H3c-technologies H3C SecPath F1000-E User Manual

i Table of Contents GRE Configuration·················································································································

9 Figure 8 Network diagram for a GRE over IPv4 tunnel Configuration procedure NOTE: Before the configuration, make sure that Device A and Device

10 [DeviceB] interface gigabitethernet 2/1 [DeviceB-GigabitEthernet2/1] ip address 2.2.2.2 255.255.255.0 [DeviceB-GigabitEthernet2/1] quit # Create a

11 Description: Tunnel0 Interface The Maximum Transmit Unit is 1476 Internet Address is 10.1.2.2/24 Primary Encapsulation is TUNNEL, service-loopback

12 Configuration procedure NOTE: Before the configuration, make sure that Device A and Device B are reachable to each other. Step1 Configure Dev

13 [DeviceB-GigabitEthernet2/1] quit # Create an interface named Tunnel 0. [DeviceB] interface tunnel 0 # Configure an IPv4 address for interface Tun

14 Encapsulation is TUNNEL, service-loopback-group ID not set. Tunnel source 2002::2:1, destination 2002::1:1 Tunnel protocol/transport GRE/IPv6

15 Solution: • On Device A and Device C, execute the display ip routing-table command in any view respectively. On Device A, observe whether there

1 Point to Multi-Point GRE Tunnel Configuration This chapter includes these sections: • P2MP GRE Tunnel Overview • Configuring a P2MP GRE Tunnel • Di

2 traditional P2P GRE tunnel mode. Then, a GRE tunnel will be established dynamically between the headquarters and each branch. Operation of a P2MP

3 P2MP GRE Tunnel Backup GRE tunnel backup at a branch Figure 13 GRE tunnel backup at a branch Device BDevice C(Backup gateway)IPv4 networkDevice ATu

1 GRE Configuration This chapter includes these sections: • GRE Overview • Configuring a GRE over IPv4 Tunnel • Configuring a GRE over IPv6 Tunnel •

4 GRE tunnel backup at the headquarters Figure 14 GRE tunnel backup at the headquarters As shown in Figure 14, for higher network reliability, you

5 This not only ensures better cooperation of devices from different vendors, but also helps avoid repetitive investments on branch node devices. •

6 To do… Use the command… Remarks Configure the source address or interface for the tunnel interface source { ip-address | interface-type interface

7 • When configuring a route through the tunnel, you can configure a static route, using the address of the network segment that the original packet

8 Figure 15 Network diagram for basic P2MP GRE tunnel configuration Configuration procedure Step1 Configure Device A # Configure an IP address for

9 [DeviceB–GigabitEthernet1/1] quit # Configure an IP address for interface GigabitEthernet 1/2. [DeviceB] interface gigabitethernet 1/2 [DeviceB–Gig

10 NOTE: To avoid looping, do not configure the tunnel interface of the GRE over IPv4 tunnel as the backup interfaceof the P2MP GRE tunnel interfac

11 # Configure the tunnel encapsulation mode of interface Tunnel 0 as P2MP GRE. [DeviceA-Tunnel0] tunnel-protocol gre p2mp # Configure the mask of th

12 [DeviceC-Tunnel0] ip address 172.168.1.3 255.255.255.0 # Configure the tunnel encapsulation mode of interface Tunnel 0 as GRE over IPv4. [DeviceC-

13 The output information indicates that on Device A there was a tunnel entry to the branch network, and packets to the branch network were forwarded

2 Format of an encapsulated packet Figure 2 shows the format of an encapsulated packet. Figure 2 Format of an encapsulated packet As an example, Fi

14 Figure 17 Network diagram for P2MP GRE tunnel backup at a branch GE1/1GE1/1Device BDevice C(Backup gateway)IPv4 networkDevice AGE1/1GE1/2Tunnel0Tu

15 [DeviceB-Tunnel0] tunnel-protocol gre # Configure the source and destination IP addresses of interface Tunnel 0. [DeviceB-Tunnel0] source 11.1.1.2

16 # On Host B, specify Device C as the default gateway. After the tunnel entry corresponding to Device B ages out, ping Host A from Host B. The ping

i Table of Contents L2TP Configuration················································································································

1 L2TP Configuration This chapter includes these sections: • L2TP Overview • L2TP Configuration Task List • Displaying and Maintaining L2TP • L2TP Co

2 Figure 1 VPDN built by using L2TP PPPoE/ISDNInternetL2TP tunnelRemote userRemote branchLACLNSInternal server A VPDN built by using L2TP comprises

3 L2TP architecture Figure 2 shows the relationship between the PPP frame, control channel, and data channel. PPP frames are transferred over unrelia

4 same tunnel ID but different session IDs are multiplexed to the same tunnel. The tunnel ID and session ID in a header are the intended receiver’s,

5 Figure 6 LAC-auto-initiated tunneling mode L2TP tunnel establishment process Figure 7 shows a typical L2TP network. Figure 7 Typical L2TP network

6 Figure 8 L2TP call setup procedure (1) Call setup(2) PPP LCP setup(3) PAP or CHAP authenticaion(4) Access request(5) Access accept(6) Tunnel setup(

3 GRE Security Options For the purpose of tunnel security, GRE provides two options: tunnel interface key and end-to-end checksum. According to RFC 1

7 14. The RADIUS server authenticates the access request and returns a response if the user passes authentication. 15. The LNS assigns an internal I

8 Task Remarks Enable L2TP Create an L2TP group Configuring Basic L2TP Capability Specify the local name of the tunnel Required Configuring an LAC t

9 To do… Use the command… Remarks Specify the local name of the tunnel tunnel name name Optional The system name of the device is used by default.

10 To do… Use the command… Remarks Specify that AVP data be transferred in hidden mode tunnel avp-hidden Optional By default, AVP data is transferr

11 Configuring an LAC to Establish an L2TP Tunnel To configure an LAC to establish an L2TP tunnel, you need to: • Create a virtual template interfac

12 NOTE: An L2TP tunnel established in LAC-auto-initiated mode exists until you remove the tunnel by using the undol2tp-auto-client enable command.

13 To do… Use the command… Remarks Configure the authentication mode for PPP users ppp authentication-mode { chap | pap } [ [ call-in ] domain isp-

14 virtual template interface is PAP. If the authentication type configured on the virtual template interface is CHAP but that configured on the LAC

15 To do… Use the command… Remarks Enter system view system-view — Enter L2TP group view l2tp-group group-number — Specify the LNS to perform LCP r

16 Specifying to Send ACCM According to RFC 2661, the Asynchronous Control Character Map (ACCM) AVP enables an LNS to inform the LAC of the ACCM that

4 Scope enlargement of a hop-limited protocol such as RIP Figure 5 Network scope enlargement When the hop count between two terminals exceeds 15, t

17 response packet from the peer within a specified period of time, it retransmits the Hello packet. If it receives no response packet from the peer

18 To do… Use the command… Remarks Display information about L2TP sessions display l2tp session Available in any view L2TP Configuration Examples

19 # Create an L2TP group and configure its attributes. [LAC] l2tp-group 1 [LAC-l2tp1] tunnel name LAC [LAC-l2tp1] start l2tp ip 1.1.2.2 fullusername

20 [LNS] dis l2tp tunnel Total tunnel = 1 LocalTID RemoteTID RemoteAddress Port Sessions RemoteName 1 1 1.1.2.1 1701

21 [LNS-isp-system] quit # Enable L2TP. [LNS] l2tp enable # Configure the virtual template interface. [LNS] interface virtual-template 1 [LNS-virtual

22 Configuration Example for LAC-Auto-Initiated VPN Network requirements Create a virtual PPP user on the LAC and configure the LAC to initiate a tun

23 [LNS-l2tp1] tunnel name LNS [LNS-l2tp1] allow l2tp virtual-template 1 remote LAC # Enable tunnel authentication and configure the authentication p

24 Step3 Verify the configurations # On the LNS, perform the display l2tp session command to view the established L2TP session. [LNS] display l2tp se

25 Figure 12 Network diagram for L2TP multi-domain application WANCorporate network 1L2TP tunnelEth1/21.1.2.1/24GE1/11.1.2.2/24LNSLACHost ACorporate

26 # Create the virtual template interfaces and configure CHAP authentication. [LAC] interface virtual-template 100 [LAC-Virtual-Template100] ppp aut

5 Protocols and Standards • RFC 1701 Generic Routing Encapsulation (GRE) • RFC 1702 Generic Routing Encapsulation over IPv4 networks • RFC 2784

27 [LNS-isp-aaa.net] ip pool 1 10.0.1.10 10.0.1.100 [LNS-isp-aaa.net] quit [LNS] domain bbb.net [LNS-isp-bbb.net] authentication ppp local [LNS-isp-b

28 LocalSID RemoteSID LocalTID 17345 4351 1 23914 10923 2 # On the LNS, use the display l2tp tunnel command to check the e

29 Symptom 2: Data transmission fails. A connection is setup but data cannot be transmitted. For example, the LAC and LNS cannot ping each other. Ana

i Table of Contents L3VPN Configuration···············································································································

1 L3VPN Configuration This chapter includes these sections: • L3VPN Overview • L3VPN Configuration Task List • Displaying and Maintaining L3VPN • L3V

2 Figure 1 Network diagram for L3VPN model VPN 1CESite 1VPN 2CECECESite 3VPN 2PEVPN 1Site 2Site 4PEPEPPPP CEs and PEs mark the boundary between the

3 The address spaces of VPNs may overlap. For example, if both VPN 1 and VPN 2 use the addresses on network segment 10.110.10.0/24, address space ove

4 In the simplest case, all users in a VPN form a closed user group. They can forward traffic to each other but cannot communicate with any user outs

5 Figure 3 Network diagram for hub and spoke networking scheme In Figure 3, the spoke sites communicate with each other through the hub site. The a

6 Figure 4 Network diagram for extranet networking scheme CECEPE 1PE 3Site 2Site 1Site 3VPN 1VPN 1VPN 2VPN 1:Import:100:1Export:100:1CEVPN 2:Import:2

6 To do… Use the command… Remarks Configure the key for the GRE tunnel interface gre key key-number Optional By default, no key is configured for a

7 In the OSPF VPN extension application, the VPN backbone is considered the backbone area (area 0). Since OSPF requires that the backbone area must b

8 It is required that each OSPF domain has a configurable domain ID. It is recommended to configure for all OSPF instances in the network related to

9 To do… Use the command… Remarks Enter system view system-view — Create a VPN instance and enter VPN instance view ip vpn-instance vpn-instance-na

10 Follow these steps to configure route related attributes of a VPN instance To do… Use the command… Remarks Enter system view system-view — Enter

11 To do… Use the command… Remarks Create a VPN instance and enter VPN instance view ip vpn-instance vpn-instance-name Required No VPN instance exi

12 Follow these steps to configure RIP between PE and CE: To do… Use the command… Remarks Enter system view system-view — Create a RIP instance bet

13 The domain ID of an OSPF process is included in the routes generated by the process. When an OSPF route is injected into BGP, the OSPF domain ID i

14 To do… Use the command… Remarks Enter system view system-view — Enter BGP view bgp as-number — Configure the PE as the peer peer { group-name |

15 To do… Use the command… Remarks Display information about the forwarding table of a VPN instance display fib vpn-instance vpn-instance-name [ |

16 To do… Use the command… Remarks Clear route flap history information about a BGP peer of a VPN instance reset bgp vpn-instance vpn-instance-name

7 Configuration Procedure Follow these steps to configure a GRE over IPv6 tunnel: To do… Use the command… Remarks Enter system view system-view — E

17 [CE-GigabitEthernet0/0] ip binding vpn-instance CE-VPN1 [CE-GigabitEthernet0/0] ip address 10.1.1.2 255.255.255.0 # Configure interface GigabitEt

8 • For information about commands interface tunnel, tunnel-protocol, source, destination, and encapsulation-limit, see Tunneling Commands in the IP