] quit

  4. Create a VPN instance vpn1 on PE1 and bind vpn1 to the GRE tunnel.

    [PE1] ip vpn-instance vpn1
    [PE1-vpn-instance-vpn1] route-distinguisher 100:1
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE1-vpn-instance-vpn1-af-ipv4] quit
    [PE1-vpn-instance-vpn1] quit
    [PE1] interface tunnel 1
    [PE1-Tunnel1] ip binding vpn-instance vpn1 
    [PE1-Tunnel1] ip address 2.2.2.2 255.255.255.0
    [PE1-Tunnel1] quit

  5. Create a VPN instance vpn1 on PE2 and bind vpn1 to a user-side interface.

    [PE2] ip vpn-instance vpn1
    [PE2-vpn-instance-vpn1] route-distinguisher 200:1
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 export-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] vpn-target 111:1 import-extcommunity
    [PE2-vpn-instance-vpn1-af-ipv4] quit
    [PE2-vpn-instance-vpn1] quit
    [PE2] interface vlanif 10
    [PE2-Vlanif10] ip binding vpn-instance vpn1 
    [PE2-Vlanif10] ip address 11.1.1.2 255.255.255.0
    [PE2-Vlanif10] quit

  6. Configure tunnel interfaces of the GRE tunnel.

    # Configure CE3.

    [CE3] interface tunnel 1
    [CE3-Tunnel1] tunnel-protocol gre
    [CE3-Tunnel1] source 30.1.1.1
    [CE3-Tunnel1] destination 50.1.1.2
    [CE3-Tunnel1] ip address 2.2.2.1 24
    [CE3-Tunnel1] quit

    # Configure PE1.

    [PE1] interface tunnel 1
    [PE1-Tunnel1] tunnel-protocol gre
    [PE1-Tunnel1] source 50.1.1.2
    [PE1-Tunnel1] destination vpn-instance vpn2 30.1.1.1
    [PE1-Tunnel1] quit

  7. Configure routing protocols on CE3, CE1, and PE1.

    # Configure CE3.

    [CE3] ospf 20
    [CE3-ospf-20] area 0
    [CE3-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [CE3-ospf-20-area-0.0.0.0] quit
    [CE3-ospf-20] quit

    # Configure CE1.

    [CE1] ospf 20
    [CE1-ospf-20] area 0
    [CE1-ospf-20-area-0.0.0.0] network 30.1.1.0 0.0.0.255
    [CE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [CE1-ospf-20-area-0.0.0.0] quit
    [CE1-ospf-20] quit

    # Configure PE1.

    [PE1] ospf 20 vpn-instance vpn2
    [PE1-ospf-20] area 0
    [PE1-ospf-20-area-0.0.0.0] network 50.1.1.0 0.0.0.255
    [PE1-ospf-20-area-0.0.0.0] quit
    [PE1-ospf-20] quit

  8. Configure IS-IS on CE3 and PE1 to calculate routes between them.

    # Configure CE3.

    [CE3] isis 50
    [CE3-isis-50] network-entity 50.0000.0000.0001.00
    [CE3-isis-50] quit
    [CE3] interface vlanif 10
    [CE3-Vlanif10] isis enable 50
    [CE3-Vlanif10] quit
    [CE3] interface tunnel 1
    [CE3-Tunnel1] isis enable 50
    [CE3-Tunnel1] quit

    # Configure PE1.

    [PE1] isis 50 vpn-instance vpn1
    [PE1-isis-50] network-entity 50.0000.0000.0002.00
    [PE1-isis-50] quit
    [PE1] interface tunnel 1
    [PE1-Tunnel1] isis enable 50
    [PE1-Tunnel1] quit

  9. Configure IS-IS on CE2 and PE2 to calculate routes between them.

    # Configure CE2.

    [CE2] isis 50
    [CE2-isis-50] network-entity 50.0000.0000.0004.00
    [CE2-isis-50] quit
    [CE2] interface vlanif 10
    [CE2-Vlanif10] isis enable 50
    [CE2-Vlanif10] quit
    [CE2] interface vlanif 20
    [CE2-Vlanif20] isis enable 50
    [CE2-Vlanif20] quit

    # Configure PE2.

    [PE2] isis 50 vpn-instance vpn1
    [PE2-isis-50] network-entity 50.0000.0000.0003.00
    [PE2-isis-50] quit
    [PE2] interface vlanif 10
    [PE2-Vlanif10] isis enable 50
    [PE2-Vlanif10] quit

  10. Set up an MP-IBGP peer relationship between the PEs.

    # On PE1, configure an IBGP peer relationship with PE2 using a loopback interface to exchange VPN IPv4 route information.

    [PE1] bgp 100
    [PE1-bgp] peer 3.3.3.9 as-number 100
    [PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
    [PE1-bgp] ipv4-family vpnv4
    [PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
    [PE1-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE1-bgp] ipv4-family vpn-instance vpn1
    [PE1-bgp-vpn1] import-route isis 50
    [PE1-bgp-vpn1] quit
    [PE1-bgp] quit

    # On PE2, configure an IBGP peer relationship with PE1 using a loopback interface to exchange VPN IPv4 route information.

    [PE2] bgp 100
    [PE2-bgp] peer 1.1.1.9 as-number 100
    [PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
    [PE2-bgp] ipv4-family vpnv4
    [PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
    [PE2-bgp-af-vpnv4] quit

    # Import IS-IS routes to vpn1.

    [PE2-bgp] ipv4-family vpn-instance vpn1
    [PE2-bgp-vpn1] import-route isis 50
    [PE2-bgp-vpn1] quit
    [PE2-bgp] quit

  11. Import BGP routes to the IS-IS routing table.

    # Configure PE1.

    [PE1] isis 50
    [PE1-isis-50] import-route bgp
    [PE1-isis-50] quit

    # Configure PE2.

    [PE2] isis 50
    [PE2-isis-50] import-route bgp
    [PE2-isis-50] quit

  12. Verify the configuration.

    # After the configuration is complete, CE3 and CE2 have reachable routes to each other. The command output on CE3 is used as an example.

    [CE3] display isis peer
                                                        
                             Peer information for ISIS(50)       
                                                                         
      System Id     Interface          Circuit Id       State HoldTime Type     PRI            
    -------------------------------------------------------------------------------             
    0000.0000.0002  Tun1               0000000001        Up   26s      L1L2     --            
                                         
    Total Peer(s): 1        
    
    [CE3] display ip routing-table 10.2.1.0
    Proto: Protocol        Pre: Preference
    Route Flags: R - relay, D - download to fib, T - to vpn-instance
    ------------------------------------------------------------------------------
    Routing Table : Public
    Summary Count : 1
    Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
    
           10.2.1.0/24  ISIS-L2 15   74          D  2.2.2.2         Tunnel1

Configuration Files

  • CE3 configuration file

    #
    sysname CE3
    #
    vlan batch 10 20
    #
    isis 50
     network-entity 50.0000.0000.0001.00
    #
    interface Vlanif10
     ip address 10.1.1.2 255.255.255.0
     isis enable 50
    #
    interface Vlanif20
     ip address 30.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type access
     port default vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface Tunnel1
     ip address 2.2.2.1 255.255.255.0
     tunnel-protocol gre
     source 30.1.1.1
     destination 50.1.1.2
     isis enable 50
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
    #
    return

  • CE1 configuration file

    #
    sysname CE1
    #
    vlan batch 10 20
    #
    interface Vlanif10
     ip address 50.1.1.1 255.255.255.0
    #
    interface Vlanif20
     ip address 30.1.1.2 255.255.255.0
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    ospf 20
     area 0.0.0.0
      network 30.1.1.0 0.0.0.255
      network 50.1.1.0 0.0.0.255
    #
    return

  • PE1 configuration file

    #
    sysname PE1
    #
    vlan batch 10 20
    #
    ip vpn-instance vpn1
     ipv4-family 
      route-distinguisher 100:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    ip vpn-instance vpn2
     ipv4-family 
      route-distinguisher 100:2
      vpn-target 222:2 export-extcommunity
      vpn-target 222:2 import-extcommunity
    #
    mpls lsr-id 1.1.1.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0002.00
     import-route bgp
    #
    interface Vlanif10
     ip binding vpn-instance vpn2
     ip address 50.1.1.2 255.255.255.0
    #
    interface Vlanif20
     ip address 110.1.1.1 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface LoopBack1
     ip address 1.1.1.9 255.255.255.255
    #
    interface Tunnel1
     ip binding vpn-instance vpn1
     ip address 2.2.2.2 255.255.255.0
     tunnel-protocol gre
     source 50.1.1.2
     destination vpn-instance vpn2 30.1.1.1
     isis enable 50
    #
    bgp 100
     peer 3.3.3.9 as-number 100
     peer 3.3.3.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 3.3.3.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 3.3.3.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 1.1.1.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    ospf 20 vpn-instance vpn2
     area 0.0.0.0
      network 50.1.1.0 0.0.0.255
    #
    return

  • PE2 configuration file

    #
    sysname PE2
    #
    vlan batch 10 20
    #
    ip vpn-instance vpn1
     ipv4-family
      route-distinguisher 200:1
      vpn-target 111:1 export-extcommunity
      vpn-target 111:1 import-extcommunity
    #
    mpls lsr-id 3.3.3.9
    mpls
     lsp-trigger all
    #
    mpls ldp
    #
    isis 50 vpn-instance vpn1
     network-entity 50.0000.0000.0003.00
     import-route bgp
    #
    interface Vlanif10
     ip binding vpn-instance vpn1
     ip address 11.1.1.2 255.255.255.0
     isis enable 50
    #
    interface Vlanif20
     ip address 110.1.1.2 255.255.255.0
     mpls
     mpls ldp
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 20
    #
    interface GigabitEthernet0/0/2
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface LoopBack1
     ip address 3.3.3.9 255.255.255.255
    #
    bgp 100
     peer 1.1.1.9 as-number 100
     peer 1.1.1.9 connect-interface LoopBack1
     #
     ipv4-family unicast
      undo synchronization
      peer 1.1.1.9 enable
     #
     ipv4-family vpnv4
      policy vpn-target
      peer 1.1.1.9 enable
     #
     ipv4-family vpn-instance vpn1
      import-route isis 50
    #
    ospf 10
     area 0.0.0.0
      network 3.3.3.9 0.0.0.0
      network 110.1.1.0 0.0.0.255
    #
    return

  • CE2 configuration file

    #
    sysname CE2
    #
    vlan batch 10 20
    #
    isis 50
     network-entity 50.0000.0000.0004.00
    #
    interface Vlanif10
     ip address 11.1.1.1 255.255.255.0
     isis enable 50
    #
    interface Vlanif20
     ip address 10.2.1.2 255.255.255.0
     isis enable 50
    #
    interface GigabitEthernet0/0/1
     port link-type trunk
     port trunk allow-pass vlan 10
    #
    interface GigabitEthernet0/0/2
     port link-type access
     port default vlan 20
    #
    return
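
The separation this example relies on (Tunnel1 carries vpn1 traffic, its GRE transport is resolved in vpn2, and the two instances use different route targets) can be checked offline against a saved configuration file. The following Python script is an added example, not Huawei code: `parse`, `field` and `audit` are hypothetical helper names, the sample is constructed from the PE1 configuration file above, and the script assumes the tunnel `source` is written as an IP address, as it is on this page.

```python
# Constructed sample: PE1's vpn1, vpn2, Vlanif10 and Tunnel1 stanzas (RD lines omitted)
PE1_CFG = """\
ip vpn-instance vpn1
 ipv4-family
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpn2
 ipv4-family
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
interface Vlanif10
 ip binding vpn-instance vpn2
 ip address 50.1.1.2 255.255.255.0
#
interface Tunnel1
 ip binding vpn-instance vpn1
 ip address 2.2.2.2 255.255.255.0
 tunnel-protocol gre
 source 50.1.1.2
 destination vpn-instance vpn2 30.1.1.1
"""

def parse(cfg):  # -> {stanza header: [stripped body lines]}
    stanzas, cur = {}, []
    for line in cfg.splitlines():
        if line[:1] not in (" ", "#", ""):  # an unindented line starts a stanza
            cur = stanzas.setdefault(line.strip(), [])
        elif line.startswith(" "):
            cur.append(line.strip())
    return stanzas

def field(body, prefix):  # rest of the first line starting with prefix, else None
    return next((l[len(prefix):] for l in body if l.startswith(prefix)), None)

def audit(cfg):  # hypothetical helper: returns a list of findings, empty if clean
    s = parse(cfg)
    rts = {h.split()[-1]: {l.split()[1] for l in b if l.startswith("vpn-target ")}
           for h, b in s.items() if h.startswith("ip vpn-instance ")}
    out = [f"{a}/{b} share route target(s) {sorted(rts[a] & rts[b])}"  # check 1: RT overlap
           for a in rts for b in rts if a < b and rts[a] & rts[b]]
    ifs = {h: b for h, b in s.items() if h.startswith("interface ")}
    for h, b in [i for i in ifs.items() if "tunnel-protocol gre" in i[1]]:
        overlay, src = field(b, "ip binding vpn-instance "), field(b, "source ")
        dst = (field(b, "destination ") or "").split()
        underlay = dst[1] if len(dst) > 2 and dst[0] == "vpn-instance" else None  # None = public
        if overlay and overlay == underlay:  # check 2: payload VPN also used as transport
            out.append(f"{h}: payload and transport both use {overlay}")
        owners = [field(o, "ip binding vpn-instance ") for o in ifs.values()
                  if (field(o, "ip address ") or "").split()[:1] == [src]]
        if owners != [underlay]:  # check 3: source interface not in the destination's instance
            out.append(f"{h}: source {src} is outside the destination's instance ({underlay or 'public'})")
    return out
```

An empty list from `audit()` means the three checks passed; omitting `vpn-instance vpn2` from the tunnel destination, the point the configuration roadmap singles out, is reported by check 3.
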

Copyright © Huawei Technologies Co., Ltd.