
LTE Cellular Interface Configuration

Contents
7.3.3.13 LTE Cellular Interface Configuration
7.3.3.13.1 Introduction to LTE Cellular Interfaces
7.3.3.13.2 Principles
7.3.3.13.2.1 LTE Network Architecture
7.3.3.13.2.2 LTE Hardware and Supported Frequency Bands and Rates
7.3.3.13.2.3 LTE Dial-up Connection Setup
7.3.3.13.2.4 APN
7.3.3.13.3 Configuration Notes
7.3.3.13.4 Applications
7.3.3.13.4.1 LTE Links as Backup WAN Links
7.3.3.13.4.2 LTE Links as Primary WAN Links
7.3.3.13.4.3 VPN Tunnel to the Enterprise Headquarters over an LTE Link
7.3.3.13.4.4 Data Communication and VoIP Communication Using LTE Multi-APN
7.3.3.13.4.5 Accessing Different LTE Networks Using Dual SIM Cards
7.3.3.13.5 Configuration Tasks
7.3.3.13.6 Default Configuration
7.3.3.13.7 Setting Connection Parameters of LTE Cellular Interfaces
7.3.3.13.7.1 (Optional) Configuring the Default APN
7.3.3.13.7.2 Selecting a PLMN
7.3.3.13.7.3 (Optional) Configuring the Service Domain
7.3.3.13.7.4 (Optional) Manually Configuring Frequency Bands
7.3.3.13.7.5 Configuring a Network Connection Mode
7.3.3.13.7.6 Configuring an APN Profile (A Single SIM Card and A Single APN)
7.3.3.13.7.7 Configuring an APN Profile (A Single SIM Card and Dual APNs)
7.3.3.13.7.8 Configuring APN Profiles (Dual SIM Cards and a Single APN)
7.3.3.13.7.9 Configuring the MTU
7.3.3.13.7.10 Checking the Configuration
7.3.3.13.8 Configuring C-DCC for Dial-up Connection
7.3.3.13.9 Configuring PIN Management
7.3.3.13.10 (Optional) Configuring the Function of Receiving and Sending SMS Messages
7.3.3.13.11 (Optional) Configuring the SMS Alarm Function
7.3.3.13.12 Maintaining LTE Cellular Interfaces
7.3.3.13.12.1 Restarting an LTE Modem Manually
7.3.3.13.12.2 Automatically Restarting an LTE Modem
7.3.3.13.12.3 Using an NQA Test Instance to Detect a 3G or LTE Link
7.3.3.13.12.4 Restarting an LTE Modem After Several Consecutive Dial-up Failures
7.3.3.13.12.5 Clearing Statistics on LTE Cellular Interfaces
7.3.3.13.12.6 Enabling the WWAN Log Function
7.3.3.13.13 Configuration Examples
7.3.3.13.13.1 Example for Configuring an LTE Cellular Interface as the Primary Interface to Connect to the Internet
7.3.3.13.13.2 Example for Configuring an LTE Cellular Interface as the Backup Interface to Connect to the Internet
7.3.3.13.13.3 Example for Configuring LTE Cellular Interfaces as the Primary/Backup Interfaces to Connect to the Internet (Using Two 1LTE-L Interface Cards)
7.3.3.13.13.4 Configuring LTE Cellular Interfaces to Use the Multi-APN Function for Data and VoIP Communication
7.3.3.13.13.5 Example for Accessing Different LTE Networks Using Dual SIM Cards
7.3.3.13.14 References
7.3.10.6 DSVPN Configuration
7.3.10.6.1 Overview
7.3.10.6.2 Principles
7.3.10.6.2.1 Basic Concepts
7.3.10.6.2.2 Basic Principles
7.3.10.6.2.3 DSVPN NAT Traversal
7.3.10.6.2.4 DSVPN Dual-Hub Backup
7.3.10.6.2.5 IPSec-based DSVPN
7.3.10.6.3 Applications
7.3.10.6.3.1 DSVPN Deployment on a Small- or Medium-sized Network
7.3.10.6.3.2 DSVPN Deployment on a Large-sized Network
7.3.10.6.4 Configuration Notes
7.3.10.6.5 Default Configuration
7.3.10.6.6 Configuring DSVPN
7.3.10.6.6.1 Configuring mGRE
7.3.10.6.6.2 Configuring Routes
7.3.10.6.6.3 Configuring NHRP
7.3.10.6.6.4 (Optional) Configuring an IPSec Profile
7.3.10.6.6.5 Checking the Configuration
7.3.10.6.7 Maintaining DSVPN
7.3.10.6.7.1 Clearing DSVPN Statistics
7.3.10.6.7.2 Displaying the DSVPN Statistics
7.3.10.6.8 Configuration Examples
7.3.10.6.8.1 Example for Configuring Non-Shortcut Scenario of DSVPN (Static Route)
7.3.10.6.8.2 Example for Configuring Non-Shortcut Scenario of DSVPN (RIP)
7.3.10.6.8.3 Example for Configuring Non-Shortcut Scenario of DSVPN (OSPF)
7.3.10.6.8.4 Example for Configuring Non-Shortcut Scenario of DSVPN (BGP)
7.3.10.6.8.5 Example for Configuring Shortcut Scenario of DSVPN (RIP)
7.3.10.6.8.6 Example for Configuring Shortcut Scenario of DSVPN (OSPF)
7.3.10.6.8.7 Example for Configuring Shortcut Scenario of DSVPN (BGP)
7.3.10.6.8.8 Example for Configuring DSVPN NAT traversal
7.3.10.6.8.9 Example for Configuring Dual-Hub DSVPN
7.3.10.6.8.10 Example for configuring IPSec-based DSVPN
7.3.10.6.8.11 Example for Configuring a Dual-Hub DSVPN Protected by IPSec
7.3.10.6.8.12 Example for Configuring a DSVPN Based on the LTE Dialup Status
7.3.10.6.9 Common Configuration Errors
7.3.10.6.9.1 Spoke Fails to Register with a Hub
7.3.10.6.9.2 Spokes Cannot Communicate with Each Other in the Non-shortcut Scenario
7.3.10.6.9.3 Spokes Cannot Communicate with Each Other in the Shortcut Scenario
7.3.10.6.9.4 Backup Hub Only Forwards Data After the Master Hub Fails
7.3.10.6.10 References


7.3.3.13 LTE Cellular Interface Configuration
You can configure Long Term Evolution (LTE) cellular interfaces to transmit voice, video, and
data services over the LTE network.

Introduction to LTE Cellular Interfaces


This section describes the definition, type, and purpose of LTE Cellular Interfaces.
Principles
This section describes the implementation of LTE.
Configuration Notes
This section describes specifications of LTE Cellular Interface.
Applications
This section describes the applicable scenario of LTE Cellular Interfaces.
Configuration Tasks
This section describes configuration tasks of LTE cellular interfaces.
Default Configuration
This section describes the default configuration of LTE cellular interfaces.
Setting Connection Parameters of LTE Cellular Interfaces
Before connecting LTE cellular interfaces to the Internet through the LTE network, you
must set the connection parameters of LTE cellular interfaces.
Configuring C-DCC for Dial-up Connection
To use LTE cellular interfaces to connect to an LTE network, you must configure circular
dial control center (C-DCC) for dial-up connection.
Configuring PIN Management
The personal identification number (PIN) of a SIM card ensures security of the SIM card.
(Optional) Configuring the Function of Receiving and Sending SMS Messages
You can configure the function of receiving and sending short message service (SMS)
messages so that the device and users can exchange SMS messages.
(Optional) Configuring the SMS Alarm Function
After the short message service (SMS) alarm function is configured, a short message with
the specified content can be sent to notify specific users of the service interface status
change.
Maintaining LTE Cellular Interfaces
Maintaining LTE cellular interfaces includes restarting LTE data cards and clearing
statistics.
Configuration Examples
This section provides examples for configuring LTE cellular interfaces, including
networking requirements, networking diagrams, configuration roadmaps, and
configuration procedures.
References
This section lists references of 3G and LTE.
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.3.13.1 Introduction to LTE Cellular Interfaces
This section describes the definition, type, and purpose of LTE Cellular Interfaces.

Definition

Long Term Evolution (LTE) is a standard developed by the 3rd Generation Partnership Project
(3GPP) for the Universal Mobile Telecommunications System (UMTS).

LTE is an improvement over 3G technology, but it is not equivalent to 4G technology. LTE is a
transition from 3G to 4G technology. Compared with 3G technology, LTE has the following
technical advantages:

• Higher data transmission rate: LTE provides a downstream peak rate of 100 Mbit/s and
  an upstream peak rate of 50 Mbit/s over a 20 MHz bandwidth.
• Improved spectrum efficiency.
• Increased network deployment flexibility: LTE supports bandwidth ranging from 1.25
  MHz to 20 MHz.
• QoS guarantee: The LTE system design and strict QoS mechanism ensure better QoS for
  delay-sensitive services such as voice over Internet Protocol (VoIP).
• Shorter delay on wireless networks.
• Higher cell edge bit rate: The high bit rate delivers higher performance for users located
  on the cell edge.
• Backward compatible: LTE offers compatibility between the existing 3G system and
  non-3GPP systems.

An LTE cellular interface is a physical interface supporting Long Term Evolution (LTE)
technology. Compared with 3G technology, LTE technology provides enterprises with
high-bandwidth wireless WAN access service.

Type
LTE hardware includes the LTE data card, LTE interface card, and LTE model. A device
equipped with an LTE data card or LTE interface card provides LTE cellular interfaces, and
LTE models have LTE cellular interfaces. The LTE data card, LTE interface card, and LTE
model each have a built-in LTE modem. An LTE cellular interface manages an LTE modem. The
LTE cellular interface uses an LTE modem for wireless data transmission at the physical layer,
PPP or Wireless Wide Area Network (WWAN) at the data link layer, and IP at the network layer.

The device supports the following LTE cellular interface types:

• On the AR1200 series (except AR1220C and AR1220-8GE), AR2200 series (except
  AR2201-48FE and AR2202-48FE), AR3200 series, and AR3600 series, an LTE cellular
  interface can be a USB interface with an external LTE data card or provided by 1LTE-L,
  1LTE-LV, and 1LTEC interface cards.
• On the AR120&AR150&AR160&AR200 series, AR2201-48FE, and AR2202-48FE, an
  LTE cellular interface can be a USB interface with an external LTE data card. Among the
  AR120&AR160 series, the AR121GW-L, AR129GW-L, AR161FG-L, AR169FGW-L,
  AR169FGVW-L, AR169G-L, AR161G-L, AR161FGW-La, and AR161FGW-L support
  LTE cellular interfaces. When purchasing the AR161FG-L, AR169FGW-L,
  AR169FGVW-L, AR169G-L, AR161G-L, AR161FGW-La, and AR161FGW-L, you can
  select the LTE cellular interfaces of different types as required.
  o When you select the LTE cellular interface supported by the AR121GW-L,
    AR129GW-L, AR161FG-L, AR169FGW-L, AR169FGVW-L, AR169G-L,
    AR161G-L, AR161FGW-La, and AR161FGW-L, the interface number is Cellular
    0/0/0.
  o When you select the LTE cellular interface provided by the USB interface with an
    external LTE data card, the interface number is Cellular 0/0/1.

In addition, the LTE cellular interface provided by a 1LTE-L interface card can be configured
with two LTE channel interfaces numbered 1 and 2.

NOTE:

You can re-insert an LTE data card into the device 5 seconds after the card is removed. If an
LTE data card cannot be identified after you quickly remove and reinstall the card, you must
restart the device.

LTE includes the time division long term evolution (TD-LTE) and frequency-division duplex
long term evolution (FDD-LTE). Among LTE networks, LTE cellular interfaces can only
connect to FDD-LTE and TD-LTE networks. Among 3G networks, LTE cellular interfaces can
only connect to GSM, WCDMA and TD-SCDMA networks, not CDMA2000 networks.

Purpose

LTE technology deployed on routers provides wireless access and interconnection for enterprise
branches or small- and medium-sized enterprises. Compared with 3G technology, LTE
technology provides higher bandwidth on wireless WAN links to transmit more voice, data, and
video services for enterprise users.

Enterprises can use LTE technology to replace or back up wired WAN links such as Ethernet,
digital subscriber line (DSL), frame relay (FR), and integrated services digital network (ISDN)
links. LTE allows flexible, efficient, and fast network deployment, and provides a backup for
wired WAN links on an enterprise network.

Benefits

LTE technology brings users the following benefits:

• Wired WAN link backup: LTE technology backs up wired links such as Ethernet and
  DSL, ensuring uninterrupted services if the wired links fail.
• Flexible, efficient, and fast network deployment: LTE technology provides service
  coverage even in remote areas and mobile office scenarios.
• Secure virtual private network (VPN) access: An enterprise branch can set up a tunnel
  with the enterprise headquarters on LTE links using VPN technologies, such as Generic
  Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), or Internet Protocol
  Security (IPSec) VPN. This tunnel allows the enterprise branch to communicate with the
  headquarters in a fast, secure, and efficient way.
• Data services and multimedia services: LTE allows a router to connect to different
  gateways using different access point names (APNs). For example, the router can use one
  APN to access the Internet, and another APN to access the IP multimedia subsystem
  (IMS). QoS settings on the router can be configured to control the quality of data and
  multimedia services on the router.

Limitations

Due to limitations in wireless transmission, LTE may be limited in terms of throughput, delay,
and customer requirements:

• Throughput: varies depending on the number of active users and network congestion.
  This is a common limitation of wireless networks.
• Delay: varies depending on the quality of network services provided by carriers and may
  increase due to network congestion. Compared with wired networks, wireless networks
  may cause longer delays.
• Carriers may pose other limitations on LTE.

7.3.3.13.2 Principles
This section describes the implementation of LTE.

LTE Network Architecture


LTE Hardware and Supported Frequency Bands and Rates
LTE Dial-up Connection Setup
APN

7.3.3.13.2.1 LTE Network Architecture


Different from a traditional 3GPP network, an LTE network uses the single-layer architecture
that combines radio network controller (RNC) nodes and NodeB nodes into E-UTRAN NodeB
(eNodeB) nodes, as shown in Figure 1. The eNodeB nodes complete circuit switching on the base
stations. This single-layer architecture simplifies the network, shortens the system delay, and
reduces the costs in network construction and maintenance.

Table 1 describes LTE network elements (NEs). A router connects to the LTE network as user
equipment (UE).

Figure 1 LTE network architecture


Table 1 LTE NEs

NE               Description
PDN gateway      Packet data network (PDN) gateway. The PDN gateway connects UEs to an
                 external PDN.
Serving gateway  Serving gateway (SGW). The SGW routes and forwards data packets and manages
                 user mobility as well as mobility between LTE and other 3GPP technologies.
SGSN             Serving GPRS support node (SGSN). The SGSN is an important part of the packet
                 switched domain on the General Packet Radio Service (GPRS), Time
                 Division-Synchronous Code Division Multiple Access (TD-SCDMA), and Wideband
                 Code Division Multiple Access (WCDMA) networks. The SGSN routes and forwards
                 packets, manages mobility, sessions, and logical links, performs
                 authentication and encryption, and generates and exports call detail records
                 (CDRs).
eNodeB           eNodeB connects to the SGW using an S1-UP interface and communicates with a
                 UE using a Uu interface, completing protocol processing on the S1-UP
                 interface and Uu interface physical layer.
UE               User equipment (UE). On 3G and 4G networks, UEs include mobile phones, smart
                 terminals, multimedia devices, and streaming devices.

7.3.3.13.2.2 LTE Hardware and Supported Frequency Bands and Rates
The router supports the following LTE hardware components:

• USB data card (LTE data card): inserted in the USB interface on the SRU.
• LTE interface card: has a built-in LTE modem and is installed in a slot on the router.

NOTE:

Install a SIM card on an LTE modem or interface card before using the LTE feature.

LTE is classified into time division LTE (TD-LTE) and frequency division duplex LTE (FDD-LTE).

Table 1 lists the frequency bands and rates supported by an LTE interface card (1LTE-L).

Table 1 Frequency bands and rates supported by an LTE interface card

Attribute        Description
Frequency bands  • GSM/GPRS/EDGE: 850/900/1800/1900 MHz
                 • WCDMA/HSDPA/HSUPA/HSPA+: band 1/2/5/8
                 • LTE FDD: band 1/2/3/5/7/8/20
Rates            • GSM CS: upstream 14.4 kbit/s and downstream 14.4 kbit/s
                 • GPRS: upstream 85.6 kbit/s and downstream 85.6 kbit/s
                 • EDGE: upstream 236.8 kbit/s and downstream 236.8 kbit/s
                 • WCDMA CS: upstream 64 kbit/s and downstream 64 kbit/s
                 • WCDMA PS: upstream 384 kbit/s and downstream 384 kbit/s
                 • HSPA+: upstream 5.76 Mbit/s and downstream 21.6 Mbit/s
                 • DC-HSPA+: upstream 5.76 Mbit/s and downstream 42 Mbit/s
                 • LTE FDD: upstream 50 Mbit/s and downstream 100 Mbit/s

Table 2 lists the frequency bands and rates supported by a USB data card (E392).

Table 2 Frequency bands and rates supported by a USB data card

Attribute        Description
Frequency bands  • EDGE: 850/900/1800/1900 MHz
                 • UMTS: 900/1800/2100 MHz
                 • FDD-LTE: 800/1800/2100/2600 MHz
Rates            • GPRS: upstream 85.6 kbit/s and downstream 85.6 kbit/s
                 • EDGE: upstream 236.8 kbit/s and downstream 236.8 kbit/s
                 • WCDMA CS: upstream 64 kbit/s and downstream 64 kbit/s
                 • WCDMA PS: upstream 384 kbit/s and downstream 384 kbit/s
                 • HSPA+: upstream 5.76 Mbit/s and downstream 21.6 Mbit/s
                 • DC-HSPA+: upstream 5.76 Mbit/s and downstream 42 Mbit/s
                 • LTE FDD: upstream 50 Mbit/s and downstream 100 Mbit/s


7.3.3.13.2.3 LTE Dial-up Connection Setup


LTE initiates a dial-up connection using circular dial control center (C-DCC). Two dial-up
modes are available:

• Automatic dial-up (permanently online)

  The DCC initiates a dial-up connection to the PGW immediately after the router starts.
  The dial-up process does not need to be triggered by data packets. If the DCC fails to set
  up a connection with the PGW, it retries after an interval.

  This mode applies to users who are not charged based on the traffic or time, for example,
  users who have subscribed to yearly-package services.

• Dial-on-demand (not permanently online; traffic-triggered connection setup)

  The router sets up a connection only when data needs to be transmitted. When no traffic
  is transmitted on the connection within a specified period, the router tears down the
  connection to save traffic.

  This mode applies to users who are charged based on the traffic or time. For example,
  users of a traffic-package service can use a certain volume of traffic within a specified
  period, and the dial-on-demand mode applies to these users.

As shown in Figure 1, when data needs to be transmitted or the dial-up timer expires, the router
uses C-DCC to initiate a dial-up on a cellular interface and enables the LTE modem to connect to
the PGW.
Figure 1 LTE dial-up connection setup

An LTE dial-up connection is set up in the following process:

1. When data needs to be transmitted or the dial-up timer expires, the router uses C-DCC to
initiate a dial-up on a cellular interface. The cellular interface sends a connection setup
request message to the LTE modem.
2. The LTE modem sends a connection setup request message to the PGW. The message
contains user authentication information including the access point name (APN), user
name, and password.
3. The PGW authenticates the user identity. After authentication succeeds, the PGW sets up
a connection with the LTE modem and assigns an IP address to the LTE modem.
4. The LTE modem instructs the cellular interface to go Up physically.
5. The cellular interface negotiates with the LTE modem to obtain an IP address.
6. The cellular interface sets up a connection with the PGW and forwards data services.

NOTE:

The LTE module of the device does not support forwarding of DHCP packets.


7.3.3.13.2.4 APN
Definition

An access point name (APN) identifies an external packet data network (PDN) that a user needs
to access. Users connect to a PDN using the APN of the PDN. As shown in Figure 1, a router can
connect to the carrier's PDN and the enterprise's gateway using the APNs configured for the
carrier and enterprise. For example, APN1 is used to access the IMS network, and APN2 is used
to access the enterprise data gateway.

Figure 1 PDN access using APNs

LTE Multi-APN

In Figure 2, the 1LTE-L interface card on the router supports two APNs that share the same
cellular interface. You need to bind each APN to a cellular channel interface configured on the
cellular interface. Each cellular channel interface is a logical service interface that has its own IP
address, DCC dial-up configuration, and services (such as voice, data, and VPN).

Figure 2 LTE multi-APN networking


The two APNs share uplink bandwidth on the cellular interface. QoS must be configured to
schedule services of the APNs. For example, if one APN is used to transmit voice services and
the other APN is used to transmit data services, voice services must be transmitted with a higher
priority. QoS parameters must be configured on the cellular interface to ensure that voice
services are preferentially scheduled.


7.3.3.13.3 Configuration Notes


This section describes specifications of LTE Cellular Interface.

Involved Network Elements

None.

License Support

LTE Cellular Interface is a basic capability of an AR router and is not under license control.

Feature Dependencies and Limitations

In addition to 1LTE-L, 1LTE-LV, and 1LTEC interface cards, Table 1 lists the 3G data card that
can be selected.

Table 1 LTE data card that can be selected

3G Standard  3G Data Card  Part Number  Firmware Version
LTE          E392          51075939     11.433.31.00.000
             E8278         51070EYC     21.261.67.00.00

Only the LTE cellular interface Cellular 0/0/0 on the AR161FG-L, AR169FGW-L,
AR169FGVW-L, AR169G-L, AR161G-L, and AR161FGW-L with built-in ME906E modules
supports the multi-APN configuration.

The dual-SIM functions can be configured only on the LTE cellular interface (Cellular 0/0/0)
supported by the AR121GW-L, AR129GW-L, AR161FG-L, AR169FGW-L, AR169FGVW-L,
AR169G-L, AR161G-L, AR161FGW-La, and AR161FGW-L.
LTE interface cards support the multi-APN configuration. LTE interface cards support the
dual-SIM configuration.

NOTE:

The LTE data card used by Huawei devices must be E392 or E8278. Otherwise, configuration
faults may occur.

Authorized frequencies vary according to countries and carriers. When enterprises use LTE data
cards to provide LTE services, check whether the frequencies provided by carriers are the
frequencies supported by LTE data cards.

When the E392 data cards are inserted into two USB interfaces on the device to connect to the
Internet through dual uplinks, the two LTE links formed by the E392 data cards must use PPP as
the link-layer protocol and obtain IP addresses through PPP negotiation.


7.3.3.13.4 Applications
This section describes the applicable scenario of LTE Cellular Interfaces.

LTE Links as Backup WAN Links


LTE Links as Primary WAN Links
VPN Tunnel to the Enterprise Headquarters over an LTE Link
Data Communication and VoIP Communication Using LTE Multi-APN
Accessing Different LTE Networks Using Dual SIM Cards

7.3.3.13.4.1 LTE Links as Backup WAN Links
An LTE link can function as the backup link of an Ethernet link, xDSL link, or another LTE link.
As shown in Figure 1, an enterprise branch uses a DSL link as the primary link for WAN access.
If the primary link fails, traffic is immediately switched to the LTE link, enhancing reliability of
Internet access from the enterprise branch.

Figure 1 LTE link backing up a DSL link

In Figure 2, an enterprise branch has two LTE links to connect to the headquarters. LTE link 1 is
the primary link and connects to LTE network 1 of Carrier A. LTE link 2 is the backup link and
connects to LTE network 2 of Carrier B. If the primary link fails, traffic is immediately switched
to the backup LTE link, enhancing reliability of Internet access from the enterprise branch.

Figure 2 LTE link backing up another LTE link


7.3.3.13.4.2 LTE Links as Primary WAN Links
As shown in Figure 1, a remote branch of the enterprise needs to access external networks but
cannot obtain access to the WAN. To meet service transmission requirements, the enterprise
branch uses an LTE link as the primary link to provide the WAN access service for branch user
devices, such as PCs and phones.

Figure 1 LTE link as a primary WAN link


7.3.3.13.4.3 VPN Tunnel to the Enterprise Headquarters over an LTE Link
An enterprise branch can dial up to the Internet through an LTE link and set up a tunnel with the
headquarters using such VPN technologies as Generic Routing Encapsulation (GRE), Layer 2
Tunneling Protocol (L2TP), and Internet Protocol Security (IPSec) VPN. This tunnel allows the
enterprise branch to communicate with the headquarters in a fast, secure, and efficient way.

In Figure 1, an enterprise branch dials up to the Internet through an LTE link and sets up an IPSec
VPN tunnel with the headquarters. The tunnel protects traffic between the enterprise branch and
the headquarters.

Figure 1 Communication between the enterprise branch and the headquarters using an IPSec
VPN tunnel

7.3.3.13.4.4 Data Communication and VoIP Communication Using LTE Multi-APN
As shown in Figure 1, Router is the egress gateway of an enterprise. Two APN profiles can be
created, each of which is bound to an LTE channel interface. One APN connects to the Internet
for data communication, and the other connects to the IMS for VoIP communication. QoS is
configured to control quality of data and voice services.

Figure 1 LTE multi-APN Scenario


7.3.3.13.4.5 Accessing Different LTE Networks Using Dual SIM Cards
As shown in Figure 1, the headquarters and branch of an enterprise are located in different places.
Router is the egress gateway of the branch and connects to the headquarters through an LTE
network (LTE network 1).

To improve data transmission reliability of the LTE link, the branch uses an LTE cellular
interface supporting dual SIM cards. One SIM card functions as the master SIM card to connect
to LTE network 1, the other SIM card functions as the backup SIM card to connect to LTE
network 2. If dial-up fails because the account balance of the master SIM card is insufficient, the
master SIM card is faulty, the LTE link signal quality is poor, or the connected LTE network is
faulty, traffic is automatically switched to the backup SIM card, ensuring uninterrupted
enterprise services.
Figure 1 Networking diagram for accessing different LTE networks using dual SIM cards


7.3.3.13.5 Configuration Tasks


This section describes configuration tasks of LTE cellular interfaces.

To configure LTE cellular interfaces, set the interface connection parameters and configure
C-DCC for dial-up connection so that the LTE cellular interfaces can connect to the LTE network.
You can also configure the PIN management function to ensure security of SIM cards.

NOTE:

This chapter describes the connection parameters of LTE cellular interfaces, C-DCC for dial-up
connection, and PIN management. Based on enterprise service requirements, you may also need
to configure PPP, DHCP, DNS, NAT, firewall, and backup interface functions. For details, see
the relevant configuration guides.


7.3.3.13.6 Default Configuration


This section describes the default configuration of LTE cellular interfaces.
Table 1 lists the default configuration of LTE cellular interfaces.

Table 1 Default configuration of LTE cellular interfaces


Parameter              Default Setting
PLMN selection method  Automatic selection

7.3.3.13.7 Setting Connection Parameters of LTE Cellular Interfaces
Before connecting LTE cellular interfaces to the Internet through the LTE network, you must set
the connection parameters of LTE cellular interfaces.

Pre-configuration Tasks

Before setting the connection parameters of LTE cellular interfaces, complete the following
tasks:

1. Ensuring that an available LTE network covers the required region


2. Buying the LTE service and obtaining SIM cards that support the LTE service from the
carrier
3. Ensuring that the LTE data cards and SIM cards are available

Procedure

Follow the steps to set the connection parameters of LTE cellular interfaces. You can perform
Configuring an APN Profile (A Single SIM Card and A Single APN), Configuring an APN Profile (A Single SIM Card
and Dual APNs), and Configuring APN Profiles (Dual SIM Cards and a Single APN) in any sequence. Other
steps must be performed in sequence.

(Optional) Configuring the Default APN


Selecting a PLMN
(Optional) Configuring the Service Domain
(Optional) Manually Configuring Frequency Bands
Configuring a Network Connection Mode
Configuring an APN Profile (A Single SIM Card and A Single APN)
Configuring an APN Profile (A Single SIM Card and Dual APNs)
Configuring APN Profiles (Dual SIM Cards and a Single APN)
Configuring the MTU
Checking the Configuration

7.3.3.13.7.1 (Optional) Configuring the Default APN
Context

Some carriers require that devices connect to LTE networks through the default APN, whereas
other carriers do not have such requirements. You can determine whether to configure the default
APN for an LTE network based on the carrier's requirements. By default, no default APN is
configured for an LTE network.

NOTE:

This configuration is not supported on the LTE data card E8278.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

profile create lte-default apn [ user username password password authentication-mode { chap | pap } ]

The default APN is configured for an LTE network.

By default, no default APN is configured for an LTE network.

To delete the default APN configured for an LTE network, run the profile delete lte-default
command.

7.3.3.13.7.2 Selecting a PLMN


Context

You can manually select a Public Land Mobile Network (PLMN) for an LTE data card or
configure the data card to automatically select a PLMN.

By default, an LTE data card automatically selects a PLMN. If you have subscribed to LTE
services and obtained the mobile country code (MCC) and mobile network code (MNC), you can
manually select a PLMN.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

plmn search

The PLMN is searched for.

4. Configure the PLMN selection mode.


o Run the plmn auto command to configure the data card to automatically select a
PLMN.
o Run the plmn select manual mcc mnc [ fail-over-auto ] command to manually
select a PLMN.

By default, an LTE data card automatically selects a PLMN.



7.3.3.13.7.3 (Optional) Configuring the Service Domain
Context

The 3G network supports both the CS domain and PS domain. The LTE network supports only
the PS domain. To prevent services in the CS domain from changing the network from an LTE
network to a 3G network, you can configure an LTE modem to work only in the PS domain
when it connects to an LTE network.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

service domain { ps-only | combined }

The service domain is configured for the LTE modem.

By default, an LTE modem works in both the CS domain and PS domain.

NOTE:

You can run the service domain ps-only command to configure an LTE modem to work
only in the PS domain when it connects to an LTE network.


7.3.3.13.7.4 (Optional) Manually Configuring Frequency Bands
Context

GSM/WCDMA/LTE networks of network carriers can provide multiple frequency bands for user
access. When the frequency band of a GSM/WCDMA/LTE network changes after LTE cellular
interfaces are connected to the GSM/WCDMA/LTE network, the LTE data card automatically
adjusts the frequency band accordingly, which affects stability of LTE links.

When the frequency band of a GSM/WCDMA/LTE network that you access is fixed, you can set
the frequency band of the GSM/WCDMA/LTE network that LTE cellular interfaces are
connected to. This prevents frequency band changes caused by frequency interference and
ensures LTE link stability.

Procedure

• Manually configuring the frequency band of a GSM network


1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

band gsm { gsm1800 | gsm1900 | gsm850 | gsm900 }*

The frequency band of the GSM network that LTE cellular interfaces are
connected to is manually configured.

By default, LTE cellular interfaces automatically select a frequency band to
connect to the GSM network.

• Manually configuring the frequency band of a WCDMA network

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

band wcdma { wcdma1900 | wcdma2100 | wcdma850 | wcdma900 | AWS }*

The frequency band of the WCDMA network that LTE cellular interfaces are
connected to is manually configured.

By default, LTE cellular interfaces automatically select a frequency band to
connect to the WCDMA network.

• Manually configuring the frequency band of an LTE network


1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

band lte { band1 | band2 | band3 | band4 | band5 | band7 | band8 | band17 | band20 | band38 | band39 | band40 | band41 }*

The frequency band of the LTE network that LTE cellular interfaces are
connected to is manually configured.

By default, LTE cellular interfaces automatically select a frequency band to
connect to the LTE network.


7.3.3.13.7.5 Configuring a Network Connection Mode
Context

LTE cellular interfaces can connect to the 3G or LTE network only when the 3G or LTE network
connection mode is configured for an LTE modem based on the type of the network provided by
the carrier. If the 3G or LTE network connection mode configured for an LTE modem is
inconsistent with the network type provided by the carrier, configure a correct network
connection mode.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

mode lte { auto | gsm-only | lte-only | umts-gsm | umts-only | wcdma-gsm | wcdma-only }

The 3G or LTE network connection mode is configured for an LTE modem.

By default, the 3G or LTE network connection mode is auto for an LTE modem.

7.3.3.13.7.6 Configuring an APN Profile (A Single SIM Card and A Single APN)
Context

An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.

You can create an APN profile to configure an APN. In the scenario where a single SIM card
and a single APN are available, create an APN profile and bind the profile to an LTE cellular
interface so that the APN can be used to access the Internet for data communication.

Procedure

1. Create an APN profile.

NOTE:

You are advised to create an APN profile to configure an APN. You are not advised to
run the profile create profile-number { dynamic | static apn } command in the LTE
cellular interface view to configure an APN by creating a 3G modem parameter profile.

a. Run:

system-view

The system view is displayed.

b. Run:

apn profile profile-name

An APN profile is created and the APN profile view is displayed.

By default, no APN profile is created.

c. Run:

apn apn-name

An APN profile is configured.

By default, no APN is configured in the APN profile. During LTE dial-up, apn
profile name specifies an access point name (APN) user name.
NOTE:

• APNs are provided by the carrier.
• Generally, China Mobile provides the APN CMNET, China Telecom
provides the APN CTLTE, and China Unicom provides the APN 3GNET.
• After an APN is configured, it is permanently recorded in an LTE data
card. If the APN changes, reconfigure it.

d. (Optional) Run:

user name username password { cipher | simple } password [ authentication-mode { auto | pap | chap } ]

The user name, password, and authentication mode for accessing the external
PDN network are configured.

By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.

Contact the carrier when configuring the user name, password, and authentication
mode.

NOTE:

• Select a proper authentication mode based on the carrier network. PAP
authentication provides lower security. When you specify auto or pap to
enable the device to use PAP authentication, the password is transmitted in
plain text on the network. This brings potential security risks.
• When you specify simple, the password is saved in plain text in the
configuration, which brings potential security risks. You are advised to
specify cipher to save the password in cipher text.

e. Run:

quit

Return to the system view.

2. Bind the APN profile to an LTE cellular interface.


a. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

b. Run:

apn-profile profile-name [ track nqa { admin-name test-name }&<1-2> ]


The APN profile is bound to the LTE cellular interface.

By default, no APN profile is bound to the LTE cellular interface.

If track nqa is specified, the device performs an NQA probe on the LTE network
when the dial-up initiated through an LTE cellular interface succeeds. The device
terminates the LTE link after three consecutive NQA probe failures. Additionally,
you can run the dialer timer probe-interval command to set the NQA probe interval.


7.3.3.13.7.7 Configuring an APN Profile (A Single SIM Card and Dual APNs)
Context

An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.

You can create an APN profile to configure an APN. In the scenario where a single SIM card
and dual APNs are available, create two APN profiles and bind the APN profiles respectively to
the two LTE channel interfaces configured for an LTE cellular interface. One APN connects to
the Internet for data communication, and the other connects to the IMS network for VoIP
communication.

Procedure

1. Create an APN profile.


a. Run:

system-view

The system view is displayed.

b. Run:

apn profile profile-name

An APN profile is created and the APN profile view is displayed.


By default, no APN profile is created.

c. Run:

apn apn-name

An APN profile is configured.

By default, no APN is configured in the APN profile.

NOTE:

• APNs are provided by the carrier.
• Generally, China Mobile provides the APN CMNET, China Telecom
provides the APN CTLTE, and China Unicom provides the APN 3GNET.
• After an APN is configured, it is permanently recorded in an LTE data
card. If the APN changes, reconfigure it.

d. (Optional) Run:

user name username password { cipher | simple } password [ authentication-mode { auto | pap | chap } ]

The user name, password, and authentication mode for accessing the external
PDN network are configured.

By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.

Contact the carrier when configuring the user name, password, and authentication
mode.

NOTE:

• Select a proper authentication mode based on the carrier network. PAP
authentication provides lower security. When you specify auto or pap to
enable the device to use PAP authentication, the password is transmitted in
plain text on the network. This brings potential security risks.
• When you specify simple, the password is saved in plain text in the
configuration, which brings potential security risks. You are advised to
specify cipher to save the password in cipher text.

e. Run:

quit

Return to the system view.


NOTE:

You need to repeat this step to create multiple APN profiles for accessing different
external PDN networks.

2. Enable the multi-APN function.

a. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

b. Run:

multi-apn enable

The multi-APN function is enabled on the LTE cellular interface.

By default, the multi-APN function is disabled on an LTE cellular interface.

c. Run:

quit

Return to the system view.

3. Bind the APN profiles to the LTE channel interfaces.


a. Run:

interface cellular interface-number

The LTE channel interface view is displayed.

b. Run:

apn-profile profile-name [ track nqa { admin-name test-name }&<1-2> ]

The APN profiles are bound to the LTE channel interfaces.

By default, no APN profile is bound to an LTE channel interface.

If track nqa is specified, the device performs an NQA probe on the LTE network
when the dial-up initiated through an LTE channel interface succeeds. The device
terminates the LTE link after three consecutive NQA probe failures. Additionally,
you can run the dialer timer probe-interval command to set the NQA probe interval.

NOTE:

You need to repeat this step to bind APN profiles to another 3G channel interface.

Follow-up Procedure

The two APNs share uplink bandwidth on the LTE cellular interface. QoS is required to schedule
services based on APNs. For example, if one APN is used to transmit voice services and the
other APN is used to transmit data services, voice services must be transmitted with a higher
priority. You must configure QoS on the LTE cellular interface to ensure that voice services are
preferentially scheduled. For details on how to configure QoS, see Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series Enterprise
Routers Configuration Guide - QoS.


7.3.3.13.7.8 Configuring APN Profiles (Dual SIM Cards and a Single APN)
Context

An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.

You can create an APN profile to configure an APN. In the scenario where dual SIM cards and a
single APN are available, you can create two APN profiles, bind one to the master SIM card and
the other to the backup SIM card, and bind the two APN profiles to the same LTE cellular
interface. The two SIM cards connect to different LTE networks. If dial-up fails because the
account balance of the master SIM card is insufficient, the master SIM card is faulty, the LTE
link signal quality is poor, or the connected LTE network is faulty, traffic is automatically
switched to the backup SIM card, ensuring uninterrupted enterprise services.

NOTE:

The master and backup SIM cards cannot simultaneously work. Upon a SIM card switchover,
traffic is interrupted for a short period.

Procedure

1. Creating an APN profile


a. Run:

system-view
The system view is displayed.

b. Run:

apn profile profile-name

An APN profile is created and the APN profile view is displayed.

By default, no APN profile is created.

c. Run:

apn apn-name

The APN is configured.

By default, no APN is configured in the APN profile.

NOTE:

• APNs are provided by the carrier.
• Generally, China Mobile provides the APN CMNET, China Telecom
provides the APN CTLTE, and China Unicom provides the APN 3GNET.
• After an APN is configured, it is permanently recorded in an LTE data
card. If the APN changes, reconfigure it.

d. Run:

sim-id sim-id

The SIM card ID is set to specify the master or backup SIM card to which the
APN profile is bound.

The default ID of a SIM card is 1.

sim-id can be 1 or 2.

• The value 1 indicates that the APN profile is bound to the master SIM
card.
• The value 2 indicates that the APN profile is bound to the backup SIM
card.

e. (Optional) Run:

user name username password { cipher | simple } password [ authentication-mode { auto | pap | chap } ]

The user name, password, and authentication mode for accessing the external
PDN network are configured.
By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.

Contact the carrier when configuring the user name, password, and authentication
mode.

NOTE:

• Select a proper authentication mode based on the carrier network. PAP
authentication provides lower security. When you specify auto or pap to
enable the device to use PAP authentication, the password is transmitted in
plain text on the network. This brings potential security risks.
• When you specify simple, the password is saved in plain text in the
configuration, which brings potential security risks. You are advised to
specify cipher to save the password in cipher text.

f. Run:

quit

Return to the system view.

NOTE:

After the APN profile to be bound to the master SIM card is created, you need to repeat
Creating an APN profile to create an APN profile to be bound to the backup SIM card.

2. Binding the APN profiles to the LTE cellular interface

a. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

b. Run:

apn-profile profile-name priority priority track nqa { admin-name test-name }&<1-2>

The APN profiles are bound to the LTE cellular interfaces.

By default, no APN profile is bound to the LTE cellular interface.

For the parameter priority, a larger value indicates a higher priority. When dual
SIM cards are available, you are advised to set the priority of the APN profile
bound to the master SIM card to higher than that of the APN profile bound to the
backup SIM card.

NOTE:
After an APN profile is bound to the master SIM card, you need to repeat this step
to bind another APN profile to the backup SIM card.

c. Run:

sim switch rssi-threshold rssi-threshold

The SIM cards are configured with automatic switchover based on the RSSI
threshold.

By default, an LTE cellular interface does not switch between SIM cards based on
the RSSI threshold.

d. (Optional) Run:

sim switch-back enable [ timer time ]

Traffic is automatically switched from the backup SIM card back to the master
SIM card.

By default, traffic on the backup SIM card is not automatically switched back to
the master SIM card.

Follow-up Procedure

When automatic SIM card switchover is not configured or the switchover condition is not met,
you can run the sim switch to sim-id command in the LTE cellular interface view to manually
switch between SIM cards.
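
The notes on password storage (simple or cipher) and authentication mode (auto, pap or chap) in the three APN profile procedures above (single SIM card and single APN, single SIM card and dual APNs, dual SIM cards and single APN) can be checked against a saved configuration. The following Python script is an added example, not part of this guide or of Huawei's software: it flags APN profiles that store the password in plain text or allow PAP, and lists the cellular interfaces each flagged profile is bound to. The configuration layout, profile names, priorities and credentials in the sample are constructed assumptions; only the command syntax comes from this guide.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample, not taken from a real device. Assumed layout: one command
# per line, '#' between views, sub-commands indented. Command syntax follows
# this guide; profile names, user names and secrets are placeholders.
SAMPLE_CONFIG = """\
#
apn profile main-sim
 apn CMNET
 sim-id 1
 user name branch01 password cipher EXAMPLE-CIPHERTEXT authentication-mode chap
#
apn profile backup-sim
 apn 3GNET
 sim-id 2
 user name branch01 password simple Example-Pass-1 authentication-mode auto
#
apn profile unused
 apn CTLTE
 user name lab password cipher EXAMPLE-CIPHERTEXT authentication-mode pap
#
interface Cellular0/0/0
 dialer enable-circular
 apn-profile main-sim priority 120 track nqa admin1 test1
 apn-profile backup-sim priority 100 track nqa admin2 test2
#
"""

# user name <u> password { cipher | simple } <p> [ authentication-mode { auto | pap | chap } ]
USER_RE = re.compile(
    r"user name \S+ password (?P<store>cipher|simple) \S+"
    r"(?: authentication-mode (?P<mode>auto|pap|chap))?$", re.IGNORECASE)

@dataclass
class ApnProfile:
    name: str
    apn: Optional[str] = None
    sim_id: int = 1               # the guide gives 1 as the default SIM card ID
    store: Optional[str] = None   # "cipher" or "simple"
    mode: Optional[str] = None    # "auto", "pap", "chap"; None if omitted

@dataclass
class Finding:
    profile: str
    code: str
    detail: str
    interfaces: list = field(default_factory=list)

def parse_config(text):
    """Return ({profile name: ApnProfile}, [(interface, profile name), ...])."""
    profiles, bindings, view = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                        # view separator
            view = None
        elif not raw[0].isspace():             # top-level command opens a view
            view = None
            if m := re.match(r"apn profile (\S+)$", line, re.I):
                view = ("apn", m.group(1))
                profiles.setdefault(m.group(1), ApnProfile(m.group(1)))
            elif m := re.match(r"interface (cellular\S+)$", line, re.I):
                view = ("if", m.group(1))
        elif view and view[0] == "apn":        # inside an APN profile view
            prof = profiles[view[1]]
            if m := re.match(r"apn (\S+)$", line, re.I):
                prof.apn = m.group(1)
            elif m := re.match(r"sim-id ([12])$", line, re.I):
                prof.sim_id = int(m.group(1))
            elif m := USER_RE.match(line):
                prof.store = m["store"].lower()
                prof.mode = m["mode"].lower() if m["mode"] else None
        elif view and view[0] == "if":         # inside a cellular interface view
            if m := re.match(r"apn-profile (\S+)", line, re.I):
                bindings.append((view[1], m.group(1)))
    return profiles, bindings

def audit(text):
    """Flag the two risks the guide's notes name; the password is never echoed."""
    profiles, bindings = parse_config(text)
    findings = []
    for p in profiles.values():
        bound = [ifname for ifname, pname in bindings if pname == p.name]
        tag = f"SIM {p.sim_id}, APN {p.apn}"
        if p.store == "simple":
            findings.append(Finding(p.name, "PLAINTEXT_STORED",
                f"{tag}: password saved in plain text; specify cipher", bound))
        if p.mode in ("pap", "auto"):
            findings.append(Finding(p.name, "PAP_POSSIBLE",
                f"{tag}: authentication-mode {p.mode} allows PAP, which sends "
                "the password in plain text", bound))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        scope = ", ".join(f.interfaces) or "not bound to any interface"
        print(f"[{f.code}] profile {f.profile} ({scope}) - {f.detail}")
```

Findings on a profile that is bound to an interface matter first, because those credentials are actually used for dial-up; the unbound profile is still reported so that it is not bound later unchanged.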


7.3.3.13.7.9 Configuring the MTU


Context

The size of data packets is limited at the network layer. Upon receiving an IP packet to be sent,
the network layer checks to which local interface the packet needs to be sent and obtains the
maximum transmission unit (MTU) configured on the interface. Then the network layer
compares the MTU with the packet length. If the packet length is longer than the MTU, the
network layer splits the packet into fragments, each no longer than the MTU.

• If the MTU is too small whereas the packet size is large, the packet is split into many
fragments. Therefore, the packet may be discarded due to insufficient QoS queue length.
• If the MTU is too large, packets are transmitted slowly or even lost.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view or LTE channel interface view is displayed.

3. Run:

mtu mtu

The MTU is configured for the LTE cellular interfaces or LTE channel interfaces.

By default, the MTU is 1500 bytes for the LTE cellular interfaces or LTE channel
interfaces.


7.3.3.13.7.10 Checking the Configuration


Procedure

• Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about call sessions on the LTE modem.
• Run the display interface cellular [ interface-number ] command to check the running status
and statistics of LTE cellular interfaces.


7.3.3.13.8 Configuring C-DCC for Dial-up Connection
To use LTE cellular interfaces to connect to an LTE network, you must configure circular dial
control center (C-DCC) for dial-up connection.

Context

Based on the triggering mode, LTE link dial-up modes can be classified into the
following types:

• Automatic dial-up (permanently online)

The DCC attempts to dial the PGW immediately after the device starts. The dialing
process does not need to be triggered by data packets. If a connection cannot be
established with the PGW, the DCC retries at an interval.

This mode applies to the scenarios in which users are not charged based on traffic or
time. For example, if a yearly-package service is used, users are not charged based on
link traffic or time within the service duration.

• Dial-on-demand (not permanently online; link establishment triggered by traffic)

The device triggers link establishment only when data needs to be transferred. When the
time during which no traffic is transmitted on the link exceeds the timeout duration, the
device disconnects the link to reduce traffic volume.

This mode applies to the scenarios in which users are charged based on traffic or time.
For example, if a traffic-package service is used, users are allowed to use certain traffic
within the service duration.

Based on different link-layer protocols used by an LTE link, the LTE link dial-up modes can be
classified into the following types:

• PPP dial-up: In this mode, PPP is used as the link-layer protocol and the LTE link obtains
an IP address through PPP negotiation (configured using the ip address ppp-negotiate
command).
• WWAN dial-up: In this mode, WWAN is used as the link-layer protocol and the LTE
link dynamically obtains an IP address (configured using the ip address negotiate
command).

Pre-configuration Tasks

Before configuring C-DCC for dial-up connection, complete the following tasks:

1. Setting connection parameters of LTE cellular interfaces


2. Obtaining dialer numbers from the carrier

Procedure

1. Configure a dialer control list.

NOTE:

This step configures on-demand dialing.

a. Run:

system-view

The system view is displayed.

b. Run:

dialer-rule

The dialer rule view is displayed.

c. Run:

dialer-rule dialer-rule-number { acl { acl-number | name acl-name } | ip { deny | permit } | ipv6 { deny | permit } }

A dialer control list is specified for a dialer access group to define conditions for
initiating calls.

d. Run:

quit

Return to the system view.

2. Enable C-DCC.
a. Run:

interface cellular interface-number


An LTE cellular or LTE channel interface is created and the interface view is
displayed.

When the multi-APN function is configured, the LTE channel interface view is
displayed; otherwise, the LTE cellular interface view is displayed.

b. Run:

dialer enable-circular

C-DCC is enabled, and the dialer number and IP address are assigned automatically.

By default, the C-DCC function is disabled on an interface.

c. Run:

dialer-group group-number

The dialer access group is configured for the dialer interface.

By default, no dialer group is configured.

NOTE:

Make sure that the value of group-number in the dialer-group command is the same
as that of dialer-rule-number in the dialer-rule command.

d. (Optional) Run:

rssi-threshold rssi-threshold

The received signal strength indicator (RSSI) threshold is set for successfully
establishing LTE links.

By default, an LTE data card does not establish an LTE link based on the RSSI
threshold.

3. Obtain IP addresses.
o When two LTE data cards are used to connect to the Internet through dual
uplinks, the LTE links use the PPP dial-up mode.
a. Run:

ip address ppp-negotiate

The local interfaces are configured to obtain IP addresses assigned by the
peer through PPP negotiation.
o For other scenarios, the WWAN dial-up mode is used.

Run:

ip address negotiate

The LTE cellular interfaces or LTE channel interfaces are configured to
dynamically obtain IP addresses.

4. Run:

dialer number dial-number [ autodial ]

A dialer number is configured.

Obtain the dialer number from the carrier.

The autodial parameter indicates the automatic dial-up mode. By default, the automatic
dial-up interval is 300 seconds. You can run the dialer timer autodial command to set the
automatic dial-up interval. If the autodial parameter is not specified in the command, the
dial-on-demand mode is used.

5. Run:

quit

Return to the system view.

6. Run:

ip route-static 0.0.0.0 0 { nexthop-address | interface-type interface-number } [ preference preference ]

A default route is configured.

Checking the Configuration

• Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about all call sessions on the LTE data card.

7.3.3.13.9 Configuring PIN Management
The personal identification number (PIN) of a SIM card ensures security of the SIM card.

Context

A PIN identifies the user of the SIM card and prevents unauthorized access to the SIM card.

If a user enters incorrect PINs three consecutive times, the PIN is locked to protect security of
the SIM card. To unlock the PIN, enter the PIN unblocking key (PUK).

NOTE:

A PIN is a decimal integer of 4 to 8 digits. Obtain the initial PIN from the carrier.

PUKs are provided by carriers. If a user enters incorrect PUKs ten consecutive times, the SIM
card is permanently locked and the user needs to obtain a new one from the carrier.

Procedure

• Enabling PIN authentication

PIN authentication prevents unauthorized users from using a SIM card. A user can use an
LTE modem only after the PIN is authenticated. If PIN authentication is disabled, anyone
can use the SIM card.

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

pin verification enable [ auto ]

PIN authentication is enabled for an LTE modem.

By default, PIN authentication is disabled.


In this step, you must enter a PIN to enable PIN authentication for the LTE
modem.

• Authenticating a PIN

After PIN authentication is enabled for an LTE modem, the PIN must be authenticated
every time you start the SIM card. If PIN authentication fails, the LTE modem cannot
provide data communication functions.

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

pin verify [ auto ]

The PIN is authenticated.

In this step, you must enter the PIN. When the message "PIN has been verified
successfully." is displayed, the PIN has been authenticated.

• Changing a PIN

After PIN authentication is enabled, you are advised to change the PIN periodically to
improve the SIM card security.

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.


3. Run:

pin modify

The PIN is changed.

In this step, you must enter the old PIN and enter a new PIN twice. When the
message "PIN has been changed successfully." is displayed, the PIN has been
changed.

• Using the PUK to unlock a SIM card


1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

pin unlock

The PUK is configured to unlock the SIM card.

In this step, you must enter the PUK and enter a new PIN twice. When the
message "Warning: PIN will be unlocked and changed. Continue? [Y/N]:" is
displayed, enter Y. When the message "PIN has been unlocked and changed
successfully." is displayed, the SIM card has been unlocked.

Checking the Configuration

• Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about all call sessions on the LTE modem.

7.3.3.13.10 (Optional) Configuring the Function of Receiving and Sending SMS Messages
You can configure the function of receiving and sending short message service (SMS) messages
so that the device and users can exchange SMS messages.

Context

The device can use the SMS to send SMS messages to users and save SMS messages received
from users in the SIM card. You can check received SMS messages on the device. If the number
of SMS messages saved in the SIM card exceeds the maximum number, you can delete the SMS
messages.

Procedure

• Sending SMS messages

The device can use the SMS to send SMS messages to a user with a specified mobile
number. You need to specify the short message center (SMC) number when configuring
the device to send SMS messages.

1. Run:

system-view

The system view is displayed.

2. Run:

sms send interface cellular interface-number destination-telephone-number

An SMS message is sent to a specified destination number.

3. Run:

interface cellular interface-number

The cellular interface view is displayed.

4. Run:

sms service-center-address service-center-number


The SMC number is configured on the cellular interface.

By default, no SMC number is configured on the cellular interface.

• Receiving SMS messages

The device saves SMS messages received from users in the SIM card. You can check and
delete received SMS messages.

o Check received SMS messages.

Run:

display sms interface cellular interface-number { brief | id sms-id | verbose }

Received SMS messages are displayed.

o Delete received SMS messages.


1. Run:

system-view

The system view is displayed.

2. Run:

sms delete interface cellular interface-number { sms-id | all }

SMS messages saved in the SIM card are deleted.

Checking the Configuration

• Run the display sms interface cellular interface-number statistics command to check
statistics about SMS messages.


7.3.3.13.11 (Optional) Configuring the SMS Alarm Function
After the short message service (SMS) alarm function is configured, a short message with the
specified content can be sent to notify specific users of the service interface status change.

Context

The device can send short messages to users' mobile phones through SMS.

In the scenario of active/standby interface backup, when the active and standby links are
switched, the active/standby interface status changes. Users can view the alarm on the device to
learn of the interface status change. If users want to be notified of the interface status change
anytime and anywhere, configure the SMS alarm function on the service interface. After the
function is configured, the alarm about the interface status change is sent to users in a short
message.

For example, a user connects to the Internet through an ADSL interface (active link) and a
cellular interface (standby link). When the active link is faulty and services are switched to the
standby link after the SMS alarm function is configured, a short message can be immediately
sent to specific users. When the standby link is working properly and services are not switched
back to the active link within the specified time, a short message can be sent to specific users
again. If services are switched back to the active link within the specified time, no short message
needs to be sent again.

Procedure

1. Configure an SMS service pool.

An SMS service pool contains the preset SMS services, user phone numbers specified to
receive short messages, and short message content.

a. Run:

system-view

The system view is displayed.

b. Run:

sms-pool

The SMS service pool view is displayed.

c. Run:

sms item item-id telephone-number tel-number &<1-3> content

The phone numbers specified to receive short messages, and short message
content are configured in the SMS service pool.
By default, no SMS service is configured in the SMS service pool.

A maximum of 20 SMS services can be configured in an SMS service pool. Each
SMS service can be preset with 3 phone numbers. Each short message can contain
at most 160 characters. The short message content is configured to end with %.

d. Run:

quit

Return to the system view.

2. Configure the SMS alarm function.

Configure the SMS alarm function, specify the triggering condition for sending short
messages, and invoke the preset SMS service in the SMS service pool to send specified
short messages to specific users.

a. Run:

system-view

The system view is displayed.

b. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

c. Run:

sms send-item item-id track-interface { up | down } [ after time ]

The preset short message is sent to specific users when the LTE cellular interface
status changes.

By default, the SMS alarm function is not configured on an interface.

If after time is not configured, a short message is sent immediately when the
interface status changes. If after time is configured, a short message is sent only
when the interface status changes and remains unchanged within the value of
time. This configuration prevents the device from frequently sending short
messages when frequent Up/Down status changes occur on an interface.

NOTE:
Before running this command, ensure that the SMS service with a specified ID is
configured using the sms item command.

Currently, the SMS alarm function can be configured on interfaces only when
cellular, ATM, and serial interfaces are used as the active and standby interfaces.

This command can be run on each interface at most four times, and the latest
configuration does not override the previous ones.

d. Run:

sms service-center-address service-center-number

The SMS center number is configured on the LTE cellular interface.

By default, no SMS center number is configured on a cellular interface.

Checking the Configuration

 Run the display sms send-history command to view records of sent short messages saved in
the memory.
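
The effect of after time on a flapping interface can be seen by replaying a timeline of status changes against a set of send-item rules. The following Python sketch is an added illustration, not Huawei code: the SendItem model, the item IDs and the timeline are constructed for the example, and it assumes the message goes out when the hold time expires with the status still unchanged.

```python
from dataclasses import dataclass

MAX_RULES_PER_INTERFACE = 4  # the command can be run at most four times per interface


@dataclass(frozen=True)
class SendItem:
    """Model of one 'sms send-item item-id track-interface {up|down} [after time]'."""
    item_id: int
    track: str      # "up" or "down"
    after: int = 0  # hold time in seconds; 0 models the command without 'after time'


def collapse(changes):
    """Drop entries that repeat the previous status, so only real changes remain."""
    out = []
    for t, state in changes:
        if not out or out[-1][1] != state:
            out.append((t, state))
    return out


def sms_sent(rules, changes, end_time):
    """Return [(send_time, item_id)] for one interface.

    changes:  time-ordered [(seconds, "up" | "down")] status changes.
    end_time: end of the observation window; the last status holds until then.
    """
    if len(rules) > MAX_RULES_PER_INTERFACE:
        raise ValueError("more than four send-item rules on one interface")
    changes = collapse(changes)
    sent = []
    for i, (t, state) in enumerate(changes):
        # The status entered at t lasts until the next change (or end_time).
        held_until = changes[i + 1][0] if i + 1 < len(changes) else end_time
        for rule in rules:
            # Rules do not override each other: every matching rule is evaluated.
            if rule.track == state and held_until - t >= rule.after:
                sent.append((t + rule.after, rule.item_id))
    return sorted(sent)


# Constructed scenario: the cellular interface is the standby link.
RULES = [SendItem(item_id=1, track="up"),              # failover notice, immediate
         SendItem(item_id=2, track="up", after=300)]   # "still on backup" reminder
TIMELINE = [(100, "up"), (130, "down"), (400, "up")]   # brief flap, then a real outage

if __name__ == "__main__":
    for when, item in sms_sent(RULES, TIMELINE, end_time=2000):
        print(f"t={when:>4}s  send SMS item {item}")
```

The 30-second flap produces only the immediate notice; the reminder is sent once, 300 seconds into the second outage.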


7.3.3.13.12 Maintaining LTE Cellular Interfaces
Maintaining LTE cellular interfaces includes restarting LTE data cards and clearing statistics.

Restarting an LTE Modem Manually
Automatically Restarting an LTE Modem
Using an NQA Test Instance to Detect a 3G or LTE Link
Restarting an LTE Modem After Several Consecutive Dial-up Failures
Clearing Statistics on LTE Cellular Interfaces
Enabling the WWAN Log Function

7.3.3.13.12.1 Restarting an LTE Modem Manually
Context

An LTE modem restarts automatically when it detects an exception. If the LTE modem cannot
automatically restart, you can manually restart it.

NOTE:

The SIM card is not hot swappable. To ensure that the installed SIM card works properly,
manually restart the LTE modem after hot swapping the SIM card.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

modem reboot

The LTE modem is manually restarted.

NOTE:

After you manually restart the LTE modem, the services on the LTE cellular interface are
interrupted.


7.3.3.13.12.2 Automatically Restarting an LTE Modem
Context

When an LTE modem is not attached to a Packet Switch (PS) domain, you can configure an LTE
modem to automatically restart and set the interval at which the LTE modem automatically
restarts. Then the LTE modem automatically restarts and starts dialing until it is attached to a PS
domain.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

packet-service recover interval

An LTE modem is configured to automatically restart and the interval at which an LTE
modem automatically restarts is set.

By default, an LTE modem does not automatically restart.


7.3.3.13.12.3 Using an NQA Test Instance to Detect a 3G or LTE Link
Context

When a 3G or LTE link is unstable because of weak 3G or LTE signals or interference, you may
fail to access external networks through the 3G or LTE link even if the dialup succeeds. To solve
this problem, configure the device to use an NQA test instance to detect the 3G or LTE link
status. When the 3G or LTE link is unstable, the device triggers an action to recover the 3G or
LTE link.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

modem auto-recovery track nqa admin-name test-name [ probe-cycle [ seconds ] period ]

The device is configured to use an NQA test instance to detect a 3G or LTE link.

By default, a device does not use an NQA test instance to detect a 3G or LTE link.

NOTE:

Only V200R007C00 supports the seconds parameter.

The NQA test instance used in this step must be an ICMP NQA test instance. For details
about how to configure such a test instance, see Configuring an ICMP Test Instance in the
Huawei AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - Network Management Configuration.

4. Run:

modem auto-recovery track action { plmn-search | modem-reboot | redial } fail-times times

The maximum number of 3G or LTE detection failures in an NQA test instance is set.
When the number of consecutive 3G or LTE link detection failures in an NQA test
instance reaches the maximum value, the device triggers an action to recover the 3G or
LTE link.

By default, the maximum number of 3G or LTE link detection failures in an NQA test
instance is not configured. That is, the device does not trigger an action to recover a 3G
or LTE link when 3G or LTE link detection fails for several consecutive times.

NOTE:

Only V200R007C00 supports the redial parameter.


7.3.3.13.12.4 Restarting an LTE Modem After Several Consecutive Dial-up Failures
Context

When the dial-up initiated through an LTE cellular interface fails multiple times, you can set the
maximum number of dial-up failures. When the number of consecutive dial-up failures reaches
the maximum value, the device restarts the LTE modem so that the fault can be rectified
automatically.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface cellular interface-number

The LTE cellular interface view is displayed.

3. Run:

modem auto-recovery dial action modem-reboot fail-times fail-times times


The maximum number of dial-up failures is set. When the number of consecutive dial-up
failures reaches the maximum value, the device restarts the LTE modem.

NOTE:

A maximum number of dial-up failures of less than 8 is recommended.


7.3.3.13.12.5 Clearing Statistics on LTE Cellular Interfaces
Context

To monitor the status of an LTE cellular interface or locate faults on the interface, collect traffic
statistics about the interface. Before collecting traffic statistics on an LTE cellular interface
within a period, delete the existing traffic statistics on this interface.

NOTICE:
Interface traffic statistics cannot be restored after being cleared. Exercise caution when you run
the reset counters interface cellular [ interface-number ] command.

Procedure

 Run the reset counters interface cellular [ interface-number ] command to clear the statistics
on the current LTE cellular interface.


7.3.3.13.12.6 Enabling the WWAN Log Function
Context

To view changes of the LTE signal strength, cell ID or network type in WWAN logs, you can
enable the WWAN log function.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

cellular log enable

The WWAN log function is enabled.

By default, the WWAN log function is disabled.

After enabling the WWAN log function, you can view changes of the LTE signal
strength, cell ID or network type in WWAN logs.

o When the LTE signal strength changes, the device records the
WWAN/5/WWAN_SINR_NORMAL or WWAN/5/WWAN_SINR_WEAK
log.
o When the cell ID changes, the device records the WWAN/5/WWAN_CELLID
log.
o When the network type changes, the device records the
WWAN/5/WWAN_NETWORK log.

NOTE:

Only V200R007C00 supports the WWAN/5/WWAN_SINR_NORMAL or
WWAN/5/WWAN_SINR_WEAK log.

3. (Optional) Run:

cellular log sinr-threshold sinr-threshold

The SINR threshold used to determine the LTE signal strength is set.

By default, the SINR threshold used to determine the LTE signal strength is 10 dB.
You can perform this step to change the SINR threshold used to determine the LTE
signal strength.

o If the strength of received LTE signals is greater than the SINR threshold 10
consecutive times, and the signal strength becomes normal, the device records the
WWAN/5/WWAN_SINR_NORMAL log.
o If the strength of received LTE signals is not greater than the SINR threshold 10
consecutive times, and the signal strength becomes weak, the device records the
WWAN/5/WWAN_SINR_WEAK log.

NOTE:

Only V200R007C00 supports this step.
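
The 10-consecutive-samples rule means a short dip in signal quality produces no log, and the chosen sinr-threshold decides how often the two SINR logs alternate. The following Python sketch is an added illustration of that rule, not device code: the sample trace is constructed, and the unknown starting state and the helper names are assumptions of the example.

```python
DEFAULT_SINR_THRESHOLD_DB = 10  # default threshold stated above
CONSECUTIVE_SAMPLES = 10        # "10 consecutive times"
LOG_NAME = {"normal": "WWAN/5/WWAN_SINR_NORMAL", "weak": "WWAN/5/WWAN_SINR_WEAK"}


def sinr_log_events(samples, threshold=DEFAULT_SINR_THRESHOLD_DB, state=None):
    """Return [(sample_index, log_name)] for a sequence of SINR readings in dB.

    state is "normal", "weak" or None; None (unknown at start) is an assumption
    of this sketch, so the first full run of 10 samples always produces a log.
    """
    events = []
    run_kind, run_len = None, 0
    for i, sinr in enumerate(samples):
        # "Greater than" counts toward normal; "not greater than" toward weak,
        # so a reading exactly at the threshold is a weak sample.
        kind = "normal" if sinr > threshold else "weak"
        run_len = run_len + 1 if kind == run_kind else 1
        run_kind = kind
        # A log is recorded only when a full run changes the current state.
        if run_len >= CONSECUTIVE_SAMPLES and state != kind:
            state = kind
            events.append((i, LOG_NAME[kind]))
    return events


def events_per_threshold(samples, thresholds):
    """Count logged transitions for each candidate sinr-threshold value."""
    return {th: len(sinr_log_events(samples, th)) for th in thresholds}


# Constructed trace (dB): steady signal, a 3-sample dip, recovery,
# a sustained weak period, then a partial recovery to 12 dB.
TRACE = [15] * 12 + [8] * 3 + [14] * 5 + [6] * 10 + [12] * 10

if __name__ == "__main__":
    for index, name in sinr_log_events(TRACE):
        print(f"sample {index:>2}: {name}")
    print(events_per_threshold(TRACE, [5, 10, 13]))
```

With the default threshold the 3-sample dip is ignored and three logs are recorded; raising the threshold to 13 dB keeps the interface in the weak state through the partial recovery.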


7.3.3.13.13 Configuration Examples


This section provides examples for configuring LTE cellular interfaces, including networking
requirements, networking diagrams, configuration roadmaps, and configuration procedures.

Example for Configuring an LTE Cellular Interface as the Primary Interface to Connect to the Internet
Example for Configuring an LTE Cellular Interface as the Backup Interface to Connect to the Internet
Example for Configuring LTE Cellular Interfaces as the Primary/Backup Interfaces to Connect to the Internet (Using Two 1LTE-L Interfaces Cards)
Configuring LTE Cellular Interfaces to Use the Multi-APN Function for Data and VoIP Communication
Example for Accessing Different LTE Networks Using Dual SIM Cards

7.3.3.13.13.1 Example for Configuring an LTE Cellular Interface as the Primary Interface to Connect to the Internet
Networking Requirements
A remote branch of the enterprise needs to exchange large volumes of service traffic with
external networks, but it cannot obtain the wired WAN access service. As shown in Figure 1, the
branch uses the Router as the egress gateway and uses an LTE cellular interface to connect to the
Internet through the LTE network, meeting service transmission requirements.

The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires that the Router assign IP addresses to branch intranet users and that the
users can access external networks.

The branch has subscribed to a yearly-package service and connects to the Internet in dial-
automatic mode. The branch obtains the following information from the carrier:

 APN: ltenet
 Dialer number: *99#

Figure 1 Networking diagram of configuring an LTE cellular interface as the primary interface
to connect to the Internet

Configuration Roadmap

The configuration roadmap is as follows:

1. Set the connection parameters of the LTE cellular interface.
2. Configure C-DCC for dial-up connection so that the LTE cellular interface can connect to
the LTE network.
3. Configure the enterprise intranet and configure the Router to assign IP addresses to
branch intranet users.
4. Configure the NAT function to allow branch intranet users to access external networks.
5. Configure a default route and specify the LTE cellular interface as the outbound interface
so that traffic from the branch intranet is forwarded to the Internet through the LTE
cellular interface.

NOTE:

After you run dialer enable-circular, the dialer number and IP address are assigned
automatically, and a dialer control list is not required.

Procedure

1. Set the connection parameters of the LTE cellular interface.

# Create an APN profile.


<Huawei> system-view
[Huawei] sysname Router
[Router] apn profile lteprofile
[Router-apn-profile-lteprofile] apn ltenet
[Router-apn-profile-lteprofile] quit

# Configure a network connection mode.

[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] mode lte auto

# Bind the APN profile to the LTE cellular interface.

[Router-Cellular0/0/0] dialer enable-circular
[Router-Cellular0/0/0] apn-profile lteprofile
[Router-Cellular0/0/0] shutdown
[Router-Cellular0/0/0] undo shutdown
[Router-Cellular0/0/0] quit

2. Configure C-DCC for dial-up connection.

# Configure a dialer control list.

[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit

# Obtain IP addresses dynamically.

[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] ip address negotiate

# Associate Cellular0/0/0 with the dialer control list.

[Router-Cellular0/0/0] dialer-group 1

NOTE:

Ensure that the group-number value in the dialer-group command is the same as the
dialer-rule-number value in the dialer-rule command.

# Configure the dialer number.

[Router-Cellular0/0/0] dialer number *99# autodial
[Router-Cellular0/0/0] quit

3. Configure the enterprise intranet.

# Create VLAN 10 and add Ethernet 2/0/0 to VLAN 10.

[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

# Enable DHCP.

[Router] dhcp enable

# Create a global address pool.

[Router] ip pool 4gpool
[Router-ip-pool-4gpool] network 192.168.100.0 mask 255.255.255.0
[Router-ip-pool-4gpool] gateway-list 192.168.100.1
[Router-ip-pool-4gpool] quit

# Configure the interface to work in global address pool mode.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 192.168.100.1 255.255.255.0
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit

4. Configure the NAT function.

[Router] acl number 3002
[Router-acl-adv-3002] rule 5 permit ip source 192.168.100.0 0.0.0.255
[Router-acl-adv-3002] quit
[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] nat outbound 3002
[Router-Cellular0/0/0] quit

5. Configure a default route and specify Cellular0/0/0 as the outbound interface.

[Router] ip route-static 0.0.0.0 0 cellular 0/0/0

6. Verify the configuration.

# View the interface status and traffic statistics. The command output shows that if traffic
is forwarded through the interface, both the physical layer status and link layer status of
the interface are Up and the IP address dynamically obtained by the interface is
20.1.1.2/24.

[Router] display interface cellular 0/0/0
Cellular0/0/0 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Cellular0/0/0 Interface
Route Port,The Maximum Transmit Unit is 1500, Hold timer is 10(sec)
Internet Address is 20.1.1.2/24
Current system time: 2011-06-08 11:35:23
Modem State: Present
Last 300 seconds input rate 555 bytes/sec 4440 bits/sec 12 packets/sec
Last 300 seconds output rate 11230 bytes/sec 89840 bits/sec 311 packets/sec
Input: 210 packets, 87205 bytes
Unicast: 200, Ununicast: 10
Output:225340 packets, 6760917 bytes
Unicast: 225300, Ununicast: 40
Input bandwidth utilization : 0.01%
Output bandwidth utilization : 0.01%

# View information about all call sessions on the LTE data card. The following command
output shows that the APN is ltenet, the network type is Automatic, and the network
connection mode is LTE(LTE).

<Huawei> display cellular 0/0/0 all


Modem State:
Hardware Information.
=====================
Model = E392
Modem Firmware Version = 11.833.15.00.000
Hardware Version = CD2E392UM
Integrate circuit card identity (ICCID) = 98681011274300909893
International Mobile Subscriber Identity (IMSI) = 460016002731442
International Mobile Equipment Identity (IMEI) = 861230010006485
Factory Serial Number (FSN) = T2Y01A9211900298
Modem Status = Online
Profile Information.
====================
Profile 1 = ACTIVE
--------
PDP Type = IPv4, Header Compression = OFF
Data Compression = OFF
Access Point Name (APN) = ltenet
Packet Session Status = Active
* - Default profile
Network Information.
====================
Current Service Status = Service available
Current Service = Combined
Packet Service = Attached
Packet Session Status = Active
Current Roaming Status = Home
Network Selection Mode = Automatic
Network Connection Mode = Automatic
Current Network Connection = LTE(LTE)
Mobile Country Code (MCC) = 460
Mobile Network Code (MNC) = 01
Mobile Operator Information = "CHN-CULTE"
Cell ID = 55924
Upstream Bandwidth = 50mbps
Downstream Bandwidth = 100mbps
Radio Information.
==================
Current Band = AUTO
Current RSSI = -55 dBm
Modem Security Information.
===========================
PIN Verification = Disabled
PIN Status = Ready
Number of Retries remaining = 3
SIM Status = OK

Example

Configuration file of the Router

#
 sysname Router
#
 vlan batch 10
#
 dhcp enable
#
acl number 3002
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
ip pool 4gpool
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
interface Vlanif10
 ip address 192.168.100.1 255.255.255.0
 dhcp select global
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Cellular0/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile lteprofile
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
#
dialer-rule
 dialer-rule 1 ip permit
#
apn profile lteprofile
 apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
#
return
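
The NOTE in step 2 requires the dialer-group number to match a dialer-rule number, and the same kind of name matching applies to the APN profile, the NAT ACL and the outbound interface of the default route. The following Python script is an added example, not part of the Huawei documentation, that checks a saved configuration file for such dangling references; the function names are hypothetical, the GOOD sample is abridged from the Router configuration file above, and the BAD variant is constructed.

```python
import re


def parse_sections(text):
    """Split a VRP configuration file into sections at the '#' separator lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return", ""):
            if current:
                sections.append(current)
            current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return sections


# Interface sub-commands that point at an object defined elsewhere in the file.
REFERENCES = [
    (r"dialer-group (\d+)$", "dialer-rule"),
    (r"apn-profile (\S+)$", "apn profile"),
    (r"nat outbound (\d+)$", "acl number"),
    (r"standby interface (\S+)$", "interface"),
]


def audit(text):
    """Return sorted findings for references to objects the file never defines."""
    defined = {"dialer-rule": set(), "apn profile": set(),
               "acl number": set(), "interface": set()}
    interfaces, routes = [], []
    for sec in parse_sections(text):
        head = sec[0]
        if head == "dialer-rule":
            for line in sec[1:]:
                if m := re.match(r"dialer-rule (\d+) ", line):
                    defined["dialer-rule"].add(m.group(1))
        elif m := re.match(r"(acl number|apn profile|interface) (\S+)$", head):
            defined[m.group(1)].add(m.group(2).lower())
            if m.group(1) == "interface":
                interfaces.append((m.group(2), sec[1:]))
        routes += [line for line in sec if line.startswith("ip route-static ")]
    findings = []
    for name, body in interfaces:
        for line in body:
            for pattern, kind in REFERENCES:
                m = re.match(pattern, line)
                if m and m.group(1).lower() not in defined[kind]:
                    findings.append(
                        f"{name}: '{line}' refers to undefined {kind} {m.group(1)}")
    for line in routes:
        tokens = line.split()
        out = tokens[4] if len(tokens) > 4 else ""  # token after destination and mask
        # Interface names are compared case-insensitively; IP next hops are skipped.
        if out[:1].isalpha() and out.lower() not in defined["interface"]:
            findings.append(f"route: '{line}' uses undefined interface {out}")
    return sorted(findings)


# Abridged copy of the Router configuration file shown above.
GOOD = """\
#
 sysname Router
#
acl number 3002
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
interface Cellular0/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile lteprofile
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
#
dialer-rule
 dialer-rule 1 ip permit
#
apn profile lteprofile
 apn ltenet
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
#
return
"""

# Constructed faulty variant: the interface binds the APN string instead of the
# profile name, and uses a dialer group that has no matching dialer-rule.
BAD = (GOOD.replace("apn-profile lteprofile", "apn-profile ltenet")
           .replace("dialer-group 1", "dialer-group 2"))

if __name__ == "__main__":
    for finding in audit(BAD):
        print(finding)
```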

7.3.3.13.13.2 Example for Configuring an LTE Cellular Interface as the Backup Interface to Connect to the Internet
Networking Requirements

As shown in Figure 1, Router is the egress gateway of the enterprise, and the VDSL interface
functions as the primary interface to connect to the Internet.

To ensure reliable access, the enterprise requires that the LTE cellular interface should function
as a backup interface to connect enterprise users to the Internet when the primary interface is
faulty.

NOTE:
The following figure shows only the access-side networking. Deploy devices on the aggregation
and core networks according to site requirements.
Figure 1 Networking diagram of configuring an LTE cellular link as the backup interface to
connect to the Internet

Configuration Roadmap

The configuration roadmap is as follows:


1. Configure the enterprise intranet and configure the Router as the enterprise's egress
gateway to assign IP addresses to enterprise intranet users.
2. Configure the VDSL interface as the uplink primary interface.
3. Configure the LTE cellular interface as the uplink backup interface.
4. Configure a default route so that traffic from the enterprise intranet is transmitted to the
Internet through the VDSL or LTE cellular interface.

Procedure

1. Configure the enterprise intranet.

<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 10
[Router-vlan10] quit
[Router] dhcp enable
[Router] interface vlanif 10
[Router-Vlanif10] ip address 192.168.100.1 255.255.255.0
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit
[Router] ip pool lan
[Router-ip-pool-lan] gateway-list 192.168.100.1
[Router-ip-pool-lan] network 192.168.100.0 mask 24
[Router-ip-pool-lan] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type hybrid
[Router-Ethernet2/0/0] port hybrid pvid vlan 10
[Router-Ethernet2/0/0] port hybrid untagged vlan 10
[Router-Ethernet2/0/0] quit

2. Configure the VDSL interface as the uplink primary interface.

NOTE:

This example only describes the configuration of the uplink primary interface. For details
about other uplink devices, see the related manuals.

[Router] acl number 3002
[Router-acl-adv-3002] rule 5 permit ip source 192.168.100.0 0.0.0.255
[Router-acl-adv-3002] quit
[Router] interface virtual-template 10
[Router-Virtual-Template10] ip address ppp-negotiate
[Router-Virtual-Template10] nat outbound 3002
[Router-Virtual-Template10] quit
[Router] interface atm 1/0/0
[Router-Atm1/0/0] pvc voip 1/35
[Router-atm-pvc-Atm1/0/0-1/35-voip] map ppp virtual-template 10
[Router-atm-pvc-Atm1/0/0-1/35-voip] quit
[Router-Atm1/0/0] standby interface cellular 0/0/0
[Router-Atm1/0/0] quit

3. Configure the LTE cellular interface as the uplink backup interface.

# In this example, set the dialer number to *99#.

# Use the APN specified by the carrier. In this example, set the APN to ltenet.

NOTE:

Before configuring the backup interface, ensure that the LTE data cards and SIM cards
are available.

This example only describes the configuration of the uplink backup interface. For details
about other uplink devices, see the related manuals.

[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router] apn profile ltenet
[Router-apn-profile-ltenet] quit
[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] ip address negotiate
[Router-Cellular0/0/0] dialer enable-circular
[Router-Cellular0/0/0] dialer-group 1
[Router-Cellular0/0/0] dialer timer idle 50
[Router-Cellular0/0/0] dialer number *99# autodial
[Router-Cellular0/0/0] nat outbound 3002
[Router-Cellular0/0/0] mode lte auto
[Router-Cellular0/0/0] apn-profile ltenet
[Router-Cellular0/0/0] shutdown
[Router-Cellular0/0/0] undo shutdown
[Router-Cellular0/0/0] quit

4. Configure a default route.

[Router] ip route-static 0.0.0.0 0.0.0.0 virtual-template 10 preference 40
[Router] ip route-static 0.0.0.0 0.0.0.0 cellular 0/0/0 preference 80

5. Verify the configuration.

# After the configuration is complete, run the display standby state command on the
Router to check the status of the primary and backup interfaces. The command output
shows that ATM1/0/0 is in Up state and Cellular0/0/0 is in Standby state.

[Router] display standby state
Interface                 Interfacestate Backupstate Backupflag Pri Loadstate
ATM1/0/0                  UP             MUP         MU
Cellular0/0/0             STANDBY        STANDBY     BU         0

Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED
----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State

----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State

----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State
# Run the shutdown command on ATM1/0/0 to simulate a link fault. Run the display
standby state command on the Router to check the status of the primary and backup
interfaces. The command output shows that ATM1/0/0 is in Down state and Cellular0/0/0
is in Up state, indicating that the backup interface has started.

[Router] interface atm 1/0/0
[Router-Atm1/0/0] shutdown
[Router-Atm1/0/0] quit
[Router] display standby state
Interface                 Interfacestate Backupstate Backupflag Pri Loadstate
ATM1/0/0                  DOWN           MDOWN       MU
Cellular0/0/0             UP             UP          BU         0

Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED

----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State

----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State

----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State

Configuration Files

Configuration file of the Router

#
 sysname Router
#
 vlan batch 10
#
 dhcp enable
#
acl number 3002
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
apn profile ltenet
#
ip pool lan
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
interface Vlanif10
 ip address 192.168.100.1 255.255.255.0
 dhcp select global
#
interface Ethernet2/0/0
 port hybrid pvid vlan 10
 port hybrid untagged vlan 10
#
interface Cellular0/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile ltenet
 dialer timer idle 50
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
#
interface Atm1/0/0
 pvc voip 1/35
  map ppp Virtual-Template10
 standby interface Cellular0/0/0
#
interface Virtual-Template10
 ip address ppp-negotiate
 nat outbound 3002
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Virtual-template10 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 80
#
return

7.3.3.13.13.3 Example for Configuring LTE Cellular Interfaces as the Primary/Backup Interfaces to Connect to the Internet (Using Two 1LTE-L Interfaces Cards)
Networking Requirements

A remote branch of the enterprise needs to exchange large volumes of service traffic with
external networks, but it cannot obtain the wired WAN access service. As shown in Figure 1, the
branch uses the RouterA as the egress gateway and uses an LTE cellular interface Cellular1/0/0
to connect to the Internet through LTE network 1, meeting service transmission requirements.

The enterprise leases a link connected to the Internet through LTE network 2 as the backup link,
so the backup link can transmit services when Cellular1/0/0 or LTE network 1 is faulty.

NOTE:

This example applies to the scenario where two 1LTE-L interface cards are used or one 1LTE-L
interface card and one E392 data card are used to connect to the Internet through dual uplinks. In
this scenario, two LTE links both use the WWAN dial-up mode.

In this example:

 For LTE network 1, the connection mode is LTE, the APN is ltenet1, and the dialer
number is *99#.
 For LTE network 2, the connection mode is AUTO, the APN is ltenet2, and the dialer
number is *98#.

Set the connection parameters based on the site requirements.


Figure 1 Networking diagram of configuring LTE cellular interfaces as the primary/backup
interfaces to connect to the Internet

Configuration Roadmap

The configuration roadmap is as follows:

1. Configure Cellular1/0/0 on RouterA to connect RouterA to the Internet through LTE
network 1.
2. Configure Cellular2/0/0 on RouterA to connect RouterA to the Internet through LTE
network 2.
3. Configure Cellular2/0/0 as the backup interface of Cellular1/0/0 so that traffic can be
switched to Cellular2/0/0 when Cellular1/0/0 is faulty.
4. Configure C-DCC to dial up to the Internet through the primary or backup link.
5. Configure a static route for communication at the network layer.

Procedure

1. Configure Cellular1/0/0.

# Create an APN profile.

<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] apn profile ltenet1
[RouterA-apn-profile-ltenet1] quit

# Obtain IP addresses dynamically.

[RouterA] interface cellular 1/0/0
[RouterA-Cellular1/0/0] ip address negotiate

# Configure a network connection mode.

[RouterA-Cellular1/0/0] mode lte lte-only

# Bind the APN profile to Cellular1/0/0.

[RouterA-Cellular1/0/0] dialer enable-circular
[RouterA-Cellular1/0/0] apn-profile ltenet1
[RouterA-Cellular1/0/0] shutdown
[RouterA-Cellular1/0/0] undo shutdown
[RouterA-Cellular1/0/0] quit

2. Configure Cellular2/0/0.

# Create an APN profile.

[RouterA] apn profile ltenet2
[RouterA-apn-profile-ltenet2] quit

# Obtain IP addresses dynamically.

[RouterA] interface cellular 2/0/0
[RouterA-Cellular2/0/0] ip address negotiate

# Configure a network connection mode.

[RouterA-Cellular2/0/0] mode lte auto

# Bind the APN profile to Cellular2/0/0.

[RouterA-Cellular2/0/0] dialer enable-circular
[RouterA-Cellular2/0/0] apn-profile ltenet2
[RouterA-Cellular2/0/0] shutdown
[RouterA-Cellular2/0/0] undo shutdown
[RouterA-Cellular2/0/0] quit

3. Configure Cellular2/0/0 as the backup interface of Cellular1/0/0.

[RouterA] interface cellular 1/0/0
[RouterA-Cellular1/0/0] standby interface cellular 2/0/0
[RouterA-Cellular1/0/0] quit

4. Configure C-DCC.

# Create dialer access group 1 and configure a dialer rule in the group.

[RouterA] dialer-rule
[RouterA-dialer-rule] dialer-rule 1 ip permit
[RouterA-dialer-rule] quit

# Enable C-DCC on Cellular1/0/0.

[RouterA] interface cellular 1/0/0
[RouterA-Cellular1/0/0] dialer-group 1
[RouterA-Cellular1/0/0] dialer timer autodial 60
[RouterA-Cellular1/0/0] dialer number *99# autodial
[RouterA-Cellular1/0/0] quit

# Enable C-DCC on Cellular2/0/0.

[RouterA] interface cellular 2/0/0
[RouterA-Cellular2/0/0] dialer-group 1
[RouterA-Cellular2/0/0] dialer timer autodial 60
[RouterA-Cellular2/0/0] dialer number *98# autodial
[RouterA-Cellular2/0/0] quit

5. Configure a static route.

[RouterA] ip route-static 0.0.0.0 0.0.0.0 cellular 1/0/0 preference 40
[RouterA] ip route-static 0.0.0.0 0.0.0.0 cellular 2/0/0 preference 80

6. Verify the configuration.

# After the configuration is complete, run the display standby state command on
RouterA to check the status of the primary and backup interfaces. The command output
shows that Cellular1/0/0 is in Up state and Cellular2/0/0 is in Standby state.

[RouterA] display standby state
Interface                Interfacestate Backupstate Backupflag Pri Loadstate
Cellular1/0/0            UP             MUP         MU
Cellular2/0/0            STANDBY        STANDBY     BU         0

Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED

----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State

----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State

----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State

# Run the shutdown command on Cellular1/0/0 to simulate a link fault. Then run the display
standby state command on RouterA to check the status of the primary and backup
interfaces. The command output shows that Cellular1/0/0 is in Down state and
Cellular2/0/0 is in Up state, indicating that the backup interface has started.

[RouterA-Cellular1/0/0] shutdown
[RouterA-Cellular1/0/0] quit
[RouterA] display standby state
Interface                Interfacestate Backupstate Backupflag Pri Loadstate
Cellular1/0/0            DOWN           MDOWN       MU
Cellular2/0/0            UP             UP          BU         0

Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED

----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State

----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State

----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State

Configuration Files

• Configuration file of RouterA

#
sysname RouterA
#
apn profile ltenet1
apn profile ltenet2
#
interface Cellular1/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile ltenet1
 dialer timer autodial 60
 dialer number *99# autodial
 standby interface Cellular2/0/0
 ip address negotiate
#
interface Cellular2/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile ltenet2
 dialer timer autodial 60
 dialer number *98# autodial
 ip address negotiate
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Cellular1/0/0 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular2/0/0 preference 80
#
return
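The roadmap for this example ties several objects together (APN profile, dialer group and rule, standby interface, route preference), and a single mistyped keyword silently breaks the relationship. The following Python check is an added example, not part of the original guide or of any Huawei tooling: it parses RouterA's configuration file and reports missing links. The function names and finding texts are this example's own.

```python
import re

# RouterA's configuration file from this example, embedded so the check runs offline.
ROUTER_A = """\
#
sysname RouterA
#
apn profile ltenet1
apn profile ltenet2
#
interface Cellular1/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile ltenet1
 dialer timer autodial 60
 dialer number *99# autodial
 standby interface Cellular2/0/0
 ip address negotiate
#
interface Cellular2/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile ltenet2
 dialer timer autodial 60
 dialer number *98# autodial
 ip address negotiate
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Cellular1/0/0 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular2/0/0 preference 80
#
return
"""

IFACE_CMDS = {  # interface-view commands the roadmap depends on
    "apn": r"apn-profile (\S+)(?: priority \d+)?",
    "standby": r"standby interface (\S+)",
    "group": r"dialer-group (\d+)",
    "number": r"dialer number (\S+) autodial",
}


def parse(text):
    """Collect APN profiles, dialer rules, default routes and interface settings."""
    cfg = {"profiles": set(), "rules": set(), "defaults": {}, "ifaces": {}}
    cur = None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = cfg["ifaces"].setdefault(
                m[1], {"apn": [], "standby": None, "group": None, "number": None})
        elif line == "#":
            cur = None
        elif m := re.fullmatch(r"apn profile (\S+)", line):
            cfg["profiles"].add(m[1])
        elif m := re.fullmatch(r"dialer-rule (\d+) .+", line):
            cfg["rules"].add(m[1])
        elif m := re.fullmatch(
                r"ip route-static 0\.0\.0\.0 (?:0\.0\.0\.0|0) (\S+)(?: preference (\d+))?", line):
            cfg["defaults"][m[1]] = int(m[2]) if m[2] else None
        elif cur is not None:
            for key, pattern in IFACE_CMDS.items():
                if m := re.fullmatch(pattern, line):
                    if key == "apn":
                        cur["apn"].append(m[1])
                    else:
                        cur[key] = m[1]
    return cfg


def audit(text):
    """Return findings that break the primary/backup design; an empty list means consistent."""
    cfg = parse(text)
    ifaces, routes, findings = cfg["ifaces"], cfg["defaults"], []
    for name, conf in ifaces.items():
        for profile in conf["apn"]:
            if profile not in cfg["profiles"]:
                findings.append(f"{name}: APN profile {profile} is bound but not defined")
        if conf["group"] and conf["group"] not in cfg["rules"]:
            findings.append(f"{name}: dialer-group {conf['group']} has no dialer-rule")
    pairs = [(name, conf["standby"]) for name, conf in ifaces.items() if conf["standby"]]
    if not pairs:
        findings.append("no standby interface configured: primary/backup relationship missing")
    for primary, backup in pairs:
        if backup not in ifaces:
            findings.append(f"{primary}: standby interface {backup} is not configured")
            continue
        if not ifaces[backup]["number"]:
            findings.append(f"{backup}: backup interface has no autodial dialer number")
        pref_p, pref_b = routes.get(primary), routes.get(backup)
        if pref_p is None or pref_b is None:
            findings.append(f"{primary}/{backup}: both default routes need an explicit preference")
        elif pref_p >= pref_b:  # a lower preference value is preferred
            findings.append(f"{primary}: preference {pref_p} does not beat backup {backup} ({pref_b})")
    return findings
```

Running `audit()` on a file in which `standby` is misspelled returns the "no standby interface configured" finding, because the unrecognized line is not treated as a backup relationship.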

7.3.3.13.13.4 Configuring LTE Cellular Interfaces to Use the Multi-APN Function for
Data and VoIP Communication

Networking Requirements

A remote branch of the enterprise cannot obtain wired WAN access service, and needs to
exchange heavy traffic with the headquarters. The branch wants to communicate with the
headquarters through the Internet. In addition, the branch also wants to exchange voice services
with the headquarters at a low cost, so VoIP communication needs to be used.

The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires the Router to assign IP addresses to branch intranet users and to allow
the users to access external networks.

The remote branch cannot obtain wired WAN access service for data and VoIP communication.
As shown in Figure 1, the branch uses the Router as the egress gateway
and uses an LTE cellular interface to connect to the PGW through the LTE network, meeting
service transmission requirements. The PGW connects to the Internet through the Internet
gateway and connects to the IMS network through the IMS gateway.

Figure 1 Networking diagram of configuring LTE cellular interfaces to use the multi-APN
function for data and VoIP communication

Configuration Roadmap

The enterprise can use the multi-APN function of LTE cellular interfaces to implement data and
VoIP communication. Two LTE channel interfaces can be configured for an LTE cellular
interface. You can bind two APN profiles respectively to the two LTE channel interfaces. One
APN connects to the Internet for data communication, and the other connects to the IMS network
for VoIP communication. The PGW assigns an IP address to each LTE channel interface of the
LTE cellular interface.

The configuration roadmap is as follows:

• Create two APN profiles. One profile is for the APN connecting to the Internet, and
the other is for the APN connecting to the IMS network.
• Configure an LTE cellular interface, configure a network connection mode for the
interface, and enable the multi-APN function.
• Configure C-DCC for dial-up connection on the LTE cellular interface.
• Bind the APN profiles to the LTE cellular interface.
• Configure the enterprise intranet and configure the Router to assign IP addresses to
branch intranet users.
• Configure the NAT function and set the IP address of the LTE channel interface as the
public IP address of the enterprise branch.
• Configure a default route and specify the LTE channel interface as the outbound interface
so that traffic from the branch intranet can be forwarded to the LTE network through the
LTE channel interface.

Procedure

1. Configure APN profiles.

# Configure an APN profile named datanet to connect to the Internet.

<Huawei> system-view
[Huawei] sysname Router
[Router] apn profile datanet
[Router-apn-profile-datanet] user name lte-example password cipher 123456 authentication-mode chap
[Router-apn-profile-datanet] apn data
[Router-apn-profile-datanet] quit

# Configure an APN profile named voicenet to connect to the IMS network.

[Router] apn profile voicenet
[Router-apn-profile-voicenet] apn voice
[Router-apn-profile-voicenet] quit

2. Configure an LTE cellular interface.

# Configure a network connection mode.

[Router] interface cellular 1/0/0
[Router-Cellular1/0/0] mode lte auto

# Enable the multi-APN function on the LTE cellular interface.

[Router-Cellular1/0/0] multi-apn enable
[Router-Cellular1/0/0] quit

3. Configure C-DCC for dial-up connection on the LTE cellular interface.

# Configure a dialer control list.

[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit

# Configure C-DCC for dial-up connection on LTE channel interface 1 and bind the APN
profile datanet to LTE channel interface 1.

[Router] interface cellular 1/0/0:1
[Router-Cellular1/0/0:1] ip address negotiate
[Router-Cellular1/0/0:1] dialer enable-circular
[Router-Cellular1/0/0:1] dialer-group 1
[Router-Cellular1/0/0:1] dialer timer autodial 20
[Router-Cellular1/0/0:1] dialer number *99# autodial
[Router-Cellular1/0/0:1] apn-profile datanet
[Router-Cellular1/0/0:1] shutdown
[Router-Cellular1/0/0:1] undo shutdown
[Router-Cellular1/0/0:1] quit

# Configure C-DCC for dial-up connection on LTE channel interface 2 and bind the APN
profile voicenet to LTE channel interface 2.

[Router] interface cellular 1/0/0:2
[Router-Cellular1/0/0:2] ip address negotiate
[Router-Cellular1/0/0:2] dialer enable-circular
[Router-Cellular1/0/0:2] dialer-group 1
[Router-Cellular1/0/0:2] dialer timer autodial 20
[Router-Cellular1/0/0:2] dialer number *99# autodial
[Router-Cellular1/0/0:2] apn-profile voicenet
[Router-Cellular1/0/0:2] shutdown
[Router-Cellular1/0/0:2] undo shutdown
[Router-Cellular1/0/0:2] quit

4. Configure the enterprise intranet.

# Create VLAN 10 and add Ethernet 2/0/0 to VLAN 10.

[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

# Enable DHCP.

[Router] dhcp enable

# Create a global address pool.

[Router] ip pool 4gpool
[Router-ip-pool-4gpool] network 192.168.100.0 mask 255.255.255.0
[Router-ip-pool-4gpool] gateway-list 192.168.100.1
[Router-ip-pool-4gpool] quit

# Configure the interface to work in global address pool mode.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 192.168.100.1 255.255.255.0
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit

5. Configure the NAT function.

[Router] acl number 3002
[Router-acl-adv-3002] rule 5 permit ip source 192.168.100.0 0.0.0.255
[Router-acl-adv-3002] quit
[Router] interface cellular 1/0/0:1
[Router-Cellular1/0/0:1] nat outbound 3002
[Router-Cellular1/0/0:1] quit
[Router] interface cellular 1/0/0:2
[Router-Cellular1/0/0:2] nat outbound 3002
[Router-Cellular1/0/0:2] quit

6. Configure a default route and specify the LTE channel interfaces as the outbound
interfaces.

[Router] ip route-static 1.1.1.0 255.255.255.0 cellular 1/0/0:1
[Router] ip route-static 2.2.2.0 255.255.255.0 cellular 1/0/0:2

7. Verify the configuration.

# After the configuration is complete, traffic of the branch intranet is transmitted to the
LTE network through the LTE cellular interface and the branch users can exchange both
data and VoIP services through the LTE cellular interface.

Example

• Configuration file of the Router

#
sysname Router
#
vlan batch 10
#
dhcp enable
#
acl number 3002
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
apn profile datanet
 apn data
 user name lte-example password cipher %^%#Xhc5=7"mU5o)7]/JST4$8\0CD`~a{O0Z~p+YWvY~%^%# authentication-mode chap
apn profile voicenet
 apn voice
#
interface Cellular1/0/0
 mode lte auto
 multi-apn enable
#
interface Cellular1/0/0:1
 dialer enable-circular
 dialer-group 1
 apn-profile datanet
 dialer timer autodial 20
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
#
interface Cellular1/0/0:2
 dialer enable-circular
 dialer-group 1
 apn-profile voicenet
 dialer timer autodial 20
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Vlanif10
 ip address 192.168.100.1 255.255.255.0
 dhcp select global
#
ip pool 4gpool
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 1.1.1.0 255.255.255.0 Cellular1/0/0:1
ip route-static 2.2.2.0 255.255.255.0 Cellular1/0/0:2
#
return

7.3.3.13.13.5 Example for Accessing Different LTE Networks Using Dual SIM Cards

Networking Requirements

As shown in Figure 1, the headquarters and branch of an enterprise are located in different places.
Router is the egress gateway of the branch and connects to the headquarters through an LTE
network (LTE network 1).

To improve data transmission reliability of the LTE link, the branch uses an LTE cellular
interface supporting dual SIM cards. One SIM card functions as the master SIM card to connect
to LTE network 1, the other SIM card functions as the backup SIM card to connect to LTE
network 2. If dial-up fails because the account balance of the master SIM card is insufficient, the
master SIM card is faulty, the LTE link signal quality is poor, or the connected LTE network is
faulty, traffic is automatically switched to the backup SIM card, ensuring uninterrupted
enterprise services.

Figure 1 Networking diagram for accessing different LTE networks using dual SIM cards

Configuration Roadmap

The configuration roadmap is as follows:

• Create two APN profiles. Bind one APN profile to the master SIM card and the other to
the backup SIM card.
• Configure C-DCC for the dial-up connection on the LTE cellular interface.
• Bind the APN profiles to the LTE cellular interface.
• Configure the enterprise intranet and use Router to assign IP addresses to the branch
intranet users.
• Configure the NAT function and specify the IP address of the LTE cellular interface as
the public IP address of the enterprise branch.
• Configure a default route and specify the LTE cellular interface as the outbound interface
so that traffic from the branch intranet is forwarded to the Internet through the LTE
cellular interface.

Procedure

1. Configure APN profiles.

# Configure APN profile mainCard and bind it to the master SIM card to connect to
LTE network 1. According to the carrier, the APN of LTE network 1 is LTENET1.

<Huawei> system-view
[Huawei] sysname Router
[Router] apn profile mainCard
[Router-apn-profile-mainCard] sim-id 1
[Router-apn-profile-mainCard] apn LTENET1
[Router-apn-profile-mainCard] quit

# Configure APN profile backupCard and bind it to the backup SIM card to connect to
LTE network 2. According to the carrier, the APN of LTE network 2 is LTENET2.

[Router] apn profile backupCard
[Router-apn-profile-backupCard] sim-id 2
[Router-apn-profile-backupCard] apn LTENET2
[Router-apn-profile-backupCard] quit

2. Configure C-DCC for the dial-up connection on the LTE cellular interface.

# Configure a dialer control list.

[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit

# Configure C-DCC for the dial-up connection on the LTE cellular interface.

[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] ip address negotiate
[Router-Cellular0/0/0] mode lte auto
[Router-Cellular0/0/0] dialer enable-circular
[Router-Cellular0/0/0] dialer-group 1
[Router-Cellular0/0/0] dialer timer autodial 20
[Router-Cellular0/0/0] dialer number *99# autodial

3. Bind the APN profiles to the LTE cellular interface.

[Router-Cellular0/0/0] apn-profile mainCard priority 150
[Router-Cellular0/0/0] apn-profile backupCard priority 120
[Router-Cellular0/0/0] sim switch rssi-threshold 105
[Router-Cellular0/0/0] sim switch-back enable timer 1440
[Router-Cellular0/0/0] shutdown
[Router-Cellular0/0/0] undo shutdown
[Router-Cellular0/0/0] quit

4. Configure the enterprise intranet.

# Create VLAN 10 and add Ethernet 2/0/0 to VLAN 10.

[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit

# Enable DHCP.

[Router] dhcp enable

# Create a global address pool.

[Router] ip pool ltepool
[Router-ip-pool-ltepool] network 192.168.100.0 mask 255.255.255.0
[Router-ip-pool-ltepool] gateway-list 192.168.100.1
[Router-ip-pool-ltepool] quit

# Configure the interface to work in global address pool mode.

[Router] interface vlanif 10
[Router-Vlanif10] ip address 192.168.100.1 255.255.255.0
[Router-Vlanif10] dhcp select global
[Router-Vlanif10] quit

5. Configure the NAT function.

[Router] acl number 3002
[Router-acl-adv-3002] rule 5 permit ip source 192.168.100.0 0.0.0.255
[Router-acl-adv-3002] quit
[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] nat outbound 3002
[Router-Cellular0/0/0] quit

6. Configure a default route and specify Cellular0/0/0 as the outbound interface.

[Router] ip route-static 0.0.0.0 0 cellular 0/0/0

7. Verify the configuration.

# After the configuration is complete, traffic on the branch intranet is transmitted to LTE
network 1 through the master SIM card. If dial-up fails because the account balance of
the master SIM card is insufficient, the master SIM card is faulty, the LTE link signal
quality is poor, or the connected LTE network is faulty, traffic is automatically switched
to the backup SIM card and transmitted to LTE network 2.

Example

• Configuration file of Router

#
sysname Router
#
vlan batch 10
#
dhcp enable
#
acl number 3002
 rule 5 permit ip source 192.168.100.0 0.0.0.255
#
apn profile mainCard
 apn LTENET1
apn profile backupCard
 apn LTENET2
 sim-id 2
#
interface Cellular0/0/0
 dialer enable-circular
 dialer-group 1
 apn-profile mainCard priority 150
 apn-profile backupCard priority 120
 dialer timer autodial 20
 dialer number *99# autodial
 nat outbound 3002
 ip address negotiate
 sim switch-back enable timer 1440
 sim switch rssi-threshold 105
#
interface Ethernet2/0/0
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface Vlanif10
 ip address 192.168.100.1 255.255.255.0
 dhcp select global
#
ip pool ltepool
 gateway-list 192.168.100.1
 network 192.168.100.0 mask 255.255.255.0
#
dialer-rule
 dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
#
return

7.3.3.13.14 References
This section lists references of 3G and LTE.

The following table lists the references for this document.

Document   Description                                         Remarks
RFC3113    3GPP-IETF Standardization Collaboration             -
RFC3574    Transition Scenarios for 3GPP Networks              -
RFC3025    Mobile IP Vendor/Organization-Specific Extensions   -

3G and LTE standards defined by 3GPP include:

• 3GPP Release 99
• 3GPP Release 4
• 3GPP Release 5
• 3GPP Release 6
• 3GPP Release 7
• 3GPP Release 8


7.3.10.6 DSVPN Configuration


DSVPN can be configured on the source branch, destination branch, and central office Routers.

Overview
This section describes the definition and functions of DSVPN.
Principles
This section describes the implementation of DSVPN.
Applications
This section describes the applicable scenario of DSVPN.
Configuration Notes
This section describes DSVPN configuration notes.
Default Configuration
This section provides the default DSVPN configuration.
Configuring DSVPN
After DSVPN is configured, a Spoke can dynamically obtain the public network address
of its peer device and establish a tunnel with the peer device to exchange data.
Maintaining DSVPN
This section describes how to clear and check the DSVPN statistics.
Configuration Examples
This section describes how to configure DSVPN in different application scenarios when
different routing plans are used.
Common Configuration Errors
This section describes common faults caused by incorrect DSVPN configurations and
provides the troubleshooting procedure.
References
This section lists references of DSVPN.

7.3.10.6.1 Overview
This section describes the definition and functions of DSVPN.

Definition

Dynamic Smart Virtual Private Network (DSVPN) is a technology that allows virtual private
networks (VPNs) to be established dynamically between enterprise branches and between
branches and central offices in the Hub-Spoke model.

Purpose

The DSVPN technology allows enterprises to connect their central offices (Hubs) and branches
(Spokes) in different areas through the public network. Branches can dynamically establish
VPNs with the central office and with each other.

Figure 1 Typical Hub-Spoke networking without DSVPN enabled


In the traditional Hub-Spoke model, Hub-Spoke tunnels are established between the central
office and branches, and all the data flows transmitted between two branches pass through the
central office. The network deployment in Figure 1 has the following problems:

• When a new branch is added to the network, the Hub needs to add and maintain the VPN
configuration for this branch. When a large number of branches exist on the network,
configuration on the Hub is complicated. Additionally, the configuration on the Hub must
be modified each time the network topology changes.
• If traffic between two branches passes through the central office, forwarding the traffic
consumes resources of the central office and adds transmission delay. The effect is most
obvious when data is protected with IP Security (IPSec), because the central office must
decrypt data packets sent from the source branch, and then encrypt the data packets again
to send them to the destination branch.
• If traffic between two branches does not pass through the central office and outbound
interfaces in the branches use dynamic addresses, the branches cannot obtain each other's
address. Therefore, the two branches cannot establish a direct tunnel.

DSVPN uses the Next Hop Resolution Protocol (NHRP) to collect and maintain dynamic public
network addresses. This allows a device to obtain the public network address of its peer in
advance.

Figure 2 Typical Hub-Spoke networking with DSVPN enabled

As shown in Figure 2, branches use dynamic addresses to access the public network and establish
Spoke-Spoke tunnels dynamically with each other for direct communication between them.
In addition, the multipoint Generic Routing Encapsulation (mGRE) technology allows one mGRE
tunnel interface to have multiple GRE tunnels. DSVPN uses the mGRE technology to simplify
subnet traffic management and configuration of GRE and IPSec.

Benefits

• Lower VPN construction costs.

DSVPN implements dynamic connections between the central office and branches, and
between branches. Branches do not need to purchase static public network addresses.

• Simplified configuration on the Hub and Spokes.

The Hub and Spokes use one mGRE tunnel interface instead of multiple GRE tunnel
interfaces to establish tunnels. When a new Spoke is added to the network, the network
administrator does not need to change configurations on the Hub or any existing Spokes.
The administrator only needs to configure the new Spoke, and then the Spoke
dynamically registers with the Hub.

• Reduced forwarding delay between branch offices.

Branches can dynamically establish tunnels to directly exchange service data, reducing
the forwarding delay and improving forwarding performance and efficiency.


7.3.10.6.2 Principles
This section describes the implementation of DSVPN.

Basic Concepts
Basic Principles
DSVPN NAT Traversal
DSVPN Dual-Hub Backup
IPSec-based DSVPN

7.3.10.6.2.1 Basic Concepts


As shown in Figure 1, an enterprise connects its central office (the Hub) and multiple sparsely
distributed branches (the Spokes) through the public network.

Figure 1 Typical enterprise networking

On a network shown in Figure 1, the public network address is a Non-Broadcast Multiple Access
(NBMA) address and the tunnel address is a protocol address (see RFC2332).

The concepts related to DSVPN are as follows:

DSVPN Node

A DSVPN node is a device on which DSVPN is deployed. A DSVPN node can be a Spoke or
Hub.

• Spoke

A Spoke is the network gateway of a branch office. Generally, a Spoke uses a dynamic
public network address.

• Hub

A Hub is a device in the central office and also an important device of the DSVPN
network. The Hub receives registration packets from Spokes. On the DSVPN network,
the Hub can use a fixed public network address or a domain name.

mGRE and mGRE Tunnel Interface

mGRE is a point-to-multipoint GRE technology developed from GRE. An mGRE tunnel
interface is a logical interface.

The mGRE tunnel interface has the following attributes:

• Source tunnel address: used by the transmission protocol to identify the packet source.
The source tunnel address is the source address of a GRE encapsulated packet, that is, the
public network address (NBMA address) in Figure 1.
• Destination tunnel address: used by the transmission protocol to identify the packet
destination. The destination tunnel address is the destination address of the GRE
encapsulated packet.
• Tunnel interface IP address: the protocol address in Figure 1. Like the IP address of a
physical interface, a tunnel interface IP address contains routing information used for
communication between devices.

NOTE:

• The destination IP address of a GRE tunnel interface is manually configured, whereas the
destination IP address of an mGRE tunnel is resolved by the NHRP protocol. An mGRE
tunnel interface has multiple remote ends and allows multiple GRE tunnels to be
established on the interface.
• mGRE tunnel interfaces do not support keepalive detection.

NHRP

NHRP enables a source Spoke on an NBMA network to obtain the dynamic public network
address of a destination Spoke. When a Spoke connects to an NBMA network, it sends NHRP
Registration Request packets to the Hub by using the public network address of the outbound
interface as the source address. The Hub creates or updates NHRP mapping entries based on the
packets received. Two Spokes send NHRP Resolution Request and Reply packets to each other
to create or update their NHRP mapping entries.

Hub-Spoke Tunnel

The tunnel between the Hub and a Spoke shown in Figure 1 is a Hub-Spoke tunnel. Other Spokes
can also establish Hub-Spoke tunnels with the Hub.

On a DSVPN network, Spoke information is not configured on the Hub, but the public network
address or domain name of the Hub is statically configured on Spokes. When a Spoke connects
to the NBMA network, it sends NHRP Registration Request packets to the Hub to report the
public network address of its outbound interface. The Hub creates or updates NHRP mapping
entries based on the packets received.

Spoke-Spoke Tunnel

The tunnel between the Spokes shown in Figure 1 is a Spoke-Spoke tunnel.

When one Spoke transmits data to another Spoke, the source Spoke checks the routing table to
obtain the private address of the next hop. If the Spoke fails to obtain the public network address
corresponding to the private address in the local NHRP mapping entries, it sends NHRP
Resolution Request packets to obtain the public network address of the destination Spoke. After
obtaining the NHRP Resolution Reply packets, the Spokes use the mGRE interface to
dynamically establish a VPN tunnel for data transmission between them. The tunnel is
automatically removed if no packet is forwarded through it within a period.


7.3.10.6.2.2 Basic Principles


The DSVPN technology can be used in two scenarios: Non-Shortcut Scenario of DSVPN on
small- and medium-sized networks and Shortcut Scenario of DSVPN on large-sized networks.

Application scenarios and route deployment are described as follows:

• Non-Shortcut Scenario of DSVPN: Branches learn routes from each other.

A small- or medium-sized network has only a few branches, and the branches can learn
routes from each other by deploying Non-Shortcut Scenario of DSVPN. In this scenario,
the next hop to a destination subnet is the tunnel address of the destination branch. This
deployment has a low requirement on the performance of the Hub and Spokes because
the devices only have to learn a small number of routes.

• Shortcut Scenario of DSVPN: Branches have only summarized routes to the central office.

On a large-sized network with many branch subnets, Spokes need to learn many routes
from other branches. If the shortcut function is not configured, the Spokes have to save
routing information on the entire network. This requires Spokes to maintain a large
routing table and provide high performance because many CPU and memory resources
are consumed by dynamic routing protocol computation. To reduce the number of
routes saved on Spokes, Shortcut Scenario of DSVPN can be deployed. In this scenario,
the next hop to a destination subnet is the tunnel address of the Hub.

Non-Shortcut Scenario of DSVPN

Route Deployment

In the Non-Shortcut Scenario, Spokes establish direct tunnels between each other. The next hop
to a destination subnet is the tunnel address of the destination Spoke. Two routing plans are
provided to enable a Spoke to learn the route to its peer:

• Static routes are configured on branches.

Each branch has static routes to the other branches. The destination address of a static
route is the subnet of the destination branch, and the next hop is the tunnel address of the
destination Spoke.

• Branches learn routes dynamically.

DSVPN supports the Routing Information Protocol (RIP), Open Shortest Path First
(OSPF), and Border Gateway Protocol (BGP) to allow routes to be learned between
branches, and between branches and the central office. Configure the routing protocols on
the Hub and Spokes so that they can learn the routes dynamically.

Branches learn routes from each other, and each Spoke saves the routes to all branch subnets.

DSVPN Working Principle

DSVPN uses the Next Hop Resolution Protocol (NHRP) to obtain dynamic public network
addresses of peer devices. Figure 1 shows the DSVPN working process in an application scenario
without the shortcut function.

Figure 1 Non-Shortcut Scenario of DSVPN

The working process is as follows:

1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping entries,
and sends NHRP Registration Reply packets to the Spokes.
3. Spokes obtain routes to destination subnets using static routing or a dynamic routing
protocol. For a branch, the next hop address of the route to the destination branch is the
tunnel address of the peer Spoke.
4. To forward a packet, a source Spoke needs to obtain the public network address mapped
to the tunnel address of the destination Spoke.
5. If the local NHRP mapping table does not contain the public network address mapped to
the tunnel address of the destination Spoke, the source Spoke needs to obtain the public
network address from the Hub.
6. The source Spoke sends an NHRP Resolution Request packet to request the public
network address mapping the tunnel address of the destination Spoke.
7. The Hub receives the NHRP Resolution Request packet and forwards the packet to the
destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke in
response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.

Shortcut Scenario of DSVPN


Route Deployment

In the Shortcut Scenario, the next hop to a destination subnet is the tunnel address of the Hub.
Two routing plans are provided to enable branch Spokes to save only summarized routes to the
Hub:

• Static routes are configured on branches.

Each branch has static routes whose next hop to a destination subnet is the tunnel
address of the Hub.

• Branches learn summarized routes to the central office.

DSVPN supports RIP, OSPF and BGP. Configure route summarization on the Hub and
dynamic routing protocols on the Spokes. Then Spokes learn only the summarized routes
to the Hub. The routing configuration on the Hub and Spokes varies according to the
routing protocol used on the network.

In the second routing plan, data traffic is sent to the Hub by default. Spokes do not learn routes
from each other. The Hub summarizes the routes to branch subnets and advertises the
summarized routes to Spokes. NHRP Resolution Request packets sent from a source Spoke are
forwarded to the destination Spoke by the Hub, and the destination Spoke resolves the received
NHRP Resolution Request packets and sends NHRP Resolution Reply packets in response.

DSVPN Working Principle

DSVPN uses NHRP to obtain dynamic public network addresses of peer devices. Figure 2 shows
the DSVPN working process in an application scenario with the shortcut function.
Figure 2 Working principle of Shortcut Scenario of DSVPN

The working process is as follows:

1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping entries
and sends NHRP Registration Reply packets to the Spokes.
3. Branch Spokes obtain the summarized routes to the central office according to static
configurations or using a routing protocol.
4. The source Spoke finds the public network address of the next hop, encapsulates a data
packet, and forwards the packet to the Hub.
5. After receiving the packet, the Hub sends the packet to the destination Spoke and sends
an NHRP Redirect packet to the source Spoke.
6. The source Spoke receives the NHRP Redirect packet and sends an NHRP Resolution
Request packet to the destination Spoke.
7. After receiving the NHRP Resolution Request packet, the Hub forwards the packet to
the destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke in
response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.10.6.2.3 DSVPN NAT Traversal


As shown in Figure 1, when private networks of branch offices connect to the central office,
Network Address Translation (NAT) traversal must be implemented to establish VPNs between
the central office and branches, and between the branches. DSVPN supports NAT traversal to
implement direct communication between branches.

Figure 1 DSVPN NAT traversal

The NAT traversal process is as follows:

1. The Spokes send NHRP Registration Request packets to the Hub. The NHRP
Registration Request packets contain the public network addresses of the Spokes.
2. The NHRP module in the Hub detects whether NAT devices exist on the routes to the
Spokes. If NAT devices exist, the Hub sends NHRP Registration Reply packets to report
the translated public network addresses to the Spokes.
3. The source Spoke sends an NHRP Resolution Request packet with its original address
and the translated address to the destination Spoke.
4. The destination Spoke sends an NHRP Resolution Reply packet with its original
address and the translated address to the source Spoke.
5. The source Spoke and destination Spoke obtain each other's public network addresses
and establish a tunnel based on the addresses translated by NAT devices.

NOTE:

• NAT traversal cannot be implemented on a DSVPN network if two branches use the
same NAT device and their original addresses are translated to the same public network
address.
• NAT traversal cannot be implemented if two Spokes are behind different NAT devices,
and Port Address Translation (PAT) is enabled on the NAT devices.
• When branches need to communicate with each other, the NAT devices must be
configured with an NAT server or static NAT. NAT traversal cannot be implemented if
inbound or outbound NAT is configured on the NAT devices.


7.3.10.6.2.4 DSVPN Dual-Hub Backup


On a DSVPN network, all Spokes connect to the Hub. Therefore, Spokes cannot communicate
with each other when the Hub fails. To improve network reliability, two Hubs can be deployed in
the central office.
Figure 1 DSVPN dual-Hub backup

As shown in Figure 1, the DSVPN network uses two Hubs. The detailed principles are as follows:

1. All branch Spokes send NHRP Registration Request packets to Hub1 (the master) and
Hub2 (the backup) simultaneously. An NHRP Registration Request packet contains
the tunnel address and public network address of the sender Spoke. Meanwhile, the Spokes
generate local NHRP mapping entries to record the mappings between the tunnel
addresses and public network addresses of the two Hubs.
2. Hub1 and Hub2 generate local NHRP mapping entries between tunnel addresses and
public network addresses of the Spokes based on the NHRP Registration Request packets
received, and send NHRP Registration Reply packets to the Spokes.
3. Routing policies are deployed on the Spokes so that routes to Hub1 have a higher priority
than those to Hub2. When the Spokes communicate with each other, they prefer to send
NHRP Resolution Request packets to Hub1.
4. For details about how Spokes establish tunnels based on the data traffic, see Non-Shortcut
Scenario of DSVPN and Shortcut Scenario of DSVPN.
5. When Hub1 fails, the Spokes send NHRP Resolution Request packets to Hub2. When
Hub1 recovers, the Spokes choose Hub1 for data transmission based on the defined
routing policies.

7.3.10.6.2.5 IPSec-based DSVPN
Data transmitted between the central office and a branch, and between branches can be encrypted
to increase data security. Binding an IPSec profile to DSVPN can dynamically establish an
mGRE tunnel and IPSec tunnel simultaneously.

• The establishment of an mGRE tunnel triggers the establishment of an IPSec tunnel.

• The traditional IPSec technology uses an access control list (ACL) to identify unicast
traffic to be encrypted. ACLs need to be defined before the IPSec policy can be used,
which makes IPSec implementation difficult. Joint deployment of IPSec and DSVPN that
uses NHRP and mGRE technologies simplifies device and network deployment and
ensures data transmission security.
• Because an IPSec tunnel is dynamically established between two branches, packets
transmitted between them are not decrypted or encrypted by the Hub. This reduces packet
forwarding delay.

Figure 1 IPSec-based DSVPN

On the DSVPN network, IPSec profiles are configured on mGRE interfaces on the Hub and
Spokes. The mechanism of DSVPN over IPSec is as follows:

1. All the Spokes on the network send NHRP Registration Request packets to the Hub and
report the NHRP mapping entries to IPSec. The Internet Key Exchange (IKE) modules of
the Spokes and the Hub negotiate with each other for IPSec tunnel parameters.
2. The Hub generates local NHRP mapping entries between tunnel addresses and public
network addresses of the Spokes based on the NHRP Registration Request packets
received. The Hub then sends NHRP Registration Reply packets to the Spokes.
3. The Spokes trigger an mGRE tunnel immediately when they transmit traffic. For details
about how to establish an mGRE tunnel, see Non-Shortcut Scenario of DSVPN and Shortcut
Scenario of DSVPN.
4. After the Spokes establish an mGRE tunnel, the IPSec module obtains NHRP mapping
entries, adds or deletes IPSec peers based on the mapping entries, and triggers the Spokes
to dynamically establish an IPSec tunnel.
5. After an IPSec tunnel is established between the Spokes, packets are routed based on the
destination IP addresses. If the outbound interface is an mGRE interface, the Spoke
searches the NHRP mapping table for the public network address mapping the next hop
private address. After obtaining the public network address, the Spoke searches for the
IPSec security association (SA) matching the public network address to encrypt the
packets and send them.


7.3.10.6.3 Applications
This section describes the applicable scenarios of DSVPN.

DSVPN Deployment on a Small- or Medium-sized Network


DSVPN Deployment on a Large-sized Network

7.3.10.6.3.1 DSVPN Deployment on a Small- or Medium-sized Network
Small- and medium-sized networks have only a few branches, and the branches can dynamically
establish VPNs by deploying Non-Shortcut Scenario of DSVPN.
Figure 1 DSVPN deployment on a small- or medium-sized network

As shown in Figure 1, Spoke1 and Spoke2 connect to the Hub through the public network.
DSVPN is deployed to enable Spoke1 and Spoke2 to learn routes from each other. Spoke1 and
Spoke2 can communicate with each other directly because they are each other's next hop.


7.3.10.6.3.2 DSVPN Deployment on a Large-sized Network
A large-sized network has a large number of branch offices. The deployment of Non-Shortcut
Scenario of DSVPN requires the Spokes to have a large routing table and high forwarding
performance. Shortcut Scenario of DSVPN can be deployed without upgrading the Spokes. This
deployment reduces the routing entries on the Spokes, lowering the requirements on the Spokes'
routing table size and forwarding performance.
Figure 1 DSVPN deployment on a large-sized network

As shown in Figure 1, all the Spokes only have routes to the Hub. When two Spokes need to
communicate with each other, the first packet is sent to the Hub. After that, a tunnel is
established between the Spokes, and the Spokes can directly exchange data traffic.


7.3.10.6.4 Configuration Notes


This section describes DSVPN configuration notes.

Involved Network Elements

None

DSVPN License

The DSVPN function is used with a license. By default, the DSVPN function cannot be used on
the device.

To use the DSVPN function, apply for and purchase the following license from the Huawei local
office:

• AR150&AR160&AR200 series:
  - AR150&160&200 Value-Added Security Package
  - AR150&160&200 DSVPN (Dynamic Smart VPN) Function
• AR1200 series:
  - AR1200 Value-Added Security Package
  - AR1200 DSVPN (Dynamic Smart VPN) Function
• AR2200 series:
  - AR2200 Value-Added Security Package
  - AR2200 DSVPN (Dynamic Smart VPN) Function
• AR3200 series:
  - AR3200 Value-Added Security Package
  - AR3200 DSVPN (Dynamic Smart VPN) Function
• AR3600 series:
  - AR3600 Value-Added Security Package
  - AR3600 DSVPN (Dynamic Smart VPN) Function

NOTE:

The AR120 does not require license authentication.

DSVPN is a Huawei proprietary protocol and can only be used to interconnect AR routers.

Feature Dependencies and Limitations

When IPSec tunnels are deployed on the DSVPN network, rapidly updating the NHRP mapping
table will cause IKE re-negotiation and may even interrupt services. Do not update the NHRP
mapping table frequently.


7.3.10.6.5 Default Configuration


This section provides the default DSVPN configuration.

| Parameter | Default Setting |
|---|---|
| DSVPN domain of an interface | 0 |
| NHRP authentication | Unspecified |
| Time interval at which a Spoke registers with the Hub | 1800 seconds |
| Holding time of NHRP mapping entries | 7200 seconds |
| NHRP redirect function | Disabled |
| NHRP shortcut function | Disabled |
| Adding dynamically registered branches to the NHRP multicast member table | Unspecified |
| Method to process conflicting NHRP mapping entries during NHRP registration | Not overridden |
| Referencing an IKE peer in the IPSec profile | Not referenced |
| Referencing an IPSec proposal in the IPSec profile | Not referenced |
| Using PFS in IPSec negotiation | Unused |

7.3.10.6.6 Configuring DSVPN


After DSVPN is configured, a Spoke can dynamically obtain the public network address of its
peer device and establish a tunnel with the peer device to exchange data.

Pre-configuration Tasks

Before configuring DSVPN, complete the following task:

• Configuring public network addresses to ensure that routes between nodes are reachable

Configuration Process

Perform the following operations on the Hub and Spokes to configure DSVPN. Configuring an
IPSec profile is optional. You are advised to perform this operation to protect packets against
attacks because NHRP does not provide the encryption and decryption functions.

Configuring mGRE
Configuring Routes
Configuring NHRP
(Optional) Configuring an IPSec Profile
Checking the Configuration

7.3.10.6.6.1 Configuring mGRE


Context

To implement DSVPN, create a tunnel interface and set the interface type to Multipoint GRE
(mGRE). You only need to configure the source address or source interface but not the
destination address on the mGRE interface. An mGRE tunnel interface has multiple remote ends
and allows multiple GRE tunnels to be established on the interface. This simplifies GRE
configuration on devices.

Perform the following operations on the Hub and Spokes.

Procedure

1. Run:

system-view

The system view is displayed.

2. Run:

interface tunnel interface-number

A tunnel interface is created and the tunnel interface view is displayed.

3. Run:

ip address ip-address { mask | mask-length }

The IP address of the tunnel interface is configured.

4. Run:

tunnel-protocol gre p2mp

The tunnel encapsulation mode is set to mGRE.

NOTICE:
Changing the encapsulation mode of a tunnel interface deletes other parameters of the
tunnel interface, including the source address or source interface configured for the
tunnel interface, and NHRP parameters.

5. Run:

source { [ vpn-instance vpn-instance-name ] source-ip-address | interface-type interface-number }

The source address or source interface is configured for the tunnel interface.

6. (Optional) Run:

gre key { plain key-number | [ cipher ] plain-cipher-text }

The key number of a tunnel interface is set.

By default, no key number is set for a tunnel interface.

When multiple mGRE tunnel interfaces are configured with the same source address or
source interface, run this command to set a key number for each interface.

NOTICE:

If plain is selected, the password is saved in the configuration file in plain text. This
brings security risks. It is recommended that you select cipher to save the password in
cipher text.


7.3.10.6.6.2 Configuring Routes


Context

Routes for the traffic forwarded through a tunnel must be available on branches and the
central office so that packets encapsulated with mGRE can be forwarded correctly. These
routes can be static routes or dynamic routes.

DSVPN provides two route deployments to meet the requirements in different scenarios.
• Non-Shortcut Scenario of DSVPN: Branches learn routes from each other.

A small- or medium-sized network has a few branches, and the branches can learn routes
from each other by deploying Non-Shortcut Scenario of DSVPN. In this scenario, the
next hop to a destination subnet is the tunnel address of the destination branch. This
deployment has a low requirement on the performance of the Hub and Spokes because
the devices only have to learn a small number of routes.

• Shortcut Scenario of DSVPN: Branches have only summarized routes to the central
office.

On a large-sized network with many branch subnets, Spokes need to learn many routes
from other branches. If the shortcut function is not configured, the Spokes must save
routing information on the entire network. This requires Spokes to maintain a large
routing table and provide high performance because many CPU and memory resources
are consumed for computing of dynamic routing protocols. To reduce the number of
routes saved on Spokes, Shortcut Scenario of DSVPN can be deployed. In this scenario,
the next hop to a destination subnet is the tunnel address of the Hub.

Perform the following operations on the Hub and Spokes to deploy routes in a non-shortcut
scenario and a shortcut scenario.

Procedure

• Configuring a static route


1. Run:

system-view

The system view is displayed.

2. Run:

ip route-static ip-address { mask | mask-length } nexthop-address [ description text ]

A static route is configured.

NOTE:

• Non-Shortcut Scenario of DSVPN

You must configure static routes on both the Hub and Spokes, and set the
next hop as the address of the tunnel interface on the peer device.

• Shortcut Scenario of DSVPN

You must configure static routes on both the Hub and Spokes. Set the next
hop of the Hub as the tunnel interface address of the destination Spoke and
set the next hop of a Spoke as the tunnel interface address of the Hub.

• Configuring a dynamic route


1. Run:

system-view

The system view is displayed.

2. Configure a dynamic route.

Dynamic routes can be implemented using RIP, OSPF, or BGP. For the
configuration of a dynamic routing protocol, see Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Unicast Routing.

When configuring dynamic routing protocols, pay attention to the following points:

| Scenario and Routing Protocol | RIP | OSPF | BGP |
|---|---|---|---|
| Non-Shortcut Scenario of DSVPN | Disable the split horizon and automatic route aggregation functions on the mGRE interface of the Hub. | Configure the OSPF network type to multicast using the ospf network-type broadcast command on Hubs and Spokes. | Route aggregation cannot be configured on the Hub. |
| Shortcut Scenario of DSVPN | Enable the split horizon and automatic route aggregation functions on the mGRE interface of the Hub. | Configure the OSPF network type to Point-to-Multipoint (P2MP) using the ospf network-type p2mp command on Hubs and Spokes. | Configure route aggregation on the Hub. |
7.3.10.6.6.3 Configuring NHRP
Context

NHRP enables a source Spoke on a public network to dynamically obtain the public network
address of a destination Spoke. When a Spoke connects to a public network, it sends NHRP
Registration Request packets to the Hub by using the public network address of the outbound
interface. The Hub creates or updates NHRP mapping entries based on the packets received. Two
Spokes exchange NHRP Resolution Request and Reply packets to create or update NHRP
mapping entries between them.

Perform the following operations on the Hub and Spokes in a non-shortcut scenario and a
shortcut scenario.

NOTICE:

When configuring the NHRP authentication string, if simple is selected, the password is saved in
the configuration file in plain text. This brings security risks. It is recommended that you select
cipher to save the password in cipher text.

Procedure

• Configure the Hub


1. Run:

system-view

The system view is displayed.

2. Run:

interface tunnel interface-number

The tunnel interface view is displayed.

3. (Optional) Run:

nhrp network-id number

A DSVPN domain is configured for the tunnel interface.

By default, a tunnel interface belongs to DSVPN domain 0.

4. Run:
nhrp entry multicast dynamic

Dynamically registered branches are added to the NHRP multicast member table.

By default, no dynamically registered Spoke is added to the NHRP multicast member table.

5. (Optional) Run:

nhrp authentication { simple string | cipher cipher-string }

The NHRP authentication string is configured.

By default, no NHRP authentication string is configured.

6. (Optional) Run:

nhrp entry holdtime seconds seconds

The aging time of NHRP mapping entries is configured.

By default, the aging time of NHRP mapping entries is 7200 seconds.

7. Run:

nhrp redirect

The NHRP redirect function is enabled.

Perform this operation only in the non-shortcut scenario. By default, the NHRP
redirect function is disabled.

• Configure the Spokes


1. Run:

system-view

The system view is displayed.

2. Run:

interface tunnel interface-number

The tunnel interface view is displayed.

3. (Optional) Run:

nhrp network-id number


A DSVPN domain is configured for the tunnel interface.

By default, a tunnel interface belongs to DSVPN domain 0.

4. Run:

nhrp entry protocol-address { dns-name | nbma-address } [ register ] [ track apn apn-name ]

An NHRP mapping entry is configured.

When the track apn parameter is specified, whether the NHRP mapping entry
takes effect depends on the APN status. If the APN is valid, the NHRP mapping
entry takes effect; otherwise, the configuration is saved but the NHRP mapping
entry does not take effect.

5. (Optional) Run:

nhrp registration no-unique

New NHRP mapping entries are allowed to override conflicting NHRP mapping
entries during NHRP registration.

By default, new NHRP mapping entries cannot override conflicting NHRP mapping entries
during NHRP registration.

6. (Optional) Run:

nhrp authentication { simple string | cipher cipher-string }

The NHRP authentication string is configured.

By default, no NHRP authentication string is configured.

NOTE:

If the NHRP authentication string is configured on the Hub, it must also be configured on
the Spoke.

7. (Optional) Run:

nhrp registration interval seconds

The NHRP registration interval is configured.

By default, a Spoke registers with the Hub at an interval of 1800 seconds.


8. (Optional) Run:

nhrp entry holdtime seconds seconds

The aging time of NHRP mapping entries is configured.

By default, the aging time of NHRP mapping entries is 7200 seconds.

9. Run:

nhrp shortcut

The NHRP shortcut function is enabled.

Perform this operation on the Spoke only in the shortcut scenario. By default, the
NHRP shortcut function is disabled.
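How the registration interval, holding time and no-unique settings above interact when a Spoke's public address changes, as an added simplified model that is not Huawei's implementation. The class and function names, the 198.51.100.x sample addresses, and the assumptions that the Hub applies the holding time and that the unique setting travels with the registration are illustrative.

```python
from dataclasses import dataclass

HOLDTIME = 7200        # default holding time of NHRP mapping entries (from the page)
REG_INTERVAL = 1800    # default Spoke registration interval (from the page)


@dataclass
class Entry:
    nbma: str          # public network address of the Spoke
    expires: int       # time in seconds at which the entry ages out
    unique: bool       # False if registered with "nhrp registration no-unique"


class HubTable:
    """Simplified model of the Hub's NHRP mapping table (tunnel address -> Entry)."""

    def __init__(self, auth=None, holdtime=HOLDTIME):
        self.auth, self.holdtime, self.entries = auth, holdtime, {}

    def _age(self, now):
        # Drop every entry whose holding time has run out.
        self.entries = {t: e for t, e in self.entries.items() if e.expires > now}

    def register(self, now, tunnel, nbma, auth=None, unique=True):
        """Process one Registration Request; return 'ok', 'auth-failed' or 'conflict'."""
        self._age(now)
        if auth != self.auth:
            return "auth-failed"      # Hub and Spoke authentication strings must match
        old = self.entries.get(tunnel)
        if old and old.nbma != nbma and old.unique:
            return "conflict"         # default: the existing entry is not overridden
        self.entries[tunnel] = Entry(nbma, now + self.holdtime, unique)
        return "ok"

    def lookup(self, now, tunnel):
        """Return the public address the Hub currently maps to a tunnel address."""
        self._age(now)
        entry = self.entries.get(tunnel)
        return entry.nbma if entry else None


def time_until_new_address_accepted(unique, change_at=600, auth="constructed-string"):
    """A Spoke registers at t=0, its public address changes at change_at, and it
    re-registers then and every REG_INTERVAL seconds afterwards.
    Return (time, attempts) of the first registration the Hub accepts."""
    hub = HubTable(auth=auth)
    assert hub.register(0, "172.16.1.2", "198.51.100.10", auth, unique) == "ok"
    t, attempts = change_at, 0
    while True:
        attempts += 1
        if hub.register(t, "172.16.1.2", "198.51.100.77", auth, unique) == "ok":
            return t, attempts
        t += REG_INTERVAL


if __name__ == "__main__":
    print("default (unique):", time_until_new_address_accepted(True))
    print("no-unique       :", time_until_new_address_accepted(False))
```

In this model the default settings leave the Hub pointing at the old address until the 7200-second holding time runs out, while no-unique accepts the new address at once. With no-unique, the NHRP authentication string and the IPSec profile are what limit who can replace an existing mapping.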


7.3.10.6.6.4 (Optional) Configuring an IPSec Profile
Context

Data transmitted between the central office and a branch, and between branches can be encrypted
to increase data security. Binding an IPSec profile to DSVPN can dynamically establish an
mGRE over IPSec tunnel.

Before configuring an IPSec profile for DSVPN, you need to perform the following operations:

• Create an IKE peer. For details, see Configuring an IKE Peer.
• Create an IPSec proposal. For details, see Configuring an IPSec Proposal.

After completing the preceding configuration, perform the following operations on the Hub and
Spokes.

Procedure

1. Run:
system-view

The system view is displayed.

2. Run:

ipsec profile profile-name

An IPSec profile is created and the IPSec profile view is displayed.

3. Run:

ike-peer peer-name

An IKE peer is bound to the IPSec profile.

4. Run:

proposal proposal-name

An IPSec proposal is bound to the IPSec profile.

5. (Optional) Run:

pfs { dh-group1 | dh-group2 | dh-group5 | dh-group14 }

The perfect forward secrecy (PFS) feature is used in IPSec negotiation.

By default, PFS is not used in IPSec negotiation.

NOTICE:

If PFS is specified on the local end, you also need to specify PFS on the remote peer. The
Diffie-Hellman groups specified on the two ends must be the same. Otherwise, the
negotiation fails.

6. Run:

quit

Return to the system view.

7. Run:

interface tunnel interface-number

The tunnel interface view is displayed.


8. Run:

tunnel-protocol gre p2mp

The tunnel encapsulation mode is configured.

9. Run:

ipsec profile profile-name

The tunnel interface is bound to an IPSec profile.
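A static check for the settings that the mGRE, NHRP and IPSec profile procedures above mark as risky or leave at weak defaults (plain or simple secrets, no NHRP authentication string, no IPSec profile on an mGRE tunnel, PFS unused). It is an added example, not Huawei tooling. The sample configuration, the finding names and the treatment of dh-group1, dh-group2 and dh-group5 as weak are assumptions of this example.

```python
import re

# Constructed sample in the syntax of the commands on this page (not a real device
# configuration). Names, addresses and key material are placeholders.
SAMPLE_CONFIG = """\
ipsec profile branch-prof
 ike-peer hub-peer
 proposal prop1
 pfs dh-group2
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key plain 1234
 nhrp authentication simple Example123
 nhrp registration no-unique
 nhrp entry 172.16.1.1 202.1.1.10 register
#
interface Tunnel0/0/1
 ip address 172.16.2.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet2/0/0
 nhrp authentication cipher PLACEHOLDER-CIPHERTEXT
 ipsec profile branch-prof
#
"""

FINDINGS = {
    "NHRP_AUTH_MISSING": "no NHRP authentication string (the default)",
    "NHRP_AUTH_PLAINTEXT": "'simple' stores the NHRP authentication string in plain text",
    "GRE_KEY_PLAINTEXT": "'plain' stores the GRE key in plain text",
    "NO_IPSEC_PROFILE": "mGRE tunnel has no IPSec profile; NHRP itself does not encrypt",
    "IPSEC_PROFILE_UNDEFINED": "bound IPSec profile is not defined in this configuration",
    "PFS_NOT_USED": "IPSec profile does not use PFS (the default)",
    "PFS_WEAK_GROUP": "PFS uses a DH group below 2048 bits",
    "NO_UNIQUE_UNPROTECTED": "no-unique registration on a tunnel without IPSec",
}
# DH groups 1, 2 and 5 (768/1024/1536-bit MODP) are treated as weak here; this is
# general guidance and not a statement made by the page.
WEAK_DH = {"dh-group1", "dh-group2", "dh-group5"}


def parse_blocks(text):
    """Group a VRP-style configuration into {top-level line: [indented sub-commands]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "#":
            current = None                      # '#' and blank lines end a block
        elif line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks.setdefault(current, [])
    return blocks


def audit(text):
    """Return sorted (interface, finding) pairs for every mGRE (gre p2mp) tunnel."""
    blocks = parse_blocks(text)
    profiles = {h.split()[2]: cmds for h, cmds in blocks.items()
                if re.fullmatch(r"ipsec profile \S+", h)}
    found = set()
    for header, cmds in blocks.items():
        m = re.fullmatch(r"interface\s+(tunnel\s*\S+)", header, re.I)
        if not m or "tunnel-protocol gre p2mp" not in cmds:
            continue
        ifname = re.sub(r"\s+", "", m.group(1))
        auth = [c for c in cmds if c.startswith("nhrp authentication ")]
        if not auth:
            found.add((ifname, "NHRP_AUTH_MISSING"))
        elif any(c.split()[2] == "simple" for c in auth):
            found.add((ifname, "NHRP_AUTH_PLAINTEXT"))
        if any(c.startswith("gre key plain ") for c in cmds):
            found.add((ifname, "GRE_KEY_PLAINTEXT"))
        bound = [c.split()[2] for c in cmds if re.fullmatch(r"ipsec profile \S+", c)]
        if not bound:
            found.add((ifname, "NO_IPSEC_PROFILE"))
            if "nhrp registration no-unique" in cmds:
                found.add((ifname, "NO_UNIQUE_UNPROTECTED"))
        for name in bound:
            prof = profiles.get(name)
            if prof is None:
                found.add((ifname, "IPSEC_PROFILE_UNDEFINED"))
                continue
            pfs = [c.split()[1] for c in prof if c.startswith("pfs ")]
            if not pfs:
                found.add((ifname, "PFS_NOT_USED"))
            elif pfs[0] in WEAK_DH:
                found.add((ifname, "PFS_WEAK_GROUP"))
    return sorted(found)


if __name__ == "__main__":
    for ifname, code in audit(SAMPLE_CONFIG):
        print(f"{ifname}: {code}: {FINDINGS[code]}")
```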


7.3.10.6.6.5 Checking the Configuration


Prerequisites

All DSVPN configurations have been completed.

Procedure

• Run the display nhrp peer command to check NHRP mapping entries.
• Run the display nhrp peer maximum-history command to check the history statistics on
NHRP peer entries.
• Run the display ipsec profile [ brief | name profile-name ] command to check the IPSec
profile configuration.
• Run the display ipsec sa profile profile-name command to check information about the
IPSec SA.


7.3.10.6.7 Maintaining DSVPN


This section describes how to clear and check the DSVPN statistics.
Clearing DSVPN Statistics
Displaying the DSVPN Statistics

7.3.10.6.7.1 Clearing DSVPN Statistics


Context

NOTICE:

Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the
command.

Procedure

• Run the reset nhrp statistics interface tunnel interface-number command in the user view
to clear the NHRP packet statistics on a specified tunnel interface.
• Run the reset nhrp peer maximum-history command in the user view to clear the history
statistics on NHRP peer entries.


7.3.10.6.7.2 Displaying the DSVPN Statistics


Prerequisites

All DSVPN configurations have been completed.

Procedure

• Run the display nhrp statistics interface tunnel interface-number command to check
NHRP packet statistics.


7.3.10.6.8 Configuration Examples


This section describes how to configure DSVPN in different application scenarios when different
routing plans are used.

Example for Configuring Non-Shortcut Scenario of DSVPN (Static Route)


Example for Configuring Non-Shortcut Scenario of DSVPN (RIP)
Example for Configuring Non-Shortcut Scenario of DSVPN (OSPF)
Example for Configuring Non-Shortcut Scenario of DSVPN (BGP)
Example for Configuring Shortcut Scenario of DSVPN (RIP)
Example for Configuring Shortcut Scenario of DSVPN (OSPF)
Example for Configuring Shortcut Scenario of DSVPN (BGP)
Example for Configuring DSVPN NAT traversal
Example for Configuring Dual-Hub DSVPN
Example for configuring IPSec-based DSVPN
Example for Configuring a Dual-Hub DSVPN Protected by IPSec
Example for Configuring a DSVPN Based on the LTE Dialup Status

7.3.10.6.8.1 Example for Configuring Non-Shortcut Scenario of DSVPN (Static Route)
Networking Requirements

A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The network between the Hub and Spokes is stable. The Spokes use
dynamic addresses to connect to the public network.

The enterprise wants to establish a VPN between the Spokes.


Figure 1 Networking diagram for the Non-Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. Static routes can be configured to realize communication between the Hub and Spokes
because the network is stable. This simplifies configuration and maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for interfaces of the Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not mentioned here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure static routes.

# Configure Hub.

[Hub] ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
[Hub] ip route-static 192.168.2.0 255.255.255.0 172.16.1.3

# Configure Spoke1.

[Spoke1] ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
[Spoke1] ip route-static 192.168.2.0 255.255.255.0 172.16.1.3

# Configure Spoke2.

[Spoke2] ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
[Spoke2] ip route-static 192.168.1.0 255.255.255.0 172.16.1.2

4. Configure tunnel interfaces.

Configure tunnel interfaces on Hub and the Spokes, and configure static NHRP mapping
entries of Hub on Spoke1 and Spoke2.

# Configure a tunnel interface on Hub.

[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke1.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] quit

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:10:58
Expire time     : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:55
Expire time     : --

Number of nhrp peers: 1

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:02:02
Expire time     : 01:57:58
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:01:53
Expire time     : 01:59:35

Number of nhrp peers: 2

6. Check the static routes.

Check the static routes on Hub.

Run the display ip routing-table protocol static command on Hub. The command
output is as follows:

[Hub] display ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
         Destinations : 2        Routes : 2        Configured Routes : 2

Static routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.1.0/24  Static  60   0          RD   172.16.1.2      Tunnel0/0/0
    192.168.2.0/24  Static  60   0          RD   172.16.1.3      Tunnel0/0/0

Static routing table status : <Inactive>
         Destinations : 0        Routes : 0

Check the static routes on the Spokes.

# Run the display ip routing-table protocol static command on Spoke1. The command
output is as follows:

[Spoke1] display ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
         Destinations : 2        Routes : 2        Configured Routes : 2

Static routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.0.0/24  Static  60   0          RD   172.16.1.1      Tunnel0/0/0
    192.168.2.0/24  Static  60   0          RD   172.16.1.3      Tunnel0/0/0

Static routing table status : <Inactive>
         Destinations : 0        Routes : 0

# Run the display ip routing-table protocol static command on Spoke2. The command
output is as follows:

[Spoke2] display ip routing-table protocol static
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Public routing table : Static
         Destinations : 2        Routes : 2        Configured Routes : 2

Static routing table status : <Active>
         Destinations : 2        Routes : 2

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

    192.168.0.0/24  Static  60   0          RD   172.16.1.1      Tunnel0/0/0
    192.168.1.0/24  Static  60   0          RD   172.16.1.2      Tunnel0/0/0

Static routing table status : <Inactive>
         Destinations : 0        Routes : 0

7. Run the ping command to check the configuration result.

Ping 192.168.2.1 from Spoke1. The NHRP peer tables then show that Spoke1 and Spoke2 have
learned each other's dynamic NHRP mapping entries.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1
  PING 192.168.2.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:46:35
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:28
Expire time     : 01:59:32
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:28
Expire time     : 01:59:32

Number of nhrp peers: 3

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:43:32
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:47
Expire time     : 01:59:13
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:47
Expire time     : 01:59:13

Number of nhrp peers: 3
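
The verification in steps 5 to 7 can be scripted. The following is an added example, not part of the original guide or of Huawei's tooling: it parses display nhrp peer all output (including a Flag value that has wrapped onto its own line), reports static-route next hops that have no NHRP mapping yet, and flags entries that do not match this example's addressing plan. The function names and the expected Spoke public ranges (SPOKE_NBMA_NETS) are assumptions; the sample tables are rebuilt from the Spoke1 rows shown above.

```python
import ipaddress
import re

# Addressing plan from this page's example.
HUB_PROTO, HUB_NBMA = "172.16.1.1", "202.1.1.10"
TUNNEL_NET = ipaddress.ip_network("172.16.1.0/24")
# Assumption: public ranges the Spokes' dynamic addresses are drawn from.
SPOKE_NBMA_NETS = [ipaddress.ip_network(n) for n in ("202.1.2.0/24", "202.1.3.0/24")]
# Next hops of Spoke1's two static routes (step 3).
SPOKE1_NEXT_HOPS = ["172.16.1.1", "172.16.1.3"]

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(
    rf"^(?P<proto>{IP})\s+(?P<mask>\d+)\s+(?P<nbma>{IP})\s+(?P<nexthop>{IP})\s+"
    r"(?P<type>static|dynamic)\s*(?P<flag>.*)$"
)
FIELD = re.compile(r"^(Tunnel interface|Created time|Expire time)\s*:\s*(.*)$")


def parse_nhrp_peers(text):
    """Parse 'display nhrp peer all' output into a list of dicts, one per peer."""
    peers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank lines and (possibly wrapped) separator rules
        if line.startswith(("Protocol-addr", "Number of nhrp peers")):
            continue
        row = ROW.match(line)
        if row:
            current = {k: v.strip() for k, v in row.groupdict().items()}
            peers.append(current)
            continue
        if current is None:
            continue
        field = FIELD.match(line)
        if field:
            current[field.group(1).lower().replace(" ", "_")] = field.group(2).strip()
        elif not current["flag"]:
            current["flag"] = line  # Flag column wrapped onto its own line
    return peers


def unresolved_next_hops(peers, next_hops):
    """Static-route next hops (tunnel addresses) that have no NHRP mapping yet."""
    known = {p["proto"] for p in peers}
    return [nh for nh in next_hops if nh not in known]


def audit(peers, local_proto):
    """Return findings for entries that do not match the addressing plan."""
    findings = []
    statics = [(p["proto"], p["nbma"]) for p in peers if p["type"] == "static"]
    if statics != [(HUB_PROTO, HUB_NBMA)]:
        findings.append(f"static entries {statics} differ from the configured Hub mapping")
    for p in (p for p in peers if p["type"] == "dynamic"):
        proto, nbma = ipaddress.ip_address(p["proto"]), ipaddress.ip_address(p["nbma"])
        if proto not in TUNNEL_NET or p["proto"] == HUB_PROTO:
            findings.append(f"{p['proto']}: unexpected tunnel address for a dynamic peer")
        if not any(nbma in net for net in SPOKE_NBMA_NETS):
            findings.append(f"{p['proto']}: NBMA address {p['nbma']} outside expected ranges")
        if p["flag"] == "local" and p["proto"] != local_proto:
            findings.append(f"{p['proto']}: 'local' flag on an address that is not this router's")
    return findings


# Sample input: Spoke1's tables before and after the ping, rebuilt from this page.
SEP = "-" * 79
HDR = "Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag"


def _block(row, created, expire):
    return "\n".join([SEP, HDR, SEP, row, SEP, "Tunnel interface: Tunnel0/0/0",
                      f"Created time    : {created}", f"Expire time     : {expire}"])


_HUB_ROW = "172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub"
SPOKE1_BEFORE_PING = _block(_HUB_ROW, "00:10:58", "--") + "\n\nNumber of nhrp peers: 1"
SPOKE1_AFTER_PING = "\n".join([
    _block(_HUB_ROW, "00:46:35", "--"),
    _block("172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel",
           "00:00:28", "01:59:32"),
    _block("172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      local",
           "00:00:28", "01:59:32"),
    "", "Number of nhrp peers: 3"])

if __name__ == "__main__":
    for label, text in (("before ping", SPOKE1_BEFORE_PING), ("after ping", SPOKE1_AFTER_PING)):
        peers = parse_nhrp_peers(text)
        print(label, "unresolved:", unresolved_next_hops(peers, SPOKE1_NEXT_HOPS),
              "findings:", audit(peers, "172.16.1.2"))
```

Before the ping, the next hop 172.16.1.3 of Spoke1's route to 192.168.2.0/24 is unresolved; after the ping it is resolved by the dynamic entry for Spoke2.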

Configuration Files

• Configuration file of Hub

 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
 ip route-static 192.168.2.0 255.255.255.0 172.16.1.3
 #
 return

• Configuration file of Spoke1

 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
 ip route-static 192.168.2.0 255.255.255.0 172.16.1.3
 #
 return

• Configuration file of Spoke2

 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
 ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
 #
 return

7.3.10.6.8.2 Example for Configuring Non-Shortcut Scenario of DSVPN (RIP)

Networking Requirements

A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The networks of the central office and branches frequently change. The
Spokes use dynamic addresses to connect to the public network. Routing Information Protocol
(RIP) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes.

Figure 1 Networking diagram for the Non-Shortcut DSVPN configuration


Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. RIP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.


[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic RIP functions.

# Configure Hub.

[Hub] rip 1
[Hub-rip-1] version 2
[Hub-rip-1] undo summary
[Hub-rip-1] network 172.16.0.0
[Hub-rip-1] quit

# Configure Spoke1.

[Spoke1] rip 1
[Spoke1-rip-1] version 2
[Spoke1-rip-1] network 172.16.0.0
[Spoke1-rip-1] network 192.168.1.0
[Spoke1-rip-1] quit

# Configure Spoke2.

[Spoke2] rip 1
[Spoke2-rip-1] version 2
[Spoke2-rip-1] network 172.16.0.0
[Spoke2-rip-1] network 192.168.2.0
[Spoke2-rip-1] quit

NOTE:

The RIP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

4. Configure tunnel interfaces.


Configure route attributes on Hub to allow Spokes to learn routes from each other.
Configure static NHRP mapping entries of Hub on Spoke1 and Spoke2.

# Configure a tunnel interface and RIP on Hub.

[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] undo rip split-horizon
[Hub-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke1.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] quit

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 17:41:26
Expire time     : --

Number of nhrp peers: 1


# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 17:27:43
Expire time     : --

Number of nhrp peers: 1

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

# Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:46:33
Expire time     : 01:43:27
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:46:17
Expire time     : 01:43:43

Number of nhrp peers: 2

6. Check the RIP routing information.

Check the RIP routing information on Hub.

# Run the display rip 1 route command on Hub. The command output is as follows:

[Hub] display rip 1 route
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 172.16.1.2 on Tunnel0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
       192.168.1.1/32       172.16.1.2      1     0       RA      33
 Peer 172.16.1.3 on Tunnel0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
       192.168.2.1/32       172.16.1.3      1     0       RA       7

Check the RIP routing information on Spoke1 and Spoke2.

# Run the display rip 1 route command on Spoke1. The command output is as follows:

[Spoke1] display rip 1 route
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 172.16.1.1 on Tunnel0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
       192.168.2.1/32       172.16.1.3      2     0       RA      15

# Run the display rip 1 route command on Spoke2. The command output is as follows:

[Spoke2] display rip 1 route
 Route Flags : R - RIP
               A - Aging, G - Garbage-collect
 ----------------------------------------------------------------------------
 Peer 172.16.1.1 on Tunnel0/0/0
      Destination/Mask        Nexthop     Cost   Tag     Flags   Sec
       192.168.1.1/32       172.16.1.2      2     0       RA      21

7. Run the ping command to check the configuration result.

Ping 192.168.2.1 from Spoke1. The NHRP peer tables then show that Spoke1 and Spoke2 have
learned each other's dynamic NHRP mapping entries.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1
  PING 192.168.2.1: 56 data bytes, press CTRL_C to break
    Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=1 ms
    Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
    Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=1 ms

  --- 192.168.2.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/1/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 18:52:27
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:46
Expire time     : 01:59:14
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:46
Expire time     : 01:59:14

Number of nhrp peers: 3


# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 18:34:50
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:01:19
Expire time     : 01:58:41
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:01:19
Expire time     : 01:58:41

Number of nhrp peers: 3

Configuration Files

• Configuration file of Hub

 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 undo rip split-horizon
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry multicast dynamic
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 rip 1
 undo summary
 version 2
 network 172.16.0.0
 #
 return

• Configuration file of Spoke1

 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 rip 1
 version 2
 network 172.16.0.0
 network 192.168.1.0
 #
 return

• Configuration file of Spoke2

 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 rip 1
 version 2
 network 192.168.2.0
 network 172.16.0.0
 #
 return
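
The RIP variant only works if the tunnel interface carries the settings shown in step 4. The following is an added example, not part of the original guide or of Huawei's tooling: a configuration check whose rules are derived from the Hub and Spoke1 configuration files above. The function names are assumptions, and the sample configurations are abridged from this page to the sections the check reads.

```python
import ipaddress
import re

NHRP_REGISTER = re.compile(r"^nhrp entry (\S+) (\S+) register$")


def parse_sections(config):
    """Split a configuration file on '#' lines into {first line: [following lines]}."""
    sections, block = {}, []
    for raw in config.splitlines() + ["#"]:
        line = raw.strip()
        if line in ("#", "return"):
            if block:
                sections[block[0]] = block[1:]
            block = []
        elif line:
            block.append(line)
    return sections


def classful(network):
    """A RIP 'network' statement names a natural (classful) network."""
    first = int(network.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{network}/{prefix}", strict=False)


def lint_rip_dsvpn(config, role, hub=("172.16.1.1", "202.1.1.10")):
    """Check a Hub or Spoke configuration against the settings this example relies on."""
    sections = parse_sections(config)
    rip_nets = [classful(c.split()[1]) for h, cmds in sections.items()
                if h.startswith("rip ") for c in cmds if c.startswith("network ")]
    tunnels = {h: c for h, c in sections.items() if h.startswith("interface Tunnel")}
    if not tunnels:
        return ["no Tunnel interface found"]
    findings = []
    for name, cmds in tunnels.items():
        if "tunnel-protocol gre p2mp" not in cmds:
            findings.append(f"{name}: not an mGRE (gre p2mp) tunnel")
        addr = next((c.split()[2] for c in cmds if c.startswith("ip address ")), None)
        if addr is None or not any(ipaddress.ip_address(addr) in n for n in rip_nets):
            findings.append(f"{name}: tunnel address not covered by a RIP network statement")
        if role == "hub":
            # Without these, Hub does not relay one Spoke's routes to the other.
            for needed in ("nhrp entry multicast dynamic", "undo rip split-horizon"):
                if needed not in cmds:
                    findings.append(f"{name}: missing '{needed}'")
        else:
            regs = [m.groups() for m in map(NHRP_REGISTER.match, cmds) if m]
            if tuple(hub) not in regs:
                findings.append(f"{name}: no 'nhrp entry {hub[0]} {hub[1]} register'")
    return findings


# Abridged from the configuration files on this page.
HUB_CONFIG = """\
#
sysname Hub
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 undo rip split-horizon
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry multicast dynamic
#
rip 1
 undo summary
 version 2
 network 172.16.0.0
#
return
"""

SPOKE1_CONFIG = """\
#
sysname Spoke1
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
#
rip 1
 version 2
 network 172.16.0.0
 network 192.168.1.0
#
return
"""

if __name__ == "__main__":
    print("Hub:", lint_rip_dsvpn(HUB_CONFIG, "hub"))
    print("Spoke1:", lint_rip_dsvpn(SPOKE1_CONFIG, "spoke"))
```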

7.3.10.6.8.3 Example for Configuring Non-Shortcut Scenario of DSVPN (OSPF)

Networking Requirements

A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The networks of the central office and branches frequently change. The
Spokes use dynamic addresses to connect to the public network. Open Shortest Path First
(OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes.


Figure 1 Networking diagram for the Non-Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic OSPF functions.

# Configure Hub.

[Hub] ospf 1 router-id 172.16.1.1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1 router-id 172.16.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

NOTE:

The OSPF configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

4. Configure tunnel interfaces.

Set the OSPF network type to broadcast on Hub and Spokes to allow Spokes to learn
routes from each other. Configure static NHRP mapping entries of Hub on Spoke1 and
Spoke2.

# Configure a tunnel interface and OSPF on Hub.

[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] ospf network-type broadcast
[Hub-Tunnel0/0/0] quit

# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type broadcast
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] ospf network-type broadcast
[Spoke2-Tunnel0/0/0] quit

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 19:19:15
Expire time     : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 19:01:39
Expire time     : --

Number of nhrp peers: 1

NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 02:18:06
Expire time     : 01:41:54
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 02:17:50
Expire time     : 01:42:10

Number of nhrp peers: 2

6. Check OSPF routing information.

Check the OSPF routing information on Hub.

# Run the display ospf 1 routing command on Hub. The command output is as follows:

[Hub] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.1
Routing Tables

Routing for Network
Destination        Cost  Type       NextHop         AdvRouter       Area
172.16.1.0/24      1562  Transit    172.16.1.1      172.16.1.1      0.0.0.0
192.168.1.1/32     1562  Stub       172.16.1.2      172.16.1.2      0.0.0.0
192.168.2.1/32     1562  Stub       172.16.1.3      172.16.1.3      0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.

Run the display ospf 1 routing command on Spoke1. The command output is as follows:

[Spoke1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2
Routing Tables

Routing for Network
Destination        Cost  Type       NextHop         AdvRouter       Area
172.16.1.0/24      1562  Transit    172.16.1.2      172.16.1.2      0.0.0.0
192.168.1.1/32     0     Stub       192.168.1.1     172.16.1.2      0.0.0.0
192.168.2.1/32     1562  Stub       172.16.1.3      172.16.1.3      0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3
Routing Tables

Routing for Network
Destination        Cost  Type       NextHop         AdvRouter       Area
172.16.1.0/24      1562  Transit    172.16.1.3      172.16.1.3      0.0.0.0
192.168.2.1/32     0     Stub       192.168.2.1     172.16.1.3      0.0.0.0
192.168.1.1/32     1562  Stub       172.16.1.2      172.16.1.2      0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

7. Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 19:24:43
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27

Number of nhrp peers: 3

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 19:07:00
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:01:01
Expire time : 01:58:59
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:01:01
Expire time : 01:58:59

Number of nhrp peers: 3

Configuration Files

Configuration file of Hub

#
 sysname Hub
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 nhrp entry multicast dynamic
#
ospf 1 router-id 172.16.1.1
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.0.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.1.0 0.0.0.255
#
return

Configuration file of Spoke1

#
 sysname Spoke1
#
interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 nhrp entry 172.16.1.1 202.1.1.10 register
#
ospf 1 router-id 172.16.1.2
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.2.0 0.0.0.255
#
return

Configuration file of Spoke2

#
 sysname Spoke2
#
interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 nhrp entry 172.16.1.1 202.1.1.10 register
#
ospf 1 router-id 172.16.1.3
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 192.168.2.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.3.0 0.0.0.255
#
return

7.3.10.6.8.4 Example for Configuring Non-Shortcut Scenario of DSVPN (BGP)

Networking Requirements

A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas and belong to different ASs. The networks of the central office and
branches frequently change. The Spokes use dynamic addresses to connect to the public network.
On the enterprise network, Open Shortest Path First (OSPF) is used for intra-AS routing and
External Border Gateway Protocol (EBGP) is used for inter-AS routing.

The enterprise wants to establish a VPN between the Spokes.

Figure 1 Networking diagram for the Non-Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. BGP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.


<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is omitted here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure reachable routes between the ASs.

Configure OSPF to implement reachable routes between Hub and Spokes that are located
in different ASs.

# Configure Hub.

[Hub] ospf 1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

4. Configure basic EBGP functions.

# Configure Hub.

[Hub] bgp 100
[Hub-bgp] router-id 172.16.1.1
[Hub-bgp] import-route ospf 1
[Hub-bgp] peer 172.16.1.2 as-number 200
[Hub-bgp] peer 172.16.1.3 as-number 300
[Hub-bgp] quit

# Configure Spoke1.

[Spoke1] bgp 200
[Spoke1-bgp] router-id 172.16.1.2
[Spoke1-bgp] import-route ospf 1
[Spoke1-bgp] peer 172.16.1.1 as-number 100
[Spoke1-bgp] peer 172.16.1.3 as-number 300
[Spoke1-bgp] quit

# Configure Spoke2.

[Spoke2] bgp 300
[Spoke2-bgp] router-id 172.16.1.3
[Spoke2-bgp] import-route ospf 1
[Spoke2-bgp] peer 172.16.1.1 as-number 100
[Spoke2-bgp] peer 172.16.1.2 as-number 200
[Spoke2-bgp] quit

NOTE:
The basic BGP configuration on a Spoke subnet is given as an example. Perform the
same configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

5. Configure tunnel interfaces.

Configure route attributes on Hub and Spokes to allow Spokes to learn routes from each
other. Configure static NHRP mapping entries of Hub on Spoke1 and Spoke2.

NOTE:

In the non-shortcut scenario, configure BGP and set relevant attributes in the BGP view.

# Configure a tunnel interface on Hub.

[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke1.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] quit

# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] quit

6. Check the BGP routing information.

Check the BGP routing information on Hub.

Run the display bgp routing-table command on Hub. The command output is as
follows:

[Hub] display bgp routing-table

BGP Local router ID is 172.16.1.1
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
              Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 5
     Network            NextHop         MED        LocPrf    PrefVal  Path/Ogn

*>   192.168.0.0        0.0.0.0         0                    0        ?
*>   192.168.1.0        172.16.1.2      0                    0        200?
*                       172.16.1.3                           0        300 200?
*>   192.168.2.0        172.16.1.3      0                    0        300?
*                       172.16.1.2                           0        200 300?

Check the BGP routing information on Spokes.

Run the display bgp routing-table command on Spoke1. The command output is as
follows:

[Spoke1] display bgp routing-table

BGP Local router ID is 172.16.1.2
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
              Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 5
     Network            NextHop         MED        LocPrf    PrefVal  Path/Ogn

*>   192.168.0.0        172.16.1.1      0                    0        100?
*                       172.16.1.3                           0        300 100?
*>   192.168.1.0        0.0.0.0         0                    0        ?
*>   192.168.2.0        172.16.1.3      0                    0        300?
*                       172.16.1.1                           0        100 300?

Run the display bgp routing-table command on Spoke2. The command output is as
follows:

[Spoke2] display bgp routing-table

BGP Local router ID is 172.16.1.3
Status codes: * - valid, > - best, d - damped,
              h - history, i - internal, s - suppressed, S - Stale
              Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 5
     Network            NextHop         MED        LocPrf    PrefVal  Path/Ogn

*>   192.168.0.0        172.16.1.1      0                    0        100?
*                       172.16.1.2                           0        200 100?
*>   192.168.1.0        172.16.1.2      0                    0        200?
*                       172.16.1.1                           0        100 200?
*>   192.168.2.0        0.0.0.0         0                    0        ?

7. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:18:51
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:09
Expire time : 01:52:54

Number of nhrp peers: 2

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:38
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:36
Expire time : 01:52:24
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:36
Expire time : 01:52:24

Number of nhrp peers: 3

NOTE:

When you run the display nhrp peer all command, you can view the static NHRP
mapping entries of Hub and dynamic NHRP mapping entries of each other on Spoke1
and Spoke2. Exchange of BGP packets triggers the Spokes to establish a dynamic tunnel.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:52
Expire time : 01:52:08
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:09
Expire time : 01:59:51

Number of nhrp peers: 2

8. Run the ping command to check the configuration result.

On Spoke1, ping the subnet address 192.168.2.1 of Spoke2.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=3 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/5 ms

NOTE:

After you run the ping command, the NHRP mapping entries in the command output on
Spoke1 and Spoke2 are the same as those displayed in step 7.
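
The display nhrp peer all checks in steps 7 and 8 can be scripted. The following Python code is an added example, not part of the Huawei documentation: it parses the output format shown above, with the Flag column either on the row or wrapped onto the next line, and compares a Spoke's table with the addressing plan. The function names, the PLAN set and the drifted sample are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: Spoke1's table from step 7 with the rules shortened. The
# first row carries its Flag inline; the second keeps the wrapped Flag column.
SAMPLE_SPOKE1 = """\
[Spoke1] display nhrp peer all
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:18:51
Expire time : --
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:07:09
Expire time : 01:52:54

Number of nhrp peers: 2
"""
# Constructed variant that no longer matches the addressing plan.
SAMPLE_DRIFTED = (SAMPLE_SPOKE1
                  .replace("202.1.1.10", "198.51.100.7")
                  .replace("202.1.3.10 172.16.1.3", "202.1.3.10 172.16.1.99"))
PLAN = {"172.16.1.1", "172.16.1.2", "172.16.1.3"}  # tunnel addresses on the page

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROW = re.compile(rf"^{IP}\s+(\d+)\s+{IP}\s+{IP}\s+(static|dynamic)\s*(.*)$")
FIELD = re.compile(r"^(Tunnel interface|Created time|Expire time)\s*:\s*(.+)$")
COUNT = re.compile(r"^Number of nhrp peers:\s*(\d+)$")
ATTR = {"Tunnel interface": "tunnel", "Created time": "created", "Expire time": "expire"}


@dataclass
class NhrpPeer:
    protocol_addr: str
    mask: int
    nbma_addr: str
    nexthop_addr: str
    type: str
    flag: str = ""
    tunnel: str = ""
    created: str = ""
    expire: str = ""


def parse_nhrp_peers(text):
    """Return (entries, peer count reported by the device or None)."""
    peers, reported, want_flag = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or set(line) == {"-"}
                or line.startswith(("[", "<", "Protocol-addr"))):
            continue  # blank line, rule, prompt or column header
        if m := ROW.match(line):
            peers.append(NhrpPeer(m[1], int(m[2]), m[3], m[4], m[5], m[6].strip()))
            want_flag = not peers[-1].flag  # Flag may wrap onto the next line
        elif (m := FIELD.match(line)) and peers:
            setattr(peers[-1], ATTR[m[1]], m[2].strip())
            want_flag = False
        elif m := COUNT.match(line):
            reported = int(m[1])
        elif want_flag:
            peers[-1].flag, want_flag = line, False
    return peers, reported


def audit_spoke(text, hub_tunnel, hub_nbma, tunnel_addrs):
    """Compare a Spoke's NHRP table with the addressing plan; return findings."""
    peers, reported = parse_nhrp_peers(text)
    findings = []
    if reported is not None and reported != len(peers):
        findings.append(f"parsed {len(peers)} entries, device reports {reported}")
    static = [p for p in peers if p.type == "static"]
    if not static:
        findings.append("no static Hub entry present")
    for p in static:
        if (p.protocol_addr, p.nbma_addr) != (hub_tunnel, hub_nbma):
            findings.append(f"static entry {p.protocol_addr} -> {p.nbma_addr} "
                            f"differs from plan {hub_tunnel} -> {hub_nbma}")
    for p in peers:
        if p.nexthop_addr not in tunnel_addrs:
            findings.append(f"entry {p.protocol_addr}: next hop {p.nexthop_addr} "
                            "is not a planned tunnel address")
    return findings


if __name__ == "__main__":
    for name, sample in (("as shown", SAMPLE_SPOKE1), ("drifted", SAMPLE_DRIFTED)):
        print(name, audit_spoke(sample, "172.16.1.1", "202.1.1.10", PLAN))
```

Because the Spokes use dynamic public addresses, the check pins only the Hub's NBMA address and validates dynamic entries by their next-hop tunnel address.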

Configuration Files

Configuration file of Hub

#
 sysname Hub
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry multicast dynamic
#
bgp 100
 router-id 172.16.1.1
 peer 172.16.1.2 as-number 200
 peer 172.16.1.3 as-number 300
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 172.16.1.2 enable
  peer 172.16.1.3 enable
#
ospf 1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.1.0 0.0.0.255
#
return

Configuration file of Spoke1

#
 sysname Spoke1
#
interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 200
 router-id 172.16.1.2
 peer 172.16.1.1 as-number 100
 peer 172.16.1.3 as-number 300
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 172.16.1.1 enable
  peer 172.16.1.3 enable
#
ospf 1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.2.0 0.0.0.255
#
return

Configuration file of Spoke2

#
 sysname Spoke2
#
interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
#
interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 300
 router-id 172.16.1.3
 peer 172.16.1.1 as-number 100
 peer 172.16.1.2 as-number 200
 #
 ipv4-family unicast
  undo synchronization
  import-route ospf 1
  peer 172.16.1.1 enable
  peer 172.16.1.2 enable
#
ospf 1
 area 0.0.0.0
  network 192.168.2.0 0.0.0.255
#
ospf 2
 area 0.0.0.1
  network 202.1.3.0 0.0.0.255
#
return
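
The three configuration files above depend on each other: each Spoke's static NHRP entry must name the Hub's tunnel and public addresses, and every BGP peer statement must carry the AS number the peer actually runs. The following Python code is an added example, not Huawei's code, that checks both. Its inputs are constructed from the page's files, trimmed to the stanzas the check reads and rendered from one template; the function names and the drifted Spoke2 file are assumptions, and the tunnel source is assumed to be an interface with an address in the same file.

```python
import ipaddress

# Constructed input: the page's three configuration files for the BGP example,
# trimmed to the stanzas this check reads and rendered from one template.
TEMPLATE = """\
#
 sysname {name}
#
interface GigabitEthernet1/0/0
 ip address {wan} 255.255.255.0
#
interface Tunnel0/0/0
 ip address {tun} 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp entry {nhrp}
#
bgp {asn}
 peer {p1[0]} as-number {p1[1]}
 peer {p2[0]} as-number {p2[1]}
 #
 ipv4-family unicast
#
return
"""
HUB_MAP = "172.16.1.1 202.1.1.10 register"
HUB = TEMPLATE.format(name="Hub", wan="202.1.1.10", tun="172.16.1.1", asn=100,
                      nhrp="multicast dynamic",
                      p1=("172.16.1.2", 200), p2=("172.16.1.3", 300))
SPOKE1 = TEMPLATE.format(name="Spoke1", wan="202.1.2.10", tun="172.16.1.2", asn=200,
                         nhrp=HUB_MAP, p1=("172.16.1.1", 100), p2=("172.16.1.3", 300))
SPOKE2 = TEMPLATE.format(name="Spoke2", wan="202.1.3.10", tun="172.16.1.3", asn=300,
                         nhrp=HUB_MAP, p1=("172.16.1.1", 100), p2=("172.16.1.2", 200))
# Constructed drift: wrong Hub public address and wrong peer AS on Spoke2.
SPOKE2_BAD = (SPOKE2.replace("202.1.1.10 register", "202.1.1.11 register")
              .replace("172.16.1.2 as-number 200", "172.16.1.2 as-number 250"))


def parse_config(text):
    """Extract the DSVPN-relevant settings from one configuration file."""
    dev = {"name": "", "ifaces": {}, "asn": None, "peers": {}}
    ctx = None  # dict being filled: an interface, the BGP peer map, or nothing
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] in ("#", "return"):
            ctx = None
        elif w[0] == "sysname":
            dev["name"] = w[1]
        elif w[0] == "interface":
            ctx = dev["ifaces"].setdefault(w[1], {})
        elif w[0] == "bgp":
            dev["asn"], ctx = int(w[1]), dev["peers"]
        elif ctx is dev["peers"] and w[0] == "peer" and w[2:3] == ["as-number"]:
            ctx[w[1]] = int(w[3])
        elif ctx is not None and ctx is not dev["peers"]:
            if w[:2] == ["ip", "address"]:
                ctx["ip"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
            elif w[0] == "source":
                ctx["source"] = w[1]
            elif w[:2] == ["nhrp", "entry"] and w[-1] == "register":
                ctx["hub_map"] = (w[2], w[3])  # (Hub tunnel addr, Hub public addr)
            elif w[0] == "tunnel-protocol":
                ctx["proto"] = " ".join(w[1:])
    return dev


def tunnel(dev):
    """Return (p2mp GRE tunnel settings, address of its source interface)."""
    for ifc in dev["ifaces"].values():
        if ifc.get("proto") == "gre p2mp":
            return ifc, dev["ifaces"][ifc["source"]]["ip"]
    raise ValueError(f"{dev['name']}: no p2mp GRE tunnel interface")


def check_dsvpn(hub_text, spoke_texts):
    """Cross-check Hub and Spoke files; return a list of findings."""
    hub, spokes = parse_config(hub_text), [parse_config(t) for t in spoke_texts]
    findings = []
    hub_tun, hub_src = tunnel(hub)
    want = (str(hub_tun["ip"].ip), str(hub_src.ip))
    owner = {str(tunnel(d)[0]["ip"].ip): d for d in [hub] + spokes}
    for s in spokes:
        got = tunnel(s)[0].get("hub_map")
        if got != want:
            findings.append(f"{s['name']}: nhrp entry {got} does not match "
                            f"Hub tunnel/public address {want}")
    for d in [hub] + spokes:
        for peer_ip, asn in d["peers"].items():
            other = owner.get(peer_ip)
            if other is None:
                findings.append(f"{d['name']}: BGP peer {peer_ip} is not a tunnel address")
            elif other["asn"] != asn:
                findings.append(f"{d['name']}: peer {peer_ip} as-number {asn}, "
                                f"but {other['name']} runs bgp {other['asn']}")
    return findings


if __name__ == "__main__":
    print(check_dsvpn(HUB, [SPOKE1, SPOKE2]), check_dsvpn(HUB, [SPOKE1, SPOKE2_BAD]))
```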

7.3.10.6.8.5 Example for Configuring Shortcut Scenario of DSVPN (RIP)

Networking Requirements

A large-scale enterprise has a central office (Hub) and multiple branches which are located in
different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the
central office and branches frequently change. The Spokes use dynamic addresses to connect to
the public network. Routing Information Protocol (RIP) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes.


Figure 1 Networking diagram for the Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. RIP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is omitted here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic RIP functions.

# Configure Hub.

[Hub] rip 1
[Hub-rip-1] version 2
[Hub-rip-1] network 172.16.0.0
[Hub-rip-1] network 192.168.0.0
[Hub-rip-1] quit

# Configure Spoke1.

[Spoke1] rip 1
[Spoke1-rip-1] version 2
[Spoke1-rip-1] network 172.16.0.0
[Spoke1-rip-1] network 192.168.1.0
[Spoke1-rip-1] quit

# Configure Spoke2.

[Spoke2] rip 1
[Spoke2-rip-1] version 2
[Spoke2-rip-1] network 172.16.0.0
[Spoke2-rip-1] network 192.168.2.0
[Spoke2-rip-1] quit

NOTE:

The RIP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

4. Configure tunnel interfaces.

Configure RIP-2 route summarization on Hub and RIP-2 on the Spokes, so that the
Spokes have reachable routes to Hub. Enable the NHRP redirect function on Hub.
Configure NHRP mapping entries of Hub and enable the NHRP shortcut function on
Spoke1 and Spoke2.

# On Hub, configure a tunnel interface, configure RIP, and enable the NHRP redirect
function.

[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] rip version 2 multicast
[Hub-Tunnel0/0/0] rip summary-address 192.168.0.0 255.255.0.0
[Hub-Tunnel0/0/0] nhrp redirect
[Hub-Tunnel0/0/0] quit

NOTE:

When you configure route summarization, the specified summarized address must exist on
the local device. Therefore, a LoopBack address must be configured.

# On Spoke1, configure a tunnel interface, RIP, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] rip version 2 multicast
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface, RIP, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] rip version 2 multicast
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] quit

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 01:02:37
Expire time : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 01:02:23
Expire time : --

Number of nhrp peers: 1

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 01:02:17
Expire time : 01:57:43
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 01:02:08
Expire time : 01:57:52

Number of nhrp peers: 2

6. Check the RIP routing information.

Check the RIP routing information on Hub.

# Run the display rip 1 route command on Hub. The command output is as follows:

[Hub] display rip 1 route
Route Flags : R - RIP
              A - Aging, G - Garbage-collect
----------------------------------------------------------------------------
Peer 172.16.1.2 on Tunnel0/0/0
Destination/Mask        Nexthop         Cost   Tag   Flags   Sec
192.168.1.0/24          172.16.1.2      1      0     RA      15
Peer 172.16.1.3 on Tunnel0/0/0
Destination/Mask        Nexthop         Cost   Tag   Flags   Sec
192.168.2.0/24          172.16.1.3      1      0     RA      28

Check the RIP routing information on Spoke1 and Spoke2.

# Run the display rip 1 route command on Spoke1. The command output is as follows:

[Spoke1] display rip 1 route
Route Flags : R - RIP
              A - Aging, G - Garbage-collect
----------------------------------------------------------------------------
Peer 172.16.1.1 on Tunnel0/0/0
Destination/Mask        Nexthop         Cost   Tag   Flags   Sec
192.168.0.0/16          172.16.1.1      1      0     RA      30

# Run the display rip 1 route command on Spoke2. The command output is as follows:

[Spoke2] display rip 1 route
Route Flags : R - RIP
              A - Aging, G - Garbage-collect
----------------------------------------------------------------------------
Peer 172.16.1.1 on Tunnel0/0/0
Destination/Mask        Nexthop         Cost   Tag   Flags   Sec
192.168.0.0/16          172.16.1.1      1      0     RA      1

7. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static       hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 01:07:00
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.2.1     32    202.1.3.10      172.16.1.3      dynamic      route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:29
Expire time : 01:59:31
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic      route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:29
Expire time : 01:59:31
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type         Flag
-------------------------------------------------------------------------------
192.168.1.1     32    202.1.2.10      172.16.1.2      dynamic      local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:29
Expire time : 01:59:31

Number of nhrp peers: 4


# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 01:07:20
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:56
Expire time : 01:59:04
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:56
Expire time : 01:59:04
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:56
Expire time : 01:59:04

Number of nhrp peers: 4

Configuration Files
 Configuration file of Hub
 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 rip version 2 multicast
 rip summary-address 192.168.0.0 255.255.0.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp redirect
 nhrp entry multicast dynamic
 #
 rip 1
 version 2
 network 172.16.0.0
 network 192.168.0.0
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return
 Configuration file of Spoke1
 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 rip version 2 multicast
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 rip 1
 version 2
 network 172.16.0.0
 network 192.168.1.0
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 return
 Configuration file of Spoke2
 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 rip version 2 multicast
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 rip 1
 version 2
 network 172.16.0.0
 network 192.168.2.0
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 return

7.3.10.6.8.6 Example for Configuring Shortcut Scenario of DSVPN (OSPF)
Networking Requirements
A large-scale enterprise has a central office (Hub) and multiple branches that are located in
different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the
central office and branches frequently change. The Spokes use dynamic addresses to connect to
the public network. Open Shortest Path First (OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes.

Figure 1 Networking diagram for the Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. The shortcut scenario of DSVPN is used because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
provide communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.


# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is not shown here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic OSPF functions.

# Configure Hub.

[Hub] ospf 1 router-id 172.16.1.1


[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1 router-id 172.16.1.2


[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1 router-id 172.16.1.3


[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

NOTE:

The OSPF configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

4. Configure tunnel interfaces.

Set the OSPF network type to Point-to-Multipoint (P2MP) on Hub and Spokes.
Enable the NHRP redirect function on Hub. On Spoke1 and Spoke2, configure NHRP mapping
entries of Hub and enable the NHRP shortcut function.

# On Hub, configure a tunnel interface, configure OSPF, and enable the NHRP redirect
function.

[Hub] interface tunnel 0/0/0


[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] ospf network-type p2mp
[Hub-Tunnel0/0/0] nhrp redirect
[Hub-Tunnel0/0/0] quit

# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke2] interface tunnel 0/0/0


[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] quit

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:46:47
Expire time : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:46:21
Expire time : --

Number of nhrp peers: 1

NOTE:

At this point, the display nhrp peer all command on Spoke1 and Spoke2 shows
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:44:56
Expire time : 01:54:57
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:44:50
Expire time : 01:54:45

Number of nhrp peers: 2

6. Check OSPF routing information.

Check the OSPF routing information on Hub.

# Run the display ospf 1 routing command on Hub. The command output is as follows:

[Hub] display ospf 1 routing


OSPF Process 1 with Router ID 172.16.1.1
Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.1/32 0 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.2/32 1562 Stub 172.16.1.2 172.16.1.2 0.0.0.0
172.16.1.3/32 1562 Stub 172.16.1.3 172.16.1.3 0.0.0.0
192.168.1.1/32 1562 Stub 172.16.1.2 172.16.1.2 0.0.0.0
192.168.2.1/32 1562 Stub 172.16.1.3 172.16.1.3 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.

Run the display ospf 1 routing command on Spoke1. The command output is as follows:

[Spoke1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
172.16.1.2/32 0 Stub 172.16.1.2 172.16.1.2 0.0.0.0
192.168.1.1/32 0 Stub 192.168.1.1 172.16.1.2 0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.3/32 3124 Stub 172.16.1.1 172.16.1.3 0.0.0.0
192.168.2.1/32 3124 Stub 172.16.1.1 172.16.1.3 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables
Routing for Network
Destination Cost Type NextHop AdvRouter Area
172.16.1.3/32 0 Stub 172.16.1.3 172.16.1.3 0.0.0.0
192.168.2.1/32 0 Stub 192.168.2.1 172.16.1.3 0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1 0.0.0.0
172.16.1.2/32 3124 Stub 172.16.1.1 172.16.1.2 0.0.0.0
192.168.1.1/32 3124 Stub 172.16.1.1 172.16.1.2 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

7. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=4 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=9 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/3/9 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:52:18
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27

Number of nhrp peers: 4

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:52:38
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:59
Expire time : 01:59:01
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:59
Expire time : 01:59:01
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:59
Expire time : 01:59:01

Number of nhrp peers: 4
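
The check in step 7 can be automated. The following Python code is an added example, not part of the original Huawei document: it parses the display nhrp peer all output shown above, including Flag values that wrap onto a second line, and reports any entry whose NBMA address differs from the address plan of this example. The function names and the EXPECTED table are assumptions, and the tampered sample is constructed.

```python
import re

# Output of "display nhrp peer all" on Spoke1 after the ping, copied from the
# page with the separator rows shortened. Flag values wrap onto their own line.
SAMPLE = """\
[Spoke1] display nhrp peer all
------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:52:18
Expire time : --
------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
route network
------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27
------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27
------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
------------------------------------------------------------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
local
------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:33
Expire time : 01:59:27

Number of nhrp peers: 4
"""

# Constructed tampered copy (not from the page): one mapping points elsewhere.
TAMPERED = SAMPLE.replace("192.168.2.1 32 202.1.3.10", "192.168.2.1 32 203.0.113.50")

# Tunnel address -> public (NBMA) address, taken from this example's address plan.
EXPECTED = {"172.16.1.1": "202.1.1.10", "172.16.1.2": "202.1.2.10",
            "172.16.1.3": "202.1.3.10"}

IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^(?P<proto>{IP})\s+(?P<mask>\d+)\s+(?P<nbma>{IP})\s+"
                 rf"(?P<nexthop>{IP})\s+(?P<type>static|dynamic)\s*(?P<flag>.*)$")
FIELD = re.compile(r"^(Tunnel interface|Created time|Expire time)\s*:\s*(.*)$")


def parse_nhrp_peers(text):
    """Return one dict per NHRP entry, re-joining Flag text that wrapped."""
    entries, wrapped = [], False
    for line in map(str.strip, text.splitlines()):
        row, field = ROW.match(line), FIELD.match(line)
        if row:
            entries.append(row.groupdict())
            wrapped = True            # the next line may continue the Flag column
        elif field and entries:
            key = field.group(1).lower().replace(" ", "_")
            entries[-1][key] = field.group(2)
            wrapped = False
        elif wrapped and line and set(line) != {"-"}:
            entries[-1]["flag"] = (entries[-1]["flag"] + " " + line).strip()
            wrapped = False
        else:
            wrapped = False
    return entries


def audit(entries, expected):
    """Flag entries whose NBMA address differs from the plan for that next hop."""
    findings = []
    for e in entries:
        want = expected.get(e["nexthop"])
        if want is None:
            findings.append((e["proto"], "unplanned next hop " + e["nexthop"]))
        elif want != e["nbma"]:
            findings.append((e["proto"], f"NBMA {e['nbma']}, expected {want}"))
    return findings


if __name__ == "__main__":
    for label, text in (("page output", SAMPLE), ("tampered", TAMPERED)):
        print(label, audit(parse_nhrp_peers(text), EXPECTED))
```

Because the Spokes in this scenario may obtain their public addresses dynamically, in a real deployment the EXPECTED table may only be able to pin the Hub mapping.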

Configuration Files

 Configuration file of Hub


 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 172.16.1.1
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return
 Configuration file of Spoke1
 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.2
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 return
 Configuration file of Spoke2
 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.3
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 return
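
As an added example (not part of the original Huawei document), the following Python code audits configuration files like the ones above for the settings this shortcut scenario depends on: NHRP redirect on the Hub, NHRP shortcut on each Spoke, and a Spoke registration entry that matches the Hub's tunnel and public addresses. Function names are assumptions, SPOKE_BAD is constructed, and ipsec profile is assumed to be the VRP command that binds an IPSec profile to a tunnel interface; none of the files above contain it, so the GRE tunnels in this example carry traffic unencrypted.

```python
# Tunnel-related blocks of the Hub and Spoke1 configuration files on this page.
HUB = """\
#
sysname Hub
#
interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
#
return
"""
SPOKE1 = """\
#
sysname Spoke1
#
interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
#
interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
#
return
"""
# Constructed faulty spoke (not from the page): shortcut removed, Hub NBMA mistyped.
SPOKE_BAD = (SPOKE1.replace("sysname Spoke1", "sysname SpokeX")
             .replace(" nhrp shortcut\n", "")
             .replace("202.1.1.10 register", "202.1.9.10 register"))


def blocks(cfg):
    """Split a VRP configuration file into the blocks delimited by '#' lines."""
    out, cur = [], []
    for line in map(str.strip, cfg.splitlines()):
        if line in ("#", "return"):
            if cur:
                out.append(cur)
            cur = []
        elif line:
            cur.append(line)
    return out + ([cur] if cur else [])


def device(cfg):
    """Extract sysname, interface addresses and the tunnel interface commands."""
    dev = {"name": None, "ips": {}, "tunnel_if": None, "tunnel": []}
    for blk in blocks(cfg):
        words = blk[0].split()
        if words[0] == "sysname":
            dev["name"] = words[1]
        elif words[0] == "interface":
            for cmd in blk[1:]:
                if cmd.startswith("ip address "):
                    dev["ips"][words[1]] = cmd.split()[2]
            if words[1].startswith("Tunnel"):
                dev["tunnel_if"], dev["tunnel"] = words[1], blk[1:]
    return dev


def audit_shortcut(hub_cfg, spoke_cfgs,
                   common=("tunnel-protocol gre p2mp", "ospf network-type p2mp")):
    """Return (device, finding) pairs for commands the scenario needs but lacks."""
    hub = device(hub_cfg)
    src = next((c.split()[1] for c in hub["tunnel"] if c.startswith("source ")), None)
    register = "nhrp entry %s %s register" % (
        hub["ips"].get(hub["tunnel_if"]), hub["ips"].get(src))
    roles = [(hub, ("nhrp redirect", "nhrp entry multicast dynamic"))]
    roles += [(device(c), ("nhrp shortcut", register)) for c in spoke_cfgs]
    return [(dev["name"], "missing: " + cmd)
            for dev, role_cmds in roles
            for cmd in common + role_cmds if cmd not in dev["tunnel"]]


def tunnels_without_ipsec(cfgs):
    """List devices whose tunnel interface has no IPSec profile bound."""
    return [d["name"] for d in map(device, cfgs)
            if not any(c.startswith("ipsec profile ") for c in d["tunnel"])]


if __name__ == "__main__":
    print(audit_shortcut(HUB, [SPOKE1, SPOKE_BAD]))
    print(tunnels_without_ipsec([HUB, SPOKE1]))
```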

7.3.10.6.8.7 Example for Configuring Shortcut Scenario of DSVPN (BGP)
Networking Requirements

A large-scale enterprise has a central office (Hub) and multiple branches that are located in
different areas and belong to different ASs (this example shows only two Spokes, Spoke1 and
Spoke2). The networks of the central office and branches frequently change. The Spokes use
dynamic addresses to connect to the public network. On the enterprise network, Open Shortest
Path First (OSPF) is used for intra-AS routing and External Border Gateway Protocol (EBGP) is
used for inter-AS routing.

The enterprise wants to establish a VPN between the Spokes.


Figure 1 Networking diagram for the Shortcut DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. The shortcut scenario of DSVPN is used because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. BGP is deployed to
provide communication between the Hub and Spokes and to simplify maintenance.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is not shown here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure reachable routes between the ASs.

Configure OSPF to implement reachable routes between Hub and Spokes that are located
in different ASs.

# Configure Hub.

[Hub] ospf 1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

NOTE:

The BGP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.

When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.

4. Configure basic EBGP functions.

# Configure Hub.

[Hub] bgp 100


[Hub-bgp] router-id 172.16.1.1
[Hub-bgp] import-route ospf 1
[Hub-bgp] peer 172.16.1.2 as-number 200
[Hub-bgp] peer 172.16.1.3 as-number 300
[Hub-bgp] aggregate 192.168.0.0 16 detail-suppressed
[Hub-bgp] quit

NOTE:

When you configure route summarization, the specified summarized address must exist on
the local device. Therefore, a LoopBack address must be configured.

# Configure Spoke1.

[Spoke1] bgp 200


[Spoke1-bgp] router-id 172.16.1.2
[Spoke1-bgp] import-route ospf 1
[Spoke1-bgp] peer 172.16.1.1 as-number 100
[Spoke1-bgp] quit

# Configure Spoke2.

[Spoke2] bgp 300


[Spoke2-bgp] router-id 172.16.1.3
[Spoke2-bgp] import-route ospf 1
[Spoke2-bgp] peer 172.16.1.1 as-number 100
[Spoke2-bgp] quit

5. Configure tunnel interfaces.

Configure route attributes on Hub and Spokes to ensure that the routes from the Spokes
to Hub are reachable. Enable the NHRP redirect function on Hub. Configure NHRP
mapping entries of Hub and enable the NHRP shortcut function on Spoke1 and Spoke2.

NOTE:

In the shortcut scenario, configure BGP and set relevant attributes in the BGP view.

# On Hub, configure a tunnel interface and enable the NHRP redirect function.

[Hub] interface tunnel 0/0/0


[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] nhrp redirect
[Hub-Tunnel0/0/0] quit

# On Spoke1, configure a tunnel interface and a static NHRP mapping entry of Hub, and
enable the NHRP shortcut function.

[Spoke1] interface tunnel 0/0/0


[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface and a static NHRP mapping entry of Hub, and
enable the NHRP shortcut function.

[Spoke2] interface tunnel 0/0/0


[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] quit

6. Check the BGP routing information.

Check the BGP routing information on Hub.

Run the display bgp routing-table command on Hub. The command output is as
follows:

[Hub] display bgp routing-table

BGP Local router ID is 172.16.1.1


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 4


Network NextHop MED LocPrf PrefVal Path/Ogn

*> 192.168.0.0/16 127.0.0.1 0 ?
s> 192.168.0.0 0.0.0.0 0 0 ?
s> 192.168.1.0 172.16.1.2 0 0 200?
s> 192.168.2.0 172.16.1.3 0 0 300?

Check the BGP routing information on Spokes.

Run the display bgp routing-table command on Spoke1. The command output is as
follows:

[Spoke1] display bgp routing-table

BGP Local router ID is 172.16.1.2


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2


Network NextHop MED LocPrf PrefVal Path/Ogn

*> 192.168.0.0/16 172.16.1.1 0 100?
*> 192.168.1.0 0.0.0.0 0 0 ?

Run the display bgp routing-table command on Spoke2. The command output is as
follows:

[Spoke2] display bgp routing-table

BGP Local router ID is 172.16.1.3


Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete

Total Number of Routes: 2


Network NextHop MED LocPrf PrefVal Path/Ogn

*> 192.168.0.0/16 172.16.1.1 0 100?
*> 192.168.2.0 0.0.0.0 0 0 ?

7. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 02:55:39
Expire time : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 02:44:17
Expire time : --

Number of nhrp peers: 1

NOTE:

At this point, the display nhrp peer all command on Spoke1 and Spoke2 shows
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.


Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 02:52:16
Expire time : 01:37:44
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 02:44:33
Expire time : 01:45:28

Number of nhrp peers: 2

8. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:57:04
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.2.1    32    202.1.3.10    172.16.1.3    dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:17
Expire time : 01:59:43
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.3     32    202.1.3.10    172.16.1.3    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:17
Expire time : 01:59:43
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.1.1    32    202.1.2.10    172.16.1.2    dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:17
Expire time : 01:59:43

Number of nhrp peers: 4


# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:45:35
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.1.1    32    202.1.2.10    172.16.1.2    dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:31
Expire time : 01:59:29
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2     32    202.1.2.10    172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:31
Expire time : 01:59:29
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.2.1    32    202.1.3.10    172.16.1.3    dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:31
Expire time : 01:59:29

Number of nhrp peers: 4

Configuration Files
 • Configuration file of Hub
 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp redirect
 nhrp entry multicast dynamic
 #
 bgp 100
 router-id 172.16.1.1
 peer 172.16.1.2 as-number 200
 peer 172.16.1.3 as-number 300
 #
 ipv4-family unicast
 undo synchronization
 import-route ospf 1
 aggregate 192.168.0.0 16 detail-suppressed
 peer 172.16.1.2 enable
 peer 172.16.1.3 enable
 #
 ospf 1
 area 0.0.0.0
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return
 • Configuration file of Spoke1
 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface GigabitEthernet2/0/0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 bgp 200
 router-id 172.16.1.2
 peer 172.16.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization
 import-route ospf 1
 peer 172.16.1.1 enable
 #
 ospf 1
 area 0.0.0.0
 network 192.168.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 return
 • Configuration file of Spoke2
 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface GigabitEthernet2/0/0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 bgp 300
 router-id 172.16.1.3
 peer 172.16.1.1 as-number 100
 #
 ipv4-family unicast
 undo synchronization
 import-route ospf 1
 peer 172.16.1.1 enable
 #
 ospf 1
 area 0.0.0.0
 network 192.168.2.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 return
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.10.6.8.8 Example for Configuring DSVPN NAT Traversal

Networking Requirements

An enterprise has a central office (Hub) and multiple branches located in different
areas (this example shows only two Spokes, Spoke1 and Spoke2). The subnets of the branches
change frequently. The Spokes use addresses translated by NAT devices to connect to the public
network. Open Shortest Path First (OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes.


Figure 1 Networking diagram for DSVPN NAT traversal configuration

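Device  Interface             IP Address
NAT1    GigabitEthernet1/0/0  202.1.2.1/24
NAT1    GigabitEthernet2/0/0  10.1.1.254/24
NAT2    GigabitEthernet1/0/0  202.1.3.1/24
NAT2    GigabitEthernet2/0/0  10.2.2.254/24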

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a translated address to connect to the public network, it does not
know the translated public address of the other Spoke. DSVPN NAT traversal is
implemented to establish a VPN between the Spokes.
2. The shortcut scenario of DSVPN is used because the enterprise has a large number
of branches.
3. The networks of the central office and branches change frequently. OSPF is deployed to
enable communication between the Hub and Spokes and to simplify maintenance.

Procedure
1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is omitted here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on NAT1.

[NAT1] ospf 2
[NAT1-ospf-2] import-route unr
[NAT1-ospf-2] area 0.0.0.1
[NAT1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[NAT1-ospf-2-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[NAT1-ospf-2-area-0.0.0.1] quit
[NAT1-ospf-2] quit

# Configure OSPF on NAT2.

[NAT2] ospf 2
[NAT2-ospf-2] import-route unr
[NAT2-ospf-2] area 0.0.0.1
[NAT2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[NAT2-ospf-2-area-0.0.0.1] network 10.2.2.0 0.0.0.255
[NAT2-ospf-2-area-0.0.0.1] quit
[NAT2-ospf-2] quit
# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 10.2.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure NAT.

Configure addresses before and after NAT traversal.

# Configure NAT1.

[NAT1] interface gigabitethernet 1/0/0
[NAT1-GigabitEthernet1/0/0] nat server global 202.1.2.10 inside 10.1.1.1

# Configure NAT2.

[NAT2] interface gigabitethernet 1/0/0
[NAT2-GigabitEthernet1/0/0] nat server global 202.1.3.10 inside 10.2.2.2

NOTE:

The NAT devices must be configured with a NAT server or static NAT. NAT traversal
cannot be implemented if outbound NAT is configured on the NAT devices.

4. Configure the basic OSPF functions.

# Configure Hub.

[Hub] ospf 1 router-id 172.16.1.1


[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.
[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1 router-id 172.16.1.3


[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

5. Configure tunnel interfaces.

Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hub and Spokes.
Enable the NHRP redirect function on Hub. Configure NHRP mapping entries of Hub
and enable the NHRP shortcut function on Spoke1 and Spoke2.

# On Hub, configure a tunnel interface, configure OSPF, and enable the NHRP redirect
function.

[Hub] interface tunnel 0/0/0


[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] ospf network-type p2mp
[Hub-Tunnel0/0/0] nhrp redirect
[Hub-Tunnel0/0/0] quit

# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke1] interface tunnel 0/0/0


[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.

[Spoke2] interface tunnel 0/0/0


[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] quit

6. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:24:07
Expire time : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:21:56
Expire time : --

Number of nhrp peers: 1

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.


Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2     32    202.1.2.10    172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.1.1.1
Created time : 00:00:12
Expire time : 01:59:58
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.3     32    202.1.3.10    172.16.1.3    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.2.2.2
Created time : 00:00:05
Expire time : 01:59:55

Number of nhrp peers: 2

7. Check OSPF routing information.

Check the OSPF routing information on Hub.

# Run the display ospf 1 routing command on Hub. The command output is as follows:

[Hub] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.1


Routing Tables

Routing for Network


Destination      Cost  Type  NextHop      AdvRouter    Area
172.16.1.1/32    0     Stub  172.16.1.1   172.16.1.1   0.0.0.0
172.16.1.2/32    1562  Stub  172.16.1.2   172.16.1.2   0.0.0.0
172.16.1.3/32    1562  Stub  172.16.1.3   172.16.1.3   0.0.0.0
192.168.1.1/32   1562  Stub  172.16.1.2   172.16.1.2   0.0.0.0
192.168.2.1/32   1562  Stub  172.16.1.3   172.16.1.3   0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.

Run the display ospf 1 routing command on Spoke1. The command output is as follows:

[Spoke1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2


Routing Tables

Routing for Network


Destination      Cost  Type  NextHop      AdvRouter    Area
172.16.1.2/32    0     Stub  172.16.1.2   172.16.1.2   0.0.0.0
192.168.1.1/32   0     Stub  192.168.1.1  172.16.1.2   0.0.0.0
172.16.1.1/32    1562  Stub  172.16.1.1   172.16.1.1   0.0.0.0
172.16.1.3/32    3124  Stub  172.16.1.1   172.16.1.3   0.0.0.0
192.168.2.1/32   3124  Stub  172.16.1.1   172.16.1.3   0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables

Routing for Network


Destination      Cost  Type  NextHop      AdvRouter    Area
172.16.1.3/32    0     Stub  172.16.1.3   172.16.1.3   0.0.0.0
192.168.2.1/32   0     Stub  192.168.2.1  172.16.1.3   0.0.0.0
172.16.1.1/32    1562  Stub  172.16.1.1   172.16.1.1   0.0.0.0
172.16.1.2/32    3124  Stub  172.16.1.1   172.16.1.2   0.0.0.0
192.168.1.1/32   3124  Stub  172.16.1.1   172.16.1.2   0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

8. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=1 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/1/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:39:32
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.2.1    32    202.1.3.10    172.16.1.3    dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.2.2.2
Created time : 00:00:13
Expire time : 01:59:47
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.3     32    202.1.3.10    172.16.1.3    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.2.2.2
Created time : 00:00:13
Expire time : 01:59:47
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.1.1    32    10.1.1.1      172.16.1.2    dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:13
Expire time : 01:59:47

Number of nhrp peers: 4

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:41:08
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.1.1    32    202.1.2.10    172.16.1.2    dynamic  route network
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.1.1.1
Created time : 00:00:52
Expire time : 01:59:08
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2     32    202.1.2.10    172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.1.1.1
Created time : 00:00:52
Expire time : 01:59:08
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
192.168.2.1    32    10.2.2.2      172.16.1.3    dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:52
Expire time : 01:59:08

Number of nhrp peers: 4
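
The manual check of steps 6 and 8 can be automated. The following Python script is an added example, not part of the original manual: it parses display nhrp peer all output from the Hub and compares each dynamic entry's NBMA-addr and Before NAT NBMA-addr with the nat server global ... inside ... mappings from step 3, reporting registrations that match no configured mapping. The function names are hypothetical, and the third peer in the sample (172.16.1.4 / 203.0.113.50) is constructed to show a finding.

```python
import re

# One entry row: protocol addr, mask, NBMA addr, next hop, type, optional flag.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(static|dynamic)\s*(.*)$"
)
NAT_SERVER = re.compile(r"nat server global (\S+) inside (\S+)")
DETAIL_KEYS = {
    "Tunnel interface": "tunnel",
    "Before NAT NBMA-addr": "before_nat",
    "Created time": "created",
    "Expire time": "expire",
}

SEP = "-" * 79
HEADER = "Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag"

# Constructed sample: the two Hub entries shown in step 6, plus one entry
# (172.16.1.4) that is NOT on the page and matches no NAT mapping.
HUB_OUTPUT = f"""\
{SEP}
{HEADER}
{SEP}
172.16.1.2     32    202.1.2.10    172.16.1.2    dynamic  route tunnel
{SEP}
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.1.1.1
Created time : 00:00:12
Expire time : 01:59:58
{SEP}
{HEADER}
{SEP}
172.16.1.3     32    202.1.3.10    172.16.1.3    dynamic  route tunnel
{SEP}
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.2.2.2
Created time : 00:00:05
Expire time : 01:59:55
{SEP}
{HEADER}
{SEP}
172.16.1.4     32    203.0.113.50  172.16.1.4    dynamic  route tunnel
{SEP}
Tunnel interface: Tunnel0/0/0
Before NAT NBMA-addr: 10.9.9.9
Created time : 00:00:03
Expire time : 01:59:57

Number of nhrp peers: 3
"""

# NAT mappings as configured on NAT1 and NAT2 in step 3.
NAT_CONFIG = """\
nat server global 202.1.2.10 inside 10.1.1.1
nat server global 202.1.3.10 inside 10.2.2.2
"""


def parse_nhrp_peers(text):
    """Return one dict per NHRP entry; tolerates a flag wrapped onto the next line."""
    peers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line.startswith("Protocol-addr"):
            continue
        m = ROW.match(line)
        if m:
            cur = dict(zip(("protocol", "mask", "nbma", "next_hop", "type", "flag"),
                           m.groups()))
            cur["mask"] = int(cur["mask"])
            peers.append(cur)
            continue
        key, sep, value = line.partition(":")
        if sep and cur is not None and key.strip() in DETAIL_KEYS:
            cur[DETAIL_KEYS[key.strip()]] = value.strip()
        elif not sep and cur is not None and "tunnel" not in cur:
            # Flag text that a narrow terminal or extraction wrapped below the row.
            cur["flag"] = (cur["flag"] + " " + line).strip()
    return peers


def parse_nat_servers(config_text):
    """Map each NAT global address to its inside address."""
    return dict(NAT_SERVER.findall(config_text))


def audit_hub_peers(peers, nat_map):
    """Return (protocol_addr, reason) for dynamic entries that break the NAT plan."""
    findings = []
    for p in peers:
        if p["type"] != "dynamic":
            continue
        expected = nat_map.get(p["nbma"])
        seen = p.get("before_nat")
        if expected is None:
            findings.append((p["protocol"],
                             f"NBMA {p['nbma']} is not a configured NAT global address"))
        elif seen != expected:
            findings.append((p["protocol"],
                             f"Before NAT NBMA {seen} does not match expected {expected}"))
    return findings


if __name__ == "__main__":
    for addr, reason in audit_hub_peers(parse_nhrp_peers(HUB_OUTPUT),
                                        parse_nat_servers(NAT_CONFIG)):
        print(f"{addr}: {reason}")
```
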

Configuration Files

 • Configuration file of Hub
 #
 sysname Hub
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 172.16.1.1
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return
 • Configuration file of Spoke1
 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 10.1.1.1 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.2
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 10.1.1.0 0.0.0.255
 #
 return
 • Configuration file of Spoke2
 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 10.2.2.2 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.3
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 10.2.2.0 0.0.0.255
 #
 return
 • Configuration file of NAT1
 #
 sysname NAT1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.1 255.255.255.0
 nat server global 202.1.2.10 inside 10.1.1.1
 #
 interface GigabitEthernet2/0/0
 ip address 10.1.1.254 255.255.255.0
 #
 ospf 2
 import-route unr
 area 0.0.0.1
 network 10.1.1.0 0.0.0.255
 network 202.1.2.0 0.0.0.255
 #
 return
 • Configuration file of NAT2
 #
 sysname NAT2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.1 255.255.255.0
 nat server global 202.1.3.10 inside 10.2.2.2
 #
 interface GigabitEthernet2/0/0
 ip address 10.2.2.254 255.255.255.0
 #
 ospf 2
 import-route unr
 area 0.0.0.1
 network 10.2.2.0 0.0.0.255
 network 202.1.3.0 0.0.0.255
 #
 return

7.3.10.6.8.9 Example for Configuring Dual-Hub DSVPN

Networking Requirements

A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches
located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The
networks of the central office and branches change frequently. The Spokes use dynamic
addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the
enterprise network.

The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.

Figure 1 Networking diagram for dual-Hub DSVPN configuration

Configuration Roadmap
The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. The shortcut scenario of DSVPN is used because the enterprise has a large number
of branches.
3. The networks of the central office and branches change frequently. OSPF is deployed to
enable communication between the Hub and Spokes and to simplify maintenance.
4. Dual-Hub DSVPN is implemented to provide redundant backup by using Hub2.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub1.

<Huawei> system-view
[Huawei] sysname Hub1
[Hub1] interface gigabitethernet 1/0/0
[Hub1-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub1-GigabitEthernet1/0/0] quit
[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub1-Tunnel0/0/0] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub1-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1, Spoke2, and Hub2 as shown in Figure
1. The detailed configuration is omitted here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub1.

[Hub1] ospf 2
[Hub1-ospf-2] area 0.0.0.1
[Hub1-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.1] quit
[Hub1-ospf-2] quit

# Configure OSPF on Hub2.

[Hub2] ospf 2
[Hub2-ospf-2] area 0.0.0.1
[Hub2-ospf-2-area-0.0.0.1] network 202.1.254.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.1] quit
[Hub2-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic OSPF functions.

# Configure Hub1.

[Hub1] ospf 1 router-id 172.16.1.1


[Hub1-ospf-1] area 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit

# Configure the basic OSPF functions on Hub2.

[Hub2] ospf 1 router-id 172.16.1.254


[Hub2-ospf-1] area 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1 router-id 172.16.1.2


[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.
[Spoke2] ospf 1 router-id 172.16.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

4. Configure tunnel interfaces.

Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hubs and Spokes.
Enable the NHRP redirect function on Hub1 and Hub2. Configure NHRP mapping
entries of Hubs and enable the NHRP shortcut function on Spoke1 and Spoke2.

# Configure a tunnel interface and OSPF on Hub1 and enable the NHRP redirect
function.

[Hub1] interface tunnel 0/0/0


[Hub1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub1-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub1-Tunnel0/0/0] ospf network-type p2mp
[Hub1-Tunnel0/0/0] ospf cost 1000
[Hub1-Tunnel0/0/0] nhrp redirect
[Hub1-Tunnel0/0/0] quit

# Configure a tunnel interface and OSPF on Hub2 and enable the NHRP redirect
function.

[Hub2] interface tunnel 0/0/0


[Hub2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub2-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub2-Tunnel0/0/0] ospf network-type p2mp
[Hub2-Tunnel0/0/0] ospf cost 3000
[Hub2-Tunnel0/0/0] nhrp redirect
[Hub2-Tunnel0/0/0] quit

# Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on
Spoke1, and enable the NHRP shortcut function.

[Spoke1] interface tunnel 0/0/0


[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.254 202.1.254.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] nhrp registration interval 300
[Spoke1-Tunnel0/0/0] quit

# Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on
Spoke2, and enable the NHRP shortcut function.
[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.254 202.1.254.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] nhrp registration interval 300
[Spoke2-Tunnel0/0/0] quit

NOTE:

o Configure different OSPF cost values on Hub1 and Hub2 to ensure that the
Spokes prefer Hub1 as the next-hop device.
o When Hub1 recovers, it resumes forwarding OSPF protocol packets once it receives
NHRP Registration Request packets from the Spokes. The Spokes learn routes to
Hub1 again after the routes they have already learned age out. Set the interval for
sending NHRP Registration Request packets to a suitable value so that the
Spokes can quickly detect that Hub1 has recovered. The default interval is 1800 seconds.

5. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:35:50
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.254   32    202.1.254.10  172.16.1.254  static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:32:49
Expire time : --

Number of nhrp peers: 2

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.1     32    202.1.1.10    172.16.1.1    static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 05:36:30
Expire time : --
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.254   32    202.1.254.10  172.16.1.254  static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 04:33:14
Expire time : --

Number of nhrp peers: 2

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entries of Hub1 and Hub2.

On the Hubs, check the NHRP mapping entries of Spoke1 and Spoke2.

# Run the display nhrp peer all command on Hub1. The command output is as follows:

[Hub1] display nhrp peer all


-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.3     32    202.1.3.10    172.16.1.3    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:52
Expire time : 01:59:12
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2     32    202.1.2.10    172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 02:59:32
Expire time : 01:59:09

Number of nhrp peers: 2

# Run the display nhrp peer all command on Hub2. The command output is as follows:

[Hub2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:21:09
Expire time : 01:59:51
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:14:13
Expire time : 01:59:48

Number of nhrp peers: 2

6. Check OSPF routing information.

Check the OSPF routing information on Hubs.

# Run the display ospf 1 routing command on Hub1. The command output is as follows:

[Hub1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.1


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.1/32 0 Stub 172.16.1.1 172.16.1.1
0.0.0.0
172.16.1.2/32 1000 Stub 172.16.1.2 172.16.1.2
0.0.0.0
172.16.1.3/32 5562 Stub 172.16.1.2 172.16.1.3
0.0.0.0
172.16.1.254/32 2562 Stub 172.16.1.2 172.16.1.254
0.0.0.0
192.168.1.1/32 1000 Stub 172.16.1.2 172.16.1.2
0.0.0.0
192.168.2.1/32 5562 Stub 172.16.1.2 172.16.1.3
0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

# Run the display ospf 1 routing command on Hub2. The command output is as follows:

[Hub2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.254


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.254/32 0 Stub 172.16.1.254 172.16.1.254
0.0.0.0
172.16.1.1/32 4562 Stub 172.16.1.3 172.16.1.1
0.0.0.0
172.16.1.2/32 5562 Stub 172.16.1.3 172.16.1.2
0.0.0.0
172.16.1.3/32 3000 Stub 172.16.1.3 172.16.1.3
0.0.0.0
192.168.1.1/32 5562 Stub 172.16.1.3 172.16.1.2
0.0.0.0
192.168.2.1/32 3000 Stub 172.16.1.3 172.16.1.3
0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.

# Run the display ospf 1 routing command on Spoke1. The command output is as
follows:

[Spoke1] display ospf 1 routing


OSPF Process 1 with Router ID 172.16.1.2
Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.2/32 0 Stub 172.16.1.2 172.16.1.2
0.0.0.0
192.168.1.1/32 0 Stub 192.168.1.1 172.16.1.2
0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1
0.0.0.0
172.16.1.3/32 2562 Stub 172.16.1.1 172.16.1.3
0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254
0.0.0.0
192.168.2.1/32 2562 Stub 172.16.1.1 172.16.1.3
0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

# Run the display ospf 1 routing command on Spoke2. The command output is as
follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.3/32 0 Stub 172.16.1.3 172.16.1.3
0.0.0.0
192.168.2.1/32 0 Stub 192.168.2.1 172.16.1.3
0.0.0.0
172.16.1.1/32 1562 Stub 172.16.1.1 172.16.1.1
0.0.0.0
172.16.1.2/32 2562 Stub 172.16.1.1 172.16.1.2
0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254
0.0.0.0
192.168.1.1/32 2562 Stub 172.16.1.1 172.16.1.2
0.0.0.0

Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0

7. Run the ping command to check the configuration result.


Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 05:42:50
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:39:49
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:19
Expire time : 01:59:41

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 05:43:19
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:40:03
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:45
Expire time : 01:59:15

Number of nhrp peers: 5

8. Shut down the physical interface GE1/0/0 of Hub1 and check the OSPF routing information.

# Run the shutdown command on the interface GE1/0/0 of Hub1.

[Hub1] interface gigabitethernet 1/0/0


[Hub1-GigabitEthernet1/0/0] shutdown
[Hub1-GigabitEthernet1/0/0] quit

Check the routing entries on the Spokes after Hub1 fails. The next hop switches to Hub2.

# Run the display ospf 1 routing command on Spoke1. The command output is as
follows:

[Spoke1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.2/32 0 Stub 172.16.1.2 172.16.1.2
0.0.0.0
192.168.1.1/32 0 Stub 192.168.1.1 172.16.1.2
0.0.0.0
172.16.1.3/32 4562 Stub 172.16.1.254 172.16.1.3
0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254
0.0.0.0
192.168.2.1/32 4562 Stub 172.16.1.254 172.16.1.3
0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

# Run the display ospf 1 routing command on Spoke2. The command output is as
follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter
Area
172.16.1.3/32 0 Stub 172.16.1.3 172.16.1.3
0.0.0.0
192.168.2.1/32 0 Stub 192.168.2.1 172.16.1.3
0.0.0.0
172.16.1.2/32 4562 Stub 172.16.1.254 172.16.1.2
0.0.0.0
172.16.1.254/32 1562 Stub 172.16.1.254 172.16.1.254
0.0.0.0
192.168.1.1/32 4562 Stub 172.16.1.254 172.16.1.2
0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

9. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

NOTICE:

Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/2 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 05:46:29
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:43:28
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:22
Expire time : 01:59:38

Number of nhrp peers: 5

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 05:46:54
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.254 32 202.1.254.10 172.16.1.254 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:43:38
Expire time : --
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.1.1 32 202.1.2.10 172.16.1.2 dynamic
route network
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
192.168.2.1 32 202.1.3.10 172.16.1.3 dynamic
local
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:43
Expire time : 01:59:17

Number of nhrp peers: 5

NOTE:

Run the undo nhrp peer command to clear the NHRP mapping entries existing on the
Spokes before running the ping command.

Configuration Files

 Configuration file of Hub1


 #
 sysname Hub1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf cost 1000
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 172.16.1.1
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return

 Configuration file of Hub2
 #
 sysname Hub2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.254.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.2 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.254 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf cost 3000
 ospf network-type p2mp
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 172.16.1.254
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.254.0 0.0.0.255
 #
 return

 Configuration file of Spoke1
 #
 sysname Spoke1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 172.16.1.1 202.1.1.10 register
 nhrp entry 172.16.1.254 202.1.254.10 register
 #
 ospf 1 router-id 172.16.1.2
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 return

 Configuration file of Spoke2
 #
 sysname Spoke2
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type p2mp
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 172.16.1.1 202.1.1.10 register
 nhrp entry 172.16.1.254 202.1.254.10 register
 #
 ospf 1 router-id 172.16.1.3
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 return
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.10.6.8.10 Example for configuring IPSec-based DSVPN

Networking Requirements

A large-scale enterprise has a central office (Hub) and multiple branches located in
different areas (this example shows only two Spokes: Spoke1 and Spoke2). The networks of the
central office and branches change frequently. The Spokes use dynamic addresses to connect to
the public network. Open Shortest Path First (OSPF) is used on the enterprise network.

The enterprise wants to establish a VPN between the Spokes and to encrypt data transmitted
between the Hub and the Spokes, and between the Spokes, to increase data security.

Figure 1 Networking diagram for IPSec-based DSVPN configuration

Configuration Roadmap

The configuration roadmap is as follows:

1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
4. IPSec-based DSVPN is implemented to encrypt data transmitted between the central
office and branches, and between branches.

Procedure

1. Assign an IP address to each interface.

Configure IP addresses for the interfaces of each Router.

# Configure IP addresses for interfaces of Hub.

<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit

Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
detailed configuration is not provided here.

2. Configure routes between the Routers.

# Configure OSPF on each Router to provide reachable routes to the public network.

# Configure OSPF on Hub.

[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure the basic OSPF functions.

# Configure Hub.

[Hub] ospf 1 router-id 172.16.1.1


[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1 router-id 172.16.1.2


[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1 router-id 172.16.1.3


[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

4. Configure IKE proposals.

On Hub, Spoke1, and Spoke2, configure IKE proposals and set the same authentication
mode.

# Configure Hub.

[Hub] ike proposal 1


[Hub-ike-proposal-1] dh group5
[Hub-ike-proposal-1] authentication-algorithm aes-xcbc-mac-96
[Hub-ike-proposal-1] prf aes-xcbc-128
[Hub-ike-proposal-1] quit

# Configure Spoke1.

[Spoke1] ike proposal 1


[Spoke1-ike-proposal-1] dh group5
[Spoke1-ike-proposal-1] authentication-algorithm aes-xcbc-mac-96
[Spoke1-ike-proposal-1] prf aes-xcbc-128
[Spoke1-ike-proposal-1] quit

# Configure Spoke2.

[Spoke2] ike proposal 1


[Spoke2-ike-proposal-1] dh group5
[Spoke2-ike-proposal-1] authentication-algorithm aes-xcbc-mac-96
[Spoke2-ike-proposal-1] prf aes-xcbc-128
[Spoke2-ike-proposal-1] quit

5. Configure IKE peers.

Configure IKE peers used during IKE negotiation on Hub, Spoke1, and Spoke2.

# Configure Hub.

[Hub] ike peer hub v2


[Hub-ike-peer-hub] ike-proposal 1
[Hub-ike-peer-hub] pre-shared-key cipher Huawei@1234
[Hub-ike-peer-hub] dpd type periodic
[Hub-ike-peer-hub] dpd idle-time 40
[Hub-ike-peer-hub] quit

# Configure Spoke1.

[Spoke1] ike peer spoke1 v2


[Spoke1-ike-peer-spoke1] ike-proposal 1
[Spoke1-ike-peer-spoke1] pre-shared-key cipher Huawei@1234
[Spoke1-ike-peer-spoke1] dpd type periodic
[Spoke1-ike-peer-spoke1] dpd idle-time 40
[Spoke1-ike-peer-spoke1] quit

# Configure Spoke2.

[Spoke2] ike peer spoke2 v2


[Spoke2-ike-peer-spoke2] ike-proposal 1
[Spoke2-ike-peer-spoke2] pre-shared-key cipher Huawei@1234
[Spoke2-ike-peer-spoke2] dpd type periodic
[Spoke2-ike-peer-spoke2] dpd idle-time 40
[Spoke2-ike-peer-spoke2] quit

6. Create IPSec proposals.

Configure IPSec proposals on Hub, Spoke1, and Spoke2.

# Configure Hub.

[Hub] ipsec proposal pro1


[Hub-ipsec-proposal-pro1] transform ah-esp
[Hub-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Hub-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Hub-ipsec-proposal-pro1] quit

# Configure Spoke1.

[Spoke1] ipsec proposal pro1


[Spoke1-ipsec-proposal-pro1] transform ah-esp
[Spoke1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Spoke1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Spoke1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Spoke1-ipsec-proposal-pro1] quit

# Configure Spoke2.

[Spoke2] ipsec proposal pro1


[Spoke2-ipsec-proposal-pro1] transform ah-esp
[Spoke2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Spoke2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Spoke2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Spoke2-ipsec-proposal-pro1] quit

Run the display ipsec proposal command on Hub, Spoke1, and Spoke2 to view the
configuration. The output on Hub is used as an example.

[Hub] display ipsec proposal

Number of proposals: 1

IPSec proposal name: pro1


Encapsulation mode: Tunnel
Transform : ah-esp-new
AH protocol : Authentication SHA2-HMAC-256
ESP protocol : Authentication SHA2-HMAC-256
Encryption AES-192

7. Configure IPSec profiles.

Configure IPSec profiles on Hub, Spoke1, and Spoke2.

# Configure Hub.

[Hub] ipsec profile profile1


[Hub-ipsec-profile-profile1] ike-peer hub
[Hub-ipsec-profile-profile1] proposal pro1
[Hub-ipsec-profile-profile1] quit

# Configure Spoke1.

[Spoke1] ipsec profile profile1


[Spoke1-ipsec-profile-profile1] ike-peer spoke1
[Spoke1-ipsec-profile-profile1] proposal pro1
[Spoke1-ipsec-profile-profile1] quit

# Configure Spoke2.

[Spoke2] ipsec profile profile1


[Spoke2-ipsec-profile-profile1] ike-peer spoke2
[Spoke2-ipsec-profile-profile1] proposal pro1
[Spoke2-ipsec-profile-profile1] quit

8. Configure tunnel interfaces.

Set the OSPF network type to broadcast on Hub and the Spokes. Configure a static
NHRP mapping entry of Hub on Spoke1 and Spoke2. Apply the IPSec
profiles to the mGRE interfaces of Hub, Spoke1, and Spoke2.

# On Hub, configure a tunnel interface, configure OSPF, and apply the IPSec profile.

[Hub] interface tunnel 0/0/0


[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub-Tunnel0/0/0] ospf network-type broadcast
[Hub-Tunnel0/0/0] ipsec profile profile1
[Hub-Tunnel0/0/0] quit

# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and apply the IPSec profile.

[Spoke1] interface tunnel 0/0/0


[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type broadcast
[Spoke1-Tunnel0/0/0] ipsec profile profile1
[Spoke1-Tunnel0/0/0] quit

# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and apply the IPSec profile.

[Spoke2] interface tunnel 0/0/0


[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] ospf network-type broadcast
[Spoke2-Tunnel0/0/0] ipsec profile profile1
[Spoke2-Tunnel0/0/0] quit

9. Verify the IPSec configuration.

Run the display ipsec profile command on Hub, Spoke1, and Spoke2 to view the
configuration. The output on Hub is used as an example.

[Hub] display ipsec profile


===========================================
IPSec profile : profile1
Using interface: Tunnel0/0/0
===========================================
IPSec Profile Name :profile1
Peer Name :hub
PFS Group :0 (0:Disable 1:Group1 2:Group2 5:Group5
14:Group14)
SecondsFlag :0 (0:Global 1:Local)
SA Life Time Seconds :3600
KilobytesFlag :0 (0:Global 1:Local)
SA Life Kilobytes :1843200
Anti-replay window size :32
Qos pre-classify :0 (0:Disable 1:Enable)
Number of IPSec Proposals :1
IPSec Proposals Name :pro1
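
The settings entered in steps 4 to 8 can be reviewed offline before rollout. The following Python script is an added example, not part of the Huawei documentation: it reads the prompt-and-command lines of this procedure plus the display ipsec profile output and reports the Diffie-Hellman group strength, pre-shared key reuse, mGRE tunnels without an IPSec profile, and disabled PFS. The function names, finding codes and the 2048-bit floor are assumptions of this example.

```python
import re

MODP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048}  # groups named in the PFS legend of the output
MIN_DH_BITS = 2048               # assumption: review policy floor, not a device default
DOCUMENTED_KEYS = {"Huawei@1234"}  # key printed in this configuration example
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s+(.+)$")

# Command lines copied from steps 4 to 8 of this example (subset per device).
SESSION = """\
[Hub-ike-proposal-1] dh group5
[Hub-ike-proposal-1] authentication-algorithm aes-xcbc-mac-96
[Hub-ike-peer-hub] pre-shared-key cipher Huawei@1234
[Hub-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub-Tunnel0/0/0] ipsec profile profile1
[Spoke1-ike-proposal-1] dh group5
[Spoke1-ike-peer-spoke1] pre-shared-key cipher Huawei@1234
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] ipsec profile profile1
[Spoke2-ike-proposal-1] dh group5
[Spoke2-ike-peer-spoke2] pre-shared-key cipher Huawei@1234
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] ipsec profile profile1
"""

# Copied from the display ipsec profile output in step 9.
PROFILE_OUTPUT = """\
IPSec Profile Name :profile1
Peer Name :hub
PFS Group :0 (0:Disable 1:Group1 2:Group2 5:Group5
14:Group14)
"""


def parse_session(text):
    """Return {device: [(view, command), ...]} from '[Device-view] command' lines.

    Assumes the sysname itself contains no hyphen, as in this example.
    """
    devices = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            devices.setdefault(m.group(1), []).append((m.group(2) or "", m.group(3).strip()))
    return devices


def audit(session, profile_output=""):
    """Return a list of (device, code, message) findings."""
    findings, key_users = [], {}
    for dev, cmds in parse_session(session).items():
        mgre, protected = set(), set()
        for view, cmd in cmds:
            m = re.fullmatch(r"dh group(\d+)", cmd)
            if m:
                bits = MODP_BITS.get(int(m.group(1)))
                if bits is not None and bits < MIN_DH_BITS:
                    findings.append((dev, "WEAK_DH", f"{cmd} is a {bits}-bit MODP group"))
            m = re.fullmatch(r"pre-shared-key \S+ (\S+)", cmd)
            if m:
                key_users.setdefault(m.group(1), set()).add(dev)
            if cmd == "tunnel-protocol gre p2mp":
                mgre.add(view)
            if cmd.startswith("ipsec profile "):
                protected.add(view)
        # An mGRE interface with no profile applied carries tunnel traffic in clear.
        for view in sorted(mgre - protected):
            findings.append((dev, "NO_IPSEC", f"{view} is mGRE without an IPSec profile"))
    for key, devs in key_users.items():
        names = ",".join(sorted(devs))
        if len(devs) > 1:
            # One compromised Spoke exposes the key that authenticates every tunnel.
            findings.append((names, "SHARED_PSK", f"same pre-shared key on {len(devs)} devices"))
        if key in DOCUMENTED_KEYS:
            findings.append((names, "DOC_PSK", "pre-shared key is the one printed in the manual"))
    pfs = re.search(r"PFS Group\s*:\s*(\d+)", profile_output)
    name = re.search(r"IPSec Profile Name\s*:\s*(\S+)", profile_output)
    if pfs and pfs.group(1) == "0":
        findings.append((name.group(1) if name else "?", "NO_PFS", "PFS is disabled for this profile"))
    return findings


if __name__ == "__main__":
    for device, code, message in audit(SESSION, PROFILE_OUTPUT):
        print(f"{code:<10} {device:<18} {message}")
```

The findings never echo the key itself, so the report can be attached to a change ticket.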

10. Verify the configuration.

After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:51:11
Expire time : --

Number of nhrp peers: 1

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all


-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.1 32 202.1.1.10 172.16.1.1 static hub
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 04:51:23
Expire time : --

Number of nhrp peers: 1

NOTE:

If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.

On Hub, check the NHRP mapping entries of Spoke1 and Spoke2.

# Run the display nhrp peer all command on Hub. The command output is as follows:

[Hub] display nhrp peer all

-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:02:59
Expire time : 01:57:01
-----------------------------------------------------------------------
--------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
--------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
--------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:52
Expire time : 01:59:15

Number of nhrp peers: 2
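
An NHRP entry only shows that a peer registered; it does not show that traffic to that peer is encrypted. The following Python script is an added example, not part of the Huawei documentation: it parses display nhrp peer all output (including rows whose Flag column wrapped onto the next line) and checks that every peer's NBMA address appears as a Tunnel remote with inbound and outbound ESP SAs in display ipsec sa output, the command run in step 11. The function names are assumptions, and the SA text is a constructed abridgement that keeps only the fields the check reads.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(rf"^({IP})\s+(\d+)\s+({IP})\s+({IP})\s+(static|dynamic)\s*(.*)$")

# Hub output from step 10 of this example, with the wrapped Flag column as printed.
NHRP_HUB = """\
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
172.16.1.2 32 202.1.2.10 172.16.1.2 dynamic
route tunnel
-----------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:02:59
Expire time : 01:57:01
-----------------------------------------------------------------------
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
-----------------------------------------------------------------------
172.16.1.3 32 202.1.3.10 172.16.1.3 dynamic
route tunnel
-----------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time : 00:00:52
Expire time : 01:59:15
"""

# Constructed abridgement in the format of 'display ipsec sa' (SPI and counters omitted).
SA_HUB = """\
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.3.10
[Outbound ESP SAs]
[Outbound AH SAs]
[Inbound AH SAs]
[Inbound ESP SAs]
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.2.10
[Outbound ESP SAs]
[Outbound AH SAs]
[Inbound AH SAs]
[Inbound ESP SAs]
"""


def parse_nhrp(text):
    """Return one dict per NHRP mapping row of 'display nhrp peer all' output."""
    lines = [line.strip() for line in text.splitlines()]
    peers = []
    for i, line in enumerate(lines):
        m = ROW.match(line)
        if not m:
            continue
        flag = m.group(6).strip()
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        # A wrapped Flag is the next line unless that line is a rule,
        # a 'key : value' line or another mapping row.
        if not flag and nxt and not nxt.startswith("-") and ":" not in nxt and not ROW.match(nxt):
            flag = nxt
        peers.append({"protocol": m.group(1), "nbma": m.group(3),
                      "type": m.group(5), "flag": flag})
    return peers


def parse_ipsec_sa(text):
    """Return {tunnel_remote: set of SA section names} from 'display ipsec sa' output."""
    sas, remote = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(rf"Tunnel remote\s*:\s*({IP})$", line)
        if m:
            remote = m.group(1)
            sas.setdefault(remote, set())
            continue
        m = re.match(r"\[((?:In|Out)bound (?:ESP|AH) SAs)\]$", line)
        if m and remote:
            sas[remote].add(m.group(1))
    return sas


def unprotected_peers(nhrp_text, sa_text):
    """Return NBMA addresses of NHRP peers that lack ESP SAs in both directions."""
    sas = parse_ipsec_sa(sa_text)
    required = {"Inbound ESP SAs", "Outbound ESP SAs"}
    missing = set()
    for peer in parse_nhrp(nhrp_text):
        if peer["flag"] == "local":      # the device's own mapping, not a remote peer
            continue
        if not required <= sas.get(peer["nbma"], set()):
            missing.add(peer["nbma"])
    return sorted(missing)


if __name__ == "__main__":
    print("Peers without ESP SAs:", unprotected_peers(NHRP_HUB, SA_HUB) or "none")
```

A Spoke that appears here has registered with the Hub but has no negotiated SA pair, so its IKE state should be checked before the tunnel is trusted.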

11. Verify the IPSec SA configuration.

Check the IPSec SAs generated on Hub, Spoke1, and Spoke2.

# Run the display ipsec sa command on Hub. The command output is as follows:

[Hub] display ipsec sa

===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-Template
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.3.10
Flow source : 202.1.1.10/255.255.255.255 47/0
Flow destination : 202.1.3.10/255.255.255.255 47/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2719506836 (0xa2186194)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887428316/2924
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 87
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2924
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 87
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2924
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 80
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2725542237 (0xa274795d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887429296/2924
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 80
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.2.10
Flow source : 202.1.1.10/255.255.255.255 47/0
Flow destination : 202.1.2.10/255.255.255.255 47/0
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2140030022 (0x7f8e4446)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887426608/2791
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 104
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2791
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 104
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2791
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 93
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2485560141 (0x9426a34d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887428088/2791
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 93
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

# Run the display ipsec sa command on Spoke1. The command output is as follows:

[Spoke1] display ipsec sa

===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2485560141 (0x9426a34d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887426800/2652
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 107
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 107
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 119
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2140030022 (0x7f8e4446)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887425168/2652
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 119
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

# Run the display ipsec sa command on Spoke2. The command output is as follows:

[Spoke2] display ipsec sa

===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2725542237 (0xa274795d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887427732/2763
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 97
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2763
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 97
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2763
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 105
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2719506836 (0xa2186194)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887426588/2763
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 105
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

12. Check OSPF routing information.

Check the OSPF routing information on Hub.

# Run the display ospf 1 routing command on Hub. The command output is as follows:

[Hub] display ospf 1 routing


OSPF Process 1 with Router ID 172.16.1.1
Routing Tables

Routing for Network
Destination      Cost  Type     NextHop      AdvRouter    Area
172.16.1.0/24    1562  Transit  172.16.1.1   172.16.1.1   0.0.0.0
192.168.1.1/32   1562  Stub     172.16.1.2   172.16.1.2   0.0.0.0
192.168.2.1/32   1562  Stub     172.16.1.3   172.16.1.3   0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

Check the OSPF routing information on Spoke1 and Spoke2.

Run the display ospf 1 routing command on Spoke1. The command output is as follows:

[Spoke1] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.2
Routing Tables

Routing for Network
Destination      Cost  Type     NextHop      AdvRouter    Area
172.16.1.0/24    1562  Transit  172.16.1.2   172.16.1.2   0.0.0.0
192.168.1.1/32   0     Stub     192.168.1.1  172.16.1.2   0.0.0.0
192.168.2.1/32   1562  Stub     172.16.1.3   172.16.1.3   0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

Run the display ospf 1 routing command on Spoke2. The command output is as follows:

[Spoke2] display ospf 1 routing

OSPF Process 1 with Router ID 172.16.1.3
Routing Tables

Routing for Network
Destination      Cost  Type     NextHop      AdvRouter    Area
172.16.1.0/24    1562  Transit  172.16.1.3   172.16.1.3   0.0.0.0
192.168.2.1/32   0     Stub     192.168.2.1  172.16.1.3   0.0.0.0
192.168.1.1/32   1562  Stub     172.16.1.2   172.16.1.2   0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

13. Run the ping command to check the configuration result.

Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.

# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:

[Spoke1] ping -a 192.168.1.1 192.168.2.1


PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.2.1 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

# Run the display nhrp peer all command on Spoke1. The command output is as
follows:

[Spoke1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:13:06
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:31
Expire time     : 01:59:29
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:31
Expire time     : 01:59:29

Number of nhrp peers: 3

# Run the display nhrp peer all command on Spoke2. The command output is as
follows:

[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.1      32    202.1.1.10      172.16.1.1      static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 05:13:23
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.2      32    202.1.2.10      172.16.1.2      dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:55
Expire time     : 01:59:05
-------------------------------------------------------------------------------
Protocol-addr   Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.3      32    202.1.3.10      172.16.1.3      dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:55
Expire time     : 01:59:05

Number of nhrp peers: 3

# Run the display ipsec sa command on Spoke1. The command output is as follows:

[Spoke1] display ipsec sa

===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2485560141 (0x9426a34d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887420488/2020
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 175
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2020
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 175
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2020
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2140030022 (0x7f8e4446)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887418092/2020
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.3.10
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 576349831 (0x225a6687)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436368/3511
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 3361785078 (0xc860c4f6)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436368/3511
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

# Run the display ipsec sa command on Spoke2. The command output is as follows:

[Spoke2] display ipsec sa

===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 2725542237 (0xa274795d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887419992/2002
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 181
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2002
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 181
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2002
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 2719506836 (0xa2186194)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887418168/2002
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.2.10
Qos pre-classify : Disable

[Outbound ESP SAs]


SPI: 3361785078 (0xc860c4f6)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436368/3359
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

[Outbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3359
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N

[Inbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3359
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N

[Inbound ESP SAs]


SPI: 576349831 (0x225a6687)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887436368/3359
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
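
The SPIs in the display ipsec sa output above pair up across devices: each outbound SA on one end appears as the inbound SA with the same SPI and proposal on the other end. The following added example (not part of the Huawei documentation) parses abridged copies of the Spoke1 and Spoke2 output and cross-checks the spoke-to-spoke tunnel; the function names are this example's own.

```python
import re

SECTION_RE = re.compile(r"^\[(Outbound|Inbound) (ESP|AH) SAs\]$")
FIELD_RE = re.compile(r"^([^:]+?)\s*:\s*(.+)$")

# Abridged from the page's Spoke1/Spoke2 output (counters and timers dropped).
SPOKE1_OUTPUT = """\
Interface: Tunnel0/0/0
IPSec profile name: "profile1"
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
[Outbound ESP SAs]
SPI: 2485560141 (0x9426a34d)
IPSec profile name: "profile1"
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.3.10
[Outbound ESP SAs]
SPI: 576349831 (0x225a6687)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
[Outbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
[Inbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
[Inbound ESP SAs]
SPI: 3361785078 (0xc860c4f6)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
"""
SPOKE2_OUTPUT = """\
IPSec profile name: "profile1"
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.2.10
[Outbound ESP SAs]
SPI: 3361785078 (0xc860c4f6)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
[Outbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
[Inbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
[Inbound ESP SAs]
SPI: 576349831 (0x225a6687)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
"""


def parse_ipsec_sa(output):
    """Parse 'display ipsec sa' text into one dict per tunnel record."""
    conns, conn, sa = [], None, None
    for raw in output.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section and conn is not None:
            sa = conn["sas"].setdefault(section.groups(), {})
            continue
        field = FIELD_RE.match(line)
        if not field:
            continue
        key, value = field.groups()
        if key == "IPSec profile name":      # starts a new tunnel record
            conn, sa = {"sas": {}}, None
            conns.append(conn)
        elif conn is not None and key in ("Tunnel local", "Tunnel remote"):
            conn[key.split()[1]] = value
        elif sa is not None and key in ("SPI", "Proposal"):
            # keep the decimal SPI that precedes "(0x...)"
            sa[key.lower()] = int(value.split()[0]) if key == "SPI" else value
    return conns


def check_pair(name_a, out_a, name_b, out_b):
    """Cross-check the tunnel between two devices; return a list of problems."""
    conns_b, problems, matched = parse_ipsec_sa(out_b), [], False
    for a in parse_ipsec_sa(out_a):
        b = next((c for c in conns_b if c.get("local") == a.get("remote")
                  and c.get("remote") == a.get("local")), None)
        if b is None:
            continue                          # record for some other peer
        matched = True
        # The page uses "transform ah-esp", so both protocols are expected.
        for proto in ("ESP", "AH"):
            for dir_a, dir_b in (("Outbound", "Inbound"), ("Inbound", "Outbound")):
                sa_a = a["sas"].get((dir_a, proto), {})
                sa_b = b["sas"].get((dir_b, proto), {})
                label = f"{name_a} {dir_a} {proto} / {name_b} {dir_b} {proto}"
                if "spi" not in sa_a or "spi" not in sa_b:
                    problems.append(f"{label}: SA missing on one side")
                elif sa_a["spi"] != sa_b["spi"]:
                    problems.append(f"{label}: SPI {sa_a['spi']} != {sa_b['spi']}")
                elif sa_a.get("proposal") != sa_b.get("proposal"):
                    problems.append(f"{label}: proposal differs")
    if not matched:
        problems.append(f"no tunnel between {name_a} and {name_b}")
    return problems


if __name__ == "__main__":
    print(check_pair("Spoke1", SPOKE1_OUTPUT, "Spoke2", SPOKE2_OUTPUT) or "SAs paired")
```

An empty result means every outbound SA on one spoke has a matching inbound SA on the other; a one-sided or mismatched SPI shows up as a named problem.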

Configuration Files

• Configuration file of Hub


 #
 sysname Hub
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 dh group5
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
 #
 ike peer hub v2
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer hub
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 ipsec profile profile1
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 172.16.1.1
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.1.0 0.0.0.255
 #
 return

• Configuration file of Spoke1

 #
 sysname Spoke1
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 dh group5
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
 #
 ike peer spoke1 v2
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer spoke1
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 ipsec profile profile1
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.2
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.2.0 0.0.0.255
 #
 return

• Configuration file of Spoke2

 #
 sysname Spoke2
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 dh group5
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
 #
 ike peer spoke2 v2
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer spoke2
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 202.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 172.16.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 ospf network-type broadcast
 ipsec profile profile1
 nhrp entry 172.16.1.1 202.1.1.10 register
 #
 ospf 1 router-id 172.16.1.3
 area 0.0.0.0
 network 172.16.1.0 0.0.0.255
 network 192.168.2.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 202.1.3.0 0.0.0.255
 #
 return
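
IKE and IPSec negotiation between the hub and the spokes depends on the proposal and peer settings agreeing on every device. The following added example (not Huawei tooling) splits configuration files in the layout shown above into their "#"-delimited sections and diffs the negotiated ones against the hub; the ciphertext is a placeholder and the Spoke2 values are constructed drift, used only to show a mismatch being reported.

```python
# Sections whose settings both ends must agree on. Object names (pro1, hub,
# spoke1) are local to each device, so sections are matched by type.
NEGOTIATED = ("ipsec proposal", "ike proposal", "ike peer")
# Not compared: the stored key ciphertext (assumption of this example: equal
# ciphertext is not a reliable test for equal keys).
SKIP_PREFIXES = ("pre-shared-key",)

# Layout follows the configuration files above; values marked {…} are filled
# in per device below.
TEMPLATE = """\
#
sysname {name}
#
ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm {enc}
#
ike proposal 1
 dh {dh}
 authentication-algorithm aes-xcbc-mac-96
 prf aes-xcbc-128
#
ike peer {peer} v2
 pre-shared-key cipher <ciphertext-placeholder>
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
#
ipsec profile profile1
 ike-peer {peer}
 proposal pro1
#
return
"""
CONFIGS = {
    "Hub": TEMPLATE.format(name="Hub", peer="hub", enc="aes-192", dh="group5"),
    "Spoke1": TEMPLATE.format(name="Spoke1", peer="spoke1", enc="aes-192", dh="group5"),
    # Constructed drift: not taken from the page.
    "Spoke2": TEMPLATE.format(name="Spoke2", peer="spoke2", enc="aes-256", dh="group14"),
}


def parse_sections(config_text):
    """Split a '#'-delimited configuration file into {header: [settings]}."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line == "return":
            continue
        if line == "#":
            current = None                    # next line opens a new section
        elif current is None:
            current = line
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def negotiation_params(config_text):
    """Return {section type: frozenset(settings)} for the negotiated sections."""
    params = {}
    for header, settings in parse_sections(config_text).items():
        for kind in NEGOTIATED:
            if header.startswith(kind + " "):
                kept = [s for s in settings if not s.startswith(SKIP_PREFIXES)]
                version = header.split()[-1]  # "ike peer hub v2" -> "v2"
                if kind == "ike peer" and version in ("v1", "v2"):
                    kept.append("version " + version)
                params[kind] = frozenset(kept)
    return params


def compare(reference_name, configs):
    """Diff each device against the reference device.

    Returns a list of (device, section type, missing, unexpected) tuples.
    """
    ref = negotiation_params(configs[reference_name])
    findings = []
    for name, text in configs.items():
        if name == reference_name:
            continue
        other = negotiation_params(text)
        for kind in NEGOTIATED:
            want = ref.get(kind, frozenset())
            have = other.get(kind, frozenset())
            if want != have:
                findings.append((name, kind, sorted(want - have), sorted(have - want)))
    return findings


if __name__ == "__main__":
    for device, kind, missing, unexpected in compare("Hub", CONFIGS):
        print(f"{device}: {kind}: missing {missing}, unexpected {unexpected}")
```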
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.10.6.8.11 Example for Configuring a Dual-Hub DSVPN Protected by IPSec

Networking Requirements

In a large enterprise, two hubs (Hub1 and Hub2) at the headquarters communicate with
multiple branches (Spoke1 and Spoke2 in this example) over the Internet. The spokes in the
branches use dynamic addresses to connect to the Internet.

The enterprise wants to protect traffic exchanged between the headquarters and the branches,
and has the following requirements: normally, the branches communicate with the headquarters
through Hub1; traffic is switched to Hub2 when Hub1 becomes faulty and switched back to Hub1
when Hub1 recovers.

Figure 1 Configuring a dual-hub DSVPN protected by IPSec

Configuration Roadmap

The configuration roadmap is as follows:

1. Branches use dynamic addresses to connect to the Internet; therefore, they do not know
the public addresses of each other. Configure DSVPN to implement direct
communication between branches.
2. Use the shortcut DSVPN because there are a large number of branches.
3. Subnets of the headquarters and branches frequently change. To simplify maintenance,
configure OSPF based on the enterprise network plan to enable communication between
the headquarters and branches.
4. To protect data transmitted between the headquarters and branch as well as between
branches, configure IPSec for DSVPN.

Procedure

1. Configure IP addresses for interfaces.

Configure IP addresses for the interfaces of each Router. The configurations of Spoke1,
Spoke2, and Hub2 are similar to those of Hub1 and are not described here.

# Configure an IP address for each interface on Hub1.

<Huawei> system-view
[Huawei] sysname Hub1
[Hub1] interface gigabitethernet 1/0/0
[Hub1-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
[Hub1-GigabitEthernet1/0/0] quit
[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
[Hub1-Tunnel0/0/0] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 10.1.0.1 255.255.255.0
[Hub1-LoopBack0] quit

2. Configure routes between the Routers.

Configure OSPF on each Router so that the Routers have reachable routes to one another over the Internet.

# Configure OSPF on Hub1.

[Hub1] ospf 2
[Hub1-ospf-2] area 0.0.0.1
[Hub1-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.1] quit
[Hub1-ospf-2] quit

# Configure OSPF on Hub2.

[Hub2] ospf 2
[Hub2-ospf-2] area 0.0.0.1
[Hub2-ospf-2-area-0.0.0.1] network 1.1.254.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.1] quit
[Hub2-ospf-2] quit

# Configure OSPF on Spoke1.

[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit

# Configure OSPF on Spoke2.

[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit

3. Configure basic OSPF functions.

# Configure Hub1.

[Hub1] ospf 1 router-id 10.2.1.1
[Hub1-ospf-1] area 0.0.0.0
[Hub1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Hub1-ospf-1-area-0.0.0.0] quit
[Hub1-ospf-1] quit

# Configure Hub2.

[Hub2] ospf 1 router-id 10.2.1.4
[Hub2-ospf-1] area 0.0.0.0
[Hub2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] network 10.1.0.0 0.0.0.255
[Hub2-ospf-1-area-0.0.0.0] quit
[Hub2-ospf-1] quit

# Configure Spoke1.

[Spoke1] ospf 1 router-id 10.2.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit

# Configure Spoke2.

[Spoke2] ospf 1 router-id 10.2.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 10.2.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit

4. Configure tunnel interfaces.

Set the OSPF network type to p2mp on the hubs and spokes. Enable NHRP redirect on
Hub1 and Hub2. Configure static NHRP peer entries of Hub1 and Hub2 and enable
NHRP shortcut on Spoke1 and Spoke2.

# Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub1.

[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub1-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub1-Tunnel0/0/0] ospf network-type p2mp
[Hub1-Tunnel0/0/0] nhrp authentication cipher huawei@1
[Hub1-Tunnel0/0/0] gre key cipher 1999
[Hub1-Tunnel0/0/0] nhrp redirect
[Hub1-Tunnel0/0/0] quit

# Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub2.

[Hub2] interface tunnel 0/0/0
[Hub2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub2-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub2-Tunnel0/0/0] ospf network-type p2mp
[Hub2-Tunnel0/0/0] nhrp authentication cipher huawei@1
[Hub2-Tunnel0/0/0] nhrp redirect
[Hub2-Tunnel0/0/0] gre key cipher 2999
[Hub2-Tunnel0/0/0] quit

# Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and
Hub2, and enable NHRP shortcut on Spoke1.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke1-Tunnel0/0/0] nhrp entry 10.2.1.4 1.1.254.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] nhrp authentication cipher huawei@1
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] nhrp registration interval 300
[Spoke1-Tunnel0/0/0] gre key cipher 1999
[Spoke1-Tunnel0/0/0] quit

# Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and
Hub2, and enable NHRP shortcut on Spoke2.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.1 1.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp entry 10.2.1.4 1.1.254.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] nhrp authentication cipher huawei@1
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] nhrp registration interval 300
[Spoke2-Tunnel0/0/0] gre key cipher 1999
[Spoke2-Tunnel0/0/0] quit

5. Configure an IKE proposal.

Configure an IKE proposal on the hubs and spokes. Ensure that the authentication mode
is the same on all the devices.

# Configure Hub1.

[Hub1] ike proposal 1
[Hub1-ike-proposal-1] dh group5
[Hub1-ike-proposal-1] encryption-algorithm aes-cbc-256
[Hub1-ike-proposal-1] authentication-algorithm sha2-256
[Hub1-ike-proposal-1] prf aes-xcbc-128
[Hub1-ike-proposal-1] quit

# Configure Hub2.

[Hub2] ike proposal 1
[Hub2-ike-proposal-1] dh group5
[Hub2-ike-proposal-1] encryption-algorithm aes-cbc-256
[Hub2-ike-proposal-1] authentication-algorithm sha2-256
[Hub2-ike-proposal-1] prf aes-xcbc-128
[Hub2-ike-proposal-1] quit

# Configure Spoke1.

[Spoke1] ike proposal 1
[Spoke1-ike-proposal-1] dh group5
[Spoke1-ike-proposal-1] encryption-algorithm aes-cbc-256
[Spoke1-ike-proposal-1] authentication-algorithm sha2-256
[Spoke1-ike-proposal-1] prf aes-xcbc-128
[Spoke1-ike-proposal-1] quit

# Configure Spoke2.

[Spoke2] ike proposal 1
[Spoke2-ike-proposal-1] dh group5
[Spoke2-ike-proposal-1] encryption-algorithm aes-cbc-256
[Spoke2-ike-proposal-1] authentication-algorithm sha2-256
[Spoke2-ike-proposal-1] prf aes-xcbc-128
[Spoke2-ike-proposal-1] quit

6. Configure an IKE peer.

Configure an IKE peer for IKE negotiation on the hubs and spokes.

# Configure Hub1.

[Hub1] ike peer hub1 v1
[Hub1-ike-peer-hub1] ike-proposal 1
[Hub1-ike-peer-hub1] pre-shared-key cipher Huawei@1234
[Hub1-ike-peer-hub1] dpd type periodic
[Hub1-ike-peer-hub1] dpd idle-time 40
[Hub1-ike-peer-hub1] quit

# Configure Hub2.

[Hub2] ike peer hub2 v1
[Hub2-ike-peer-hub2] ike-proposal 1
[Hub2-ike-peer-hub2] pre-shared-key cipher Huawei@1234
[Hub2-ike-peer-hub2] dpd type periodic
[Hub2-ike-peer-hub2] dpd idle-time 40
[Hub2-ike-peer-hub2] quit

# Configure Spoke1.

[Spoke1] ike peer spoke1 v1
[Spoke1-ike-peer-spoke1] ike-proposal 1
[Spoke1-ike-peer-spoke1] pre-shared-key cipher Huawei@1234
[Spoke1-ike-peer-spoke1] dpd type periodic
[Spoke1-ike-peer-spoke1] dpd idle-time 40
[Spoke1-ike-peer-spoke1] quit

# Configure Spoke2.

[Spoke2] ike peer spoke2 v1
[Spoke2-ike-peer-spoke2] ike-proposal 1
[Spoke2-ike-peer-spoke2] pre-shared-key cipher Huawei@1234
[Spoke2-ike-peer-spoke2] dpd type periodic
[Spoke2-ike-peer-spoke2] dpd idle-time 40
[Spoke2-ike-peer-spoke2] quit

7. Create an IPSec proposal.

Create an IPSec proposal on the hubs and spokes.

# Configure Hub1.

[Hub1] ipsec proposal pro1
[Hub1-ipsec-proposal-pro1] transform ah-esp
[Hub1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Hub1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Hub1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Hub1-ipsec-proposal-pro1] quit

# Configure Hub2.

[Hub2] ipsec proposal pro1
[Hub2-ipsec-proposal-pro1] transform ah-esp
[Hub2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Hub2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Hub2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Hub2-ipsec-proposal-pro1] quit

# Configure Spoke1.

[Spoke1] ipsec proposal pro1
[Spoke1-ipsec-proposal-pro1] transform ah-esp
[Spoke1-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Spoke1-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Spoke1-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Spoke1-ipsec-proposal-pro1] quit

# Configure Spoke2.

[Spoke2] ipsec proposal pro1
[Spoke2-ipsec-proposal-pro1] transform ah-esp
[Spoke2-ipsec-proposal-pro1] ah authentication-algorithm sha2-256
[Spoke2-ipsec-proposal-pro1] esp authentication-algorithm sha2-256
[Spoke2-ipsec-proposal-pro1] esp encryption-algorithm aes-192
[Spoke2-ipsec-proposal-pro1] quit

8. Create an IPSec profile.

Create an IPSec profile on the hubs and spokes.

# Configure Hub1.

[Hub1] ipsec profile profile1
[Hub1-ipsec-profile-profile1] ike-peer hub1
[Hub1-ipsec-profile-profile1] proposal pro1
[Hub1-ipsec-profile-profile1] quit

# Configure Hub2.

[Hub2] ipsec profile profile1
[Hub2-ipsec-profile-profile1] ike-peer hub2
[Hub2-ipsec-profile-profile1] proposal pro1
[Hub2-ipsec-profile-profile1] quit

# Configure Spoke1.

[Spoke1] ipsec profile profile1
[Spoke1-ipsec-profile-profile1] ike-peer spoke1
[Spoke1-ipsec-profile-profile1] proposal pro1
[Spoke1-ipsec-profile-profile1] quit

# Configure Spoke2.

[Spoke2] ipsec profile profile1
[Spoke2-ipsec-profile-profile1] ike-peer spoke2
[Spoke2-ipsec-profile-profile1] proposal pro1
[Spoke2-ipsec-profile-profile1] quit

9. Apply the IPSec profile to interfaces.

# Configure Hub1.

[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] ipsec profile profile1
[Hub1-Tunnel0/0/0] quit

# Configure Hub2.

[Hub2] interface tunnel 0/0/0
[Hub2-Tunnel0/0/0] ipsec profile profile1
[Hub2-Tunnel0/0/0] quit

# Configure Spoke1.

[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] ipsec profile profile1
[Spoke1-Tunnel0/0/0] quit

# Configure Spoke2.

[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] ipsec profile profile1
[Spoke2-Tunnel0/0/0] quit

10. Verify the configuration.

The headquarters and the branches, as well as the branches themselves, can communicate
with each other, and data flows between them are protected by IPSec.

a. Check whether IKE SAs are established.

Run the display ike sa command to check whether IKE SAs are established. The
command output on Hub1 and Spoke1 is used as an example.

[Spoke1] display ike sa
Conn-ID  Peer          VPN  Flag(s)  Phase
---------------------------------------------------------------
442      1.1.1.10      0    RD|ST    2
138      1.1.1.10      0    RD|ST    1
409      1.1.254.10    0    RD|ST    2
5        1.1.254.10    0    RD|ST    1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

The output shows that Spoke1 has successfully established IPSec tunnels with Hub1 and
Hub2.

# Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command
output is as follows.

[Spoke1] ping -a 10.1.1.1 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 10.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms

[Spoke1] display ike sa
Conn-ID  Peer          VPN  Flag(s)  Phase
---------------------------------------------------------------
442      1.1.1.10      0    RD|ST    2
138      1.1.1.10      0    RD|ST    1
342      1.1.3.10      0    RD|ST    2
284      1.1.3.10      0    RD|ST    1
409      1.1.254.10    0    RD|ST    2
5        1.1.254.10    0    RD|ST    1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP

When branches communicate with each other, Spoke1 and Spoke2 establish an
IPSec tunnel.

b. When Hub1 fails, the headquarters and the branches, as well as the branches
themselves, can still communicate with each other.

# Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command
output is as follows.

[Spoke1] ping -a 10.1.1.1 10.1.2.1
PING 10.1.2.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.2.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 10.1.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.1.2.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 10.1.2.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
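
The check in step 10 can be automated. The following is an added example, not part of the original guide: it parses the display ike sa output shown above and reports which expected peers lack a ready phase 1 or phase 2 SA. The function names are hypothetical, and treating an SA flagged RL, FD or TO as unusable is an assumption based only on the flag legend.

```python
import ipaddress

# "display ike sa" output on Spoke1 before branch-to-branch traffic,
# copied from the first output in this step.
BEFORE_SPOKE_TRAFFIC = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
442 1.1.1.10 0 RD|ST 2
138 1.1.1.10 0 RD|ST 1
409 1.1.254.10 0 RD|ST 2
5 1.1.254.10 0 RD|ST 1

Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
"""

# The same command after the ping from 10.1.1.1 to 10.1.2.1 (second output).
AFTER_SPOKE_TRAFFIC = """\
Conn-ID Peer VPN Flag(s) Phase
---------------------------------------------------------------
442 1.1.1.10 0 RD|ST 2
138 1.1.1.10 0 RD|ST 1
342 1.1.3.10 0 RD|ST 2
284 1.1.3.10 0 RD|ST 1
409 1.1.254.10 0 RD|ST 2
5 1.1.254.10 0 RD|ST 1
"""

HUBS = ["1.1.1.10", "1.1.254.10"]   # Hub1 and Hub2 public addresses
SPOKE2 = "1.1.3.10"                 # Spoke2 public address

# Assumption: an SA carrying any of these flags is not counted as usable.
STALE_FLAGS = {"RL", "FD", "TO"}


def parse_ike_sa(text):
    """Return {peer: {phase: [flag_set, ...]}} for every SA row in the output."""
    sas = {}
    for line in text.splitlines():
        fields = line.split()
        # A data row starts with a numeric Conn-ID and ends with the phase.
        # The VPN column may be empty, so flags and phase are read from the end.
        if len(fields) < 4 or not fields[0].isdigit() or fields[-1] not in ("1", "2"):
            continue
        try:
            peer = str(ipaddress.ip_address(fields[1]))
        except ValueError:
            continue
        flags = set(fields[-2].split("|"))
        sas.setdefault(peer, {}).setdefault(int(fields[-1]), []).append(flags)
    return sas


def incomplete_peers(text, expected_peers):
    """Map each expected peer to the IKE phases that have no ready SA."""
    sas = parse_ike_sa(text)
    gaps = {}
    for peer in expected_peers:
        missing = [
            phase for phase in (1, 2)
            if not any("RD" in flags and not (flags & STALE_FLAGS)
                       for flags in sas.get(peer, {}).get(phase, []))
        ]
        if missing:
            gaps[peer] = missing
    return gaps


if __name__ == "__main__":
    print("before:", incomplete_peers(BEFORE_SPOKE_TRAFFIC, HUBS + [SPOKE2]))
    print("after: ", incomplete_peers(AFTER_SPOKE_TRAFFIC, HUBS + [SPOKE2]))
```

A peer that shows only a phase 1 row has negotiated IKE but has no IPSec SA, so a successful ping alone does not prove that the traffic is protected.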

Configuration Files

• Hub1 configuration file
 #
 sysname Hub1
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm sha2-256
 prf aes-xcbc-128
 #
 ike peer hub1 v1
 pre-shared-key cipher %^%#r]yCG7r(%Obe2oGBu,[XG'[76vVusGq|D9KF,7K@%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer hub1
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 1.1.1.10 255.255.255.0
 #
 interface LoopBack0
 ip address 10.1.0.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 10.2.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#q'~GF"30`<g3mxV46;`!_&1{>'e5ALQLkU6~+T>C%^%#
 ospf network-type p2mp
 ipsec profile profile1
 nhrp authentication cipher %^%#!Noa/<I+/WhpAwVfx`QI=vcV),t#@Ihg=PQeN]%C%^%#
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 10.2.1.1
 area 0.0.0.0
 network 10.2.1.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 1.1.1.0 0.0.0.255
 #
 return

• Hub2 configuration file
 #
 sysname Hub2
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm sha2-256
 prf aes-xcbc-128
 #
 ike peer hub2 v1
 pre-shared-key cipher %^%#W8t$Ji82`Y-RX')iNvw9dZ3.K8bxvKioU4LNKx*7%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer hub2
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 1.1.254.10 255.255.255.0
 #
 interface LoopBack0
 ip address 10.1.0.2 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 10.2.1.4 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#[*8)P`\Ra>LdAI7Hamn2t=W5D$M]kMjMEH:9^tr-%^%#
 ospf network-type p2mp
 ipsec profile profile1
 nhrp authentication cipher %^%#T(U)=!7|/2^zbH",\BxIKTySV/5xQ*n+<U,dc!36%^%#
 nhrp redirect
 nhrp entry multicast dynamic
 #
 ospf 1 router-id 10.2.1.254
 area 0.0.0.0
 network 10.2.1.0 0.0.0.255
 network 10.1.0.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 1.1.254.0 0.0.0.255
 #
 return

• Spoke1 configuration file
 #
 sysname Spoke1
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm sha2-256
 prf aes-xcbc-128
 #
 ike peer spoke1 v1
 pre-shared-key cipher %^%#yRiB!lV4gKvCG_LJ&QDF'FuTPhzX,)QVajSs&M_I%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ipsec profile profile1
 ike-peer spoke1
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 1.1.2.10 255.255.255.0
 #
 interface LoopBack0
 ip address 10.1.1.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 10.2.1.2 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#qi,=:z}BQCPT5D>A}20MCIEc6-SBY*d<|bE~>i;2%^%#
 ospf network-type p2mp
 ipsec profile profile1
 nhrp authentication cipher %^%#e1an+f[D*$J{NJ4ubbMM$N1L1F2O6#O/u:-[EkSJ%^%#
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 10.2.1.1 1.1.1.10 register
 nhrp entry 10.2.1.4 1.1.254.10 register
 #
 ospf 1 router-id 10.2.1.2
 area 0.0.0.0
 network 10.1.1.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 1.1.2.0 0.0.0.255
 #
 return

• Spoke2 configuration file
 #
 sysname Spoke2
 #
 ipsec proposal pro1
 transform ah-esp
 ah authentication-algorithm sha2-256
 esp authentication-algorithm sha2-256
 esp encryption-algorithm aes-192
 #
 ike proposal 1
 encryption-algorithm aes-cbc-256
 dh group5
 authentication-algorithm sha2-256
 prf aes-xcbc-128
 #
 ike peer spoke2 v1
 pre-shared-key cipher %^%#yRiB!lV4gKvCG_LJ&QDF'FuTPhzX,)QVajSs&M_I%^%#
 ike-proposal 1
 dpd type periodic
 dpd idle-time 40
 #
 ike identity identity1
 ip address 1.1.1.0 255.255.255.0
 ip address 1.1.2.0 255.255.255.0
 #
 ipsec profile profile1
 ike-peer spoke2
 proposal pro1
 match ike-identity identity1
 ipsec profile profile2
 ike-peer spoke2
 proposal pro1
 #
 interface GigabitEthernet1/0/0
 ip address 1.1.3.10 255.255.255.0
 #
 interface LoopBack0
 ip address 10.1.2.1 255.255.255.0
 #
 interface Tunnel0/0/0
 ip address 10.2.1.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#y0|R0B_>==#l"D)42/nU!;A56Zx=oDj,7O7>#:4.%^%#
 ospf network-type p2mp
 ipsec profile profile1
 nhrp authentication cipher %^%#FosR<0omi.W{)Y7gp`XP|I-V"|]+7S>{'T/(vKO0%^%#
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 10.2.1.1 1.1.1.10 register
 #
 interface Tunnel0/0/1
 ip address 10.2.2.3 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#y0|R0B_>==#l"D)42/nU!;A56Zx=oDj,7O7>#:4.%^%#
 ospf network-type p2mp
 ipsec profile profile2
 nhrp authentication cipher %^%#FosR<0omi.W{)Y7gp`XP|I-V"|]+7S>{'T/(vKO0%^%#
 nhrp shortcut
 nhrp registration interval 300
 nhrp entry 10.2.1.4 1.1.254.10 register
 #
 ospf 1 router-id 10.2.1.3
 area 0.0.0.0
 network 10.1.2.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 network 10.2.1.0 0.0.0.255
 #
 ospf 2
 area 0.0.0.1
 network 1.1.3.0 0.0.0.255
 #
 return
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.

7.3.10.6.8.12 Example for Configuring a DSVPN Based on the LTE Dialup Status

Networking Requirements

As shown in Figure 1, an enterprise headquarters (Hub_1 as the primary device and Hub_2 as the
secondary device) and a branch (Spoke) are located in different areas. The branch connects to
the headquarters through an LTE network (LTE network 1 in the figure). The enterprise requires
that the branch communicate with the headquarters through a VPN and that data transmitted
between them be encrypted.

To ensure that enterprise users can still connect to the headquarters when the primary SIM
card (SIM card 1) or LTE network 1 is faulty, the enterprise leases a second LTE network (LTE
network 2 in the figure) to set up a backup link through the secondary SIM card (SIM card 2)
for temporary service transmission.

Figure 1 Configuring a DSVPN based on the LTE dialup status

Configuration Roadmap

The branch address is not fixed because it connects to the headquarters through an LTE network;
therefore, the branch and headquarters must be connected through a VPN.

To ensure reliable data transmission, two SIM cards in redundancy mode need to be configured
in the branch and they connect to different LTE networks. A tunnel can be established between
the headquarters and branch based on the association between the LTE dialup status and DSVPN
to ensure uninterrupted data transmission.

The configuration roadmap is as follows:

1. Configure a cellular interface and APN profile, so that the branch can connect to the LTE
network.
2. Use the non-shortcut DSVPN scenario because the enterprise has only a few branches. Use
the RIP protocol to advertise private network routes between the headquarters and branch
and associate NHRP peer information with the APN profile. When the APN profile is in
use, the associated NHRP peer information takes effect; therefore, a tunnel can be
established between the headquarters and branch.
3. Configure the NQA function to implement switching between the primary and secondary
SIM cards.
4. Install a primary and a secondary SIM card on the cellular interface to ensure reliable
data transmission.
5. Bind IPSec policies to the cellular interface on the branch device and the public network
interfaces on the headquarters devices, so that data transmitted between them can be
encrypted.

Procedure

1. Configure IP addresses for interfaces.

Configure an IP address for each interface on Hub_1 and Hub_2 according to Figure 1.

# Configure an IP address for each interface on Hub_1.

<Huawei> system-view
[Huawei] sysname Hub_1
[Hub_1] interface gigabitethernet 1/0/0
[Hub_1-GigabitEthernet1/0/0] ip address 202.10.1.2 255.255.255.252
[Hub_1-GigabitEthernet1/0/0] quit
[Hub_1] interface gigabitethernet 2/0/0
[Hub_1-GigabitEthernet2/0/0] ip address 202.10.1.6 255.255.255.252
[Hub_1-GigabitEthernet2/0/0] quit
[Hub_1] interface gigabitethernet 3/0/0
[Hub_1-GigabitEthernet3/0/0] ip address 192.168.1.1 255.255.255.0
[Hub_1-GigabitEthernet3/0/0] quit
[Hub_1] interface tunnel 0/0/1
[Hub_1-Tunnel0/0/1] ip address 172.16.1.1 255.255.255.0
[Hub_1-Tunnel0/0/1] quit
[Hub_1] interface tunnel 0/0/3
[Hub_1-Tunnel0/0/3] ip address 172.16.3.1 255.255.255.0
[Hub_1-Tunnel0/0/3] quit

The configurations of Hub_2 and the Spoke are similar to the configuration of Hub_1,
and are not mentioned here.

2. Configure a cellular interface and APN profile.

# Configure the Spoke.

[Spoke] dialer-rule
[Spoke-dialer-rule] dialer-rule 1 ip permit
[Spoke-dialer-rule] quit
[Spoke] interface cellular 0/0/0
[Spoke-Cellular0/0/0] ip address negotiate
[Spoke-Cellular0/0/0] dialer enable-circular
[Spoke-Cellular0/0/0] dialer-group 1
[Spoke-Cellular0/0/0] dialer timer autodial 15
[Spoke-Cellular0/0/0] dialer timer probe-interval 15
[Spoke-Cellular0/0/0] dialer number *99# autodial
[Spoke-Cellular0/0/0] mode lte auto
[Spoke-Cellular0/0/0] quit
[Spoke] apn profile ltenet
[Spoke-apn-profile-ltenet] sim-id 1
[Spoke-apn-profile-ltenet] apn LTENET1
[Spoke-apn-profile-ltenet] quit
[Spoke] apn profile ltewap
[Spoke-apn-profile-ltewap] sim-id 2
[Spoke-apn-profile-ltewap] apn LTENET2
[Spoke-apn-profile-ltewap] quit

3. Configure reachable public network routes between the devices.

Configure static routes on each device to ensure that the public network routes between
the devices are reachable.

# Configure Hub_1.

[Hub_1] ip route-static 0.0.0.0 0 202.10.1.1
[Hub_1] ip route-static 0.0.0.0 0 202.10.1.5

# Configure Hub_2.

[Hub_2] ip route-static 0.0.0.0 0 202.10.1.9
[Hub_2] ip route-static 0.0.0.0 0 202.10.1.13

# Configure the Spoke.

[Spoke] ip route-static 0.0.0.0 0 cellular 0/0/0

4. Configure the DSVPN function.

Configure tunnel interfaces on the Hubs and Spoke and associate NHRP peer information
with the APN profile. Configure the RIP protocol to advertise private network routes and
configure the Spoke to add different metric values to the routes when different tunnel
interfaces send or receive RIP packets to implement communication between the
headquarters and branch.

# Configure Hub_1.

[Hub_1] interface tunnel 0/0/1
[Hub_1-Tunnel0/0/1] tunnel-protocol gre p2mp
[Hub_1-Tunnel0/0/1] source gigabitethernet 1/0/0
[Hub_1-Tunnel0/0/1] nhrp registration no-unique
[Hub_1-Tunnel0/0/1] nhrp entry multicast dynamic
[Hub_1-Tunnel0/0/1] gre key 111
[Hub_1-Tunnel0/0/1] nhrp authentication cipher Huawei@1
[Hub_1-Tunnel0/0/1] nhrp entry holdtime seconds 60
[Hub_1-Tunnel0/0/1] quit
[Hub_1] interface tunnel 0/0/3
[Hub_1-Tunnel0/0/3] tunnel-protocol gre p2mp
[Hub_1-Tunnel0/0/3] source gigabitethernet 2/0/0
[Hub_1-Tunnel0/0/3] nhrp registration no-unique
[Hub_1-Tunnel0/0/3] nhrp entry multicast dynamic
[Hub_1-Tunnel0/0/3] gre key 333
[Hub_1-Tunnel0/0/3] nhrp authentication cipher Huawei@3
[Hub_1-Tunnel0/0/3] nhrp entry holdtime seconds 60
[Hub_1-Tunnel0/0/3] quit
[Hub_1] rip 1
[Hub_1-rip-1] version 2
[Hub_1-rip-1] undo summary
[Hub_1-rip-1] network 172.16.0.0
[Hub_1-rip-1] network 192.168.1.0
[Hub_1-rip-1] quit

# Configure Hub_2.

[Hub_2] interface tunnel 0/0/2
[Hub_2-Tunnel0/0/2] tunnel-protocol gre p2mp
[Hub_2-Tunnel0/0/2] source gigabitethernet 2/0/0
[Hub_2-Tunnel0/0/2] nhrp registration no-unique
[Hub_2-Tunnel0/0/2] nhrp entry multicast dynamic
[Hub_2-Tunnel0/0/2] gre key 222
[Hub_2-Tunnel0/0/2] nhrp authentication cipher Huawei@2
[Hub_2-Tunnel0/0/2] nhrp entry holdtime seconds 60
[Hub_2-Tunnel0/0/2] quit
[Hub_2] interface tunnel 0/0/4
[Hub_2-Tunnel0/0/4] tunnel-protocol gre p2mp
[Hub_2-Tunnel0/0/4] source gigabitethernet 1/0/0
[Hub_2-Tunnel0/0/4] nhrp registration no-unique
[Hub_2-Tunnel0/0/4] nhrp entry multicast dynamic
[Hub_2-Tunnel0/0/4] gre key 444
[Hub_2-Tunnel0/0/4] nhrp authentication cipher Huawei@4
[Hub_2-Tunnel0/0/4] nhrp entry holdtime seconds 60
[Hub_2-Tunnel0/0/4] quit
[Hub_2] rip 1
[Hub_2-rip-1] version 2
[Hub_2-rip-1] undo summary
[Hub_2-rip-1] network 172.16.0.0
[Hub_2-rip-1] network 192.168.1.0
[Hub_2-rip-1] quit

# Associate NHRP peer information with the APN profile on the Spoke and configure the
Spoke to add different metric values to the routes when different tunnel interfaces send or
receive RIP packets.

[Spoke] rip 1
[Spoke-rip-1] version 2
[Spoke-rip-1] network 172.16.0.0
[Spoke-rip-1] network 192.168.3.0
[Spoke-rip-1] quit
[Spoke] interface tunnel 0/0/1
[Spoke-Tunnel0/0/1] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/1] source cellular 0/0/0
[Spoke-Tunnel0/0/1] gre key 111
[Spoke-Tunnel0/0/1] nhrp authentication cipher Huawei@1
[Spoke-Tunnel0/0/1] nhrp registration interval 20
[Spoke-Tunnel0/0/1] nhrp entry 172.16.1.1 202.10.1.2 register track apn ltenet
[Spoke-Tunnel0/0/1] rip metricin 1
[Spoke-Tunnel0/0/1] quit
[Spoke] interface tunnel 0/0/2
[Spoke-Tunnel0/0/2] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/2] source cellular 0/0/0
[Spoke-Tunnel0/0/2] gre key 222
[Spoke-Tunnel0/0/2] nhrp authentication cipher Huawei@2
[Spoke-Tunnel0/0/2] nhrp registration interval 20
[Spoke-Tunnel0/0/2] nhrp entry 172.16.2.1 202.10.1.10 register track apn ltenet
[Spoke-Tunnel0/0/2] rip metricin 7
[Spoke-Tunnel0/0/2] rip metricout 7
[Spoke-Tunnel0/0/2] quit
[Spoke] interface tunnel 0/0/3
[Spoke-Tunnel0/0/3] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/3] source cellular 0/0/0
[Spoke-Tunnel0/0/3] gre key 333
[Spoke-Tunnel0/0/3] nhrp authentication cipher Huawei@3
[Spoke-Tunnel0/0/3] nhrp registration interval 20
[Spoke-Tunnel0/0/3] nhrp entry 172.16.3.1 202.10.1.6 register track apn ltewap
[Spoke-Tunnel0/0/3] rip metricin 4
[Spoke-Tunnel0/0/3] rip metricout 4
[Spoke-Tunnel0/0/3] quit
[Spoke] interface tunnel 0/0/4
[Spoke-Tunnel0/0/4] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/4] source cellular 0/0/0
[Spoke-Tunnel0/0/4] gre key 444
[Spoke-Tunnel0/0/4] nhrp authentication cipher Huawei@4
[Spoke-Tunnel0/0/4] nhrp registration interval 20
[Spoke-Tunnel0/0/4] nhrp entry 172.16.4.1 202.10.1.14 register track apn ltewap
[Spoke-Tunnel0/0/4] rip metricin 10
[Spoke-Tunnel0/0/4] rip metricout 10
[Spoke-Tunnel0/0/4] quit

5. Configure the NQA function.

Determine whether to perform a primary/secondary SIM card switching based on the
NQA detection results on tunnel interfaces and the LTE dialup status.

# Configure the Spoke.

[Spoke] nqa test-instance admin tunnel0/0/1
[Spoke-nqa-admin-tunnel0/0/1] test-type icmp
[Spoke-nqa-admin-tunnel0/0/1] destination-address ipv4 172.16.1.1
[Spoke-nqa-admin-tunnel0/0/1] source-address ipv4 172.16.1.2
[Spoke-nqa-admin-tunnel0/0/1] frequency 15
[Spoke-nqa-admin-tunnel0/0/1] source-interface tunnel 0/0/1
[Spoke-nqa-admin-tunnel0/0/1] start now
[Spoke-nqa-admin-tunnel0/0/1] quit
[Spoke] nqa test-instance admin tunnel0/0/2
[Spoke-nqa-admin-tunnel0/0/2] test-type icmp
[Spoke-nqa-admin-tunnel0/0/2] destination-address ipv4 172.16.2.1
[Spoke-nqa-admin-tunnel0/0/2] source-address ipv4 172.16.2.2
[Spoke-nqa-admin-tunnel0/0/2] frequency 15
[Spoke-nqa-admin-tunnel0/0/2] source-interface tunnel 0/0/2
[Spoke-nqa-admin-tunnel0/0/2] start now
[Spoke-nqa-admin-tunnel0/0/2] quit
[Spoke] nqa test-instance admin tunnel0/0/3
[Spoke-nqa-admin-tunnel0/0/3] test-type icmp
[Spoke-nqa-admin-tunnel0/0/3] destination-address ipv4 172.16.3.1
[Spoke-nqa-admin-tunnel0/0/3] source-address ipv4 172.16.3.2
[Spoke-nqa-admin-tunnel0/0/3] frequency 15
[Spoke-nqa-admin-tunnel0/0/3] source-interface tunnel 0/0/3
[Spoke-nqa-admin-tunnel0/0/3] start now
[Spoke-nqa-admin-tunnel0/0/3] quit
[Spoke] nqa test-instance admin tunnel0/0/4
[Spoke-nqa-admin-tunnel0/0/4] test-type icmp
[Spoke-nqa-admin-tunnel0/0/4] destination-address ipv4 172.16.4.1
[Spoke-nqa-admin-tunnel0/0/4] source-address ipv4 172.16.4.2
[Spoke-nqa-admin-tunnel0/0/4] frequency 15
[Spoke-nqa-admin-tunnel0/0/4] source-interface tunnel 0/0/4
[Spoke-nqa-admin-tunnel0/0/4] start now
[Spoke-nqa-admin-tunnel0/0/4] quit

6. Install a primary and a secondary SIM card on the Spoke.

# Configure the Spoke.

[Spoke] interface cellular 0/0/0
[Spoke-Cellular0/0/0] apn-profile ltenet priority 200 track nqa admin tunnel0/0/1 admin tunnel0/0/2
[Spoke-Cellular0/0/0] apn-profile ltewap priority 150 track nqa admin tunnel0/0/3 admin tunnel0/0/4
[Spoke-Cellular0/0/0] shutdown
[Spoke-Cellular0/0/0] undo shutdown
[Spoke-Cellular0/0/0] quit

7. Configure the IPSec function to protect data transmitted between the headquarters and
branch.

# Configure Hub_1.

[Hub_1] acl number 3001
[Hub_1-acl-adv-3001] rule 5 permit ip source 202.10.1.2 0
[Hub_1-acl-adv-3001] quit
[Hub_1] acl number 3003
[Hub_1-acl-adv-3003] rule 5 permit ip source 202.10.1.6 0
[Hub_1-acl-adv-3003] quit
[Hub_1] ipsec proposal 1
[Hub_1-ipsec-proposal-1] quit
[Hub_1] ipsec proposal 3
[Hub_1-ipsec-proposal-3] quit
[Hub_1] ike peer 1 v1
[Hub_1-ike-peer-1] pre-shared-key cipher Huawei@1234
[Hub_1-ike-peer-1] quit
[Hub_1] ike peer 3 v1
[Hub_1-ike-peer-3] pre-shared-key cipher Huawei@1234
[Hub_1-ike-peer-3] quit
[Hub_1] ipsec policy-template use1 10
[Hub_1-ipsec-policy-templet-use1-10] ike-peer 1
[Hub_1-ipsec-policy-templet-use1-10] proposal 1
[Hub_1-ipsec-policy-templet-use1-10] security acl 3001
[Hub_1-ipsec-policy-templet-use1-10] quit
[Hub_1] ipsec policy policy1 10 isakmp template use1
[Hub_1] ipsec policy-template use3 10
[Hub_1-ipsec-policy-templet-use3-10] ike-peer 3
[Hub_1-ipsec-policy-templet-use3-10] proposal 3
[Hub_1-ipsec-policy-templet-use3-10] security acl 3003
[Hub_1-ipsec-policy-templet-use3-10] quit
[Hub_1] ipsec policy policy3 10 isakmp template use3
[Hub_1] interface gigabitethernet 1/0/0
[Hub_1-GigabitEthernet1/0/0] ipsec policy policy1
[Hub_1-GigabitEthernet1/0/0] quit
[Hub_1] interface gigabitethernet 2/0/0
[Hub_1-GigabitEthernet2/0/0] ipsec policy policy3
[Hub_1-GigabitEthernet2/0/0] quit

# Configure Hub_2.

[Hub_2] acl number 3002
[Hub_2-acl-adv-3002] rule 5 permit ip source 202.10.1.10 0
[Hub_2-acl-adv-3002] quit
[Hub_2] acl number 3004
[Hub_2-acl-adv-3004] rule 5 permit ip source 202.10.1.14 0
[Hub_2-acl-adv-3004] quit
[Hub_2] ipsec proposal 2
[Hub_2-ipsec-proposal-2] quit
[Hub_2] ipsec proposal 4
[Hub_2-ipsec-proposal-4] quit
[Hub_2] ike peer 2 v1
[Hub_2-ike-peer-2] pre-shared-key cipher Huawei@1234
[Hub_2-ike-peer-2] quit
[Hub_2] ike peer 4 v1
[Hub_2-ike-peer-4] pre-shared-key cipher Huawei@1234
[Hub_2-ike-peer-4] quit
[Hub_2] ipsec policy-template use2 10
[Hub_2-ipsec-policy-templet-use2-10] ike-peer 2
[Hub_2-ipsec-policy-templet-use2-10] proposal 2
[Hub_2-ipsec-policy-templet-use2-10] security acl 3002
[Hub_2-ipsec-policy-templet-use2-10] quit
[Hub_2] ipsec policy policy2 10 isakmp template use2
[Hub_2] ipsec policy-template use4 10
[Hub_2-ipsec-policy-templet-use4-10] ike-peer 4
[Hub_2-ipsec-policy-templet-use4-10] proposal 4
[Hub_2-ipsec-policy-templet-use4-10] security acl 3004
[Hub_2-ipsec-policy-templet-use4-10] quit
[Hub_2] ipsec policy policy4 10 isakmp template use4
[Hub_2] interface gigabitethernet 1/0/0
[Hub_2-GigabitEthernet1/0/0] ipsec policy policy4
[Hub_2-GigabitEthernet1/0/0] quit
[Hub_2] interface gigabitethernet 2/0/0
[Hub_2-GigabitEthernet2/0/0] ipsec policy policy2
[Hub_2-GigabitEthernet2/0/0] quit

# Configure the Spoke.

[Spoke] acl number 3001
[Spoke-acl-adv-3001] rule 5 permit ip destination 202.10.1.2 0
[Spoke-acl-adv-3001] quit
[Spoke] acl number 3002
[Spoke-acl-adv-3002] rule 5 permit ip destination 202.10.1.10 0
[Spoke-acl-adv-3002] quit
[Spoke] acl number 3003
[Spoke-acl-adv-3003] rule 5 permit ip destination 202.10.1.6 0
[Spoke-acl-adv-3003] quit
[Spoke] acl number 3004
[Spoke-acl-adv-3004] rule 5 permit ip destination 202.10.1.14 0
[Spoke-acl-adv-3004] quit
[Spoke] ipsec proposal 1
[Spoke-ipsec-proposal-1] quit
[Spoke] ipsec proposal 2
[Spoke-ipsec-proposal-2] quit
[Spoke] ipsec proposal 3
[Spoke-ipsec-proposal-3] quit
[Spoke] ipsec proposal 4
[Spoke-ipsec-proposal-4] quit
[Spoke] ike peer 1 v1
[Spoke-ike-peer-1] pre-shared-key cipher Huawei@1234
[Spoke-ike-peer-1] remote-address 202.10.1.2
[Spoke-ike-peer-1] quit
[Spoke] ike peer 2 v1
[Spoke-ike-peer-2] pre-shared-key cipher Huawei@1234
[Spoke-ike-peer-2] remote-address 202.10.1.10
[Spoke-ike-peer-2] quit
[Spoke] ike peer 3 v1
[Spoke-ike-peer-3] pre-shared-key cipher Huawei@1234
[Spoke-ike-peer-3] remote-address 202.10.1.6
[Spoke-ike-peer-3] quit
[Spoke] ike peer 4 v1
[Spoke-ike-peer-4] pre-shared-key cipher Huawei@1234
[Spoke-ike-peer-4] remote-address 202.10.1.14
[Spoke-ike-peer-4] quit
[Spoke] ipsec policy policy1 10 isakmp
[Spoke-ipsec-policy-isakmp-policy1-10] ike-peer 1
[Spoke-ipsec-policy-isakmp-policy1-10] proposal 1
[Spoke-ipsec-policy-isakmp-policy1-10] security acl 3001
[Spoke-ipsec-policy-isakmp-policy1-10] quit
[Spoke] ipsec policy policy1 20 isakmp
[Spoke-ipsec-policy-isakmp-policy1-20] ike-peer 2
[Spoke-ipsec-policy-isakmp-policy1-20] proposal 2
[Spoke-ipsec-policy-isakmp-policy1-20] security acl 3002
[Spoke-ipsec-policy-isakmp-policy1-20] quit
[Spoke] ipsec policy policy1 30 isakmp
[Spoke-ipsec-policy-isakmp-policy1-30] ike-peer 3
[Spoke-ipsec-policy-isakmp-policy1-30] proposal 3
[Spoke-ipsec-policy-isakmp-policy1-30] security acl 3003
[Spoke-ipsec-policy-isakmp-policy1-30] quit
[Spoke] ipsec policy policy1 40 isakmp
[Spoke-ipsec-policy-isakmp-policy1-40] ike-peer 4
[Spoke-ipsec-policy-isakmp-policy1-40] proposal 4
[Spoke-ipsec-policy-isakmp-policy1-40] security acl 3004
[Spoke-ipsec-policy-isakmp-policy1-40] quit
[Spoke] interface cellular 0/0/0
[Spoke-Cellular0/0/0] ipsec policy policy1
[Spoke-Cellular0/0/0] quit

8. Verify the configuration.

After the configuration is complete, run the display nhrp peer all command on Hub_1
and Hub_2 to check the registration information of the Spoke. The display on Hub_1 is
used as an example:

[Hub_1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2     32    202.10.10.10  172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/1
Created time    : 00:02:59
Expire time     : 01:57:01
The branch can ping the headquarters successfully and data transmitted between them is
encrypted.

Run the display ipsec sa command on the Spoke. You can see that the Spoke has set up
an IPSec tunnel with Hub_1.

# Shut down GE1/0/0 on Hub_1 and GE2/0/0 on Hub_2 to simulate a fault on LTE
network 1.

[Hub_1] interface gigabitethernet 1/0/0
[Hub_1-GigabitEthernet1/0/0] shutdown
[Hub_1-GigabitEthernet1/0/0] quit
[Hub_2] interface gigabitethernet 2/0/0
[Hub_2-GigabitEthernet2/0/0] shutdown
[Hub_2-GigabitEthernet2/0/0] quit

Run the display nhrp peer all command on Hub_1 and Hub_2. You can see that the
Spoke registers to the headquarters through LTE network 2. The display on Hub_1 is
used as an example:

[Hub_1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr  Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.3.2     32    202.11.11.11  172.16.3.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/3
Created time    : 00:02:59
Expire time     : 01:57:01

The branch can ping the headquarters successfully and data transmitted between them is
encrypted.

[Spoke] ping -a 192.168.3.1 192.168.1.1
PING 192.168.1.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.1: bytes=56 Sequence=1 ttl=254 time=3 ms
Reply from 192.168.1.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.1.1: bytes=56 Sequence=3 ttl=255 time=2 ms
Reply from 192.168.1.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.1.1: bytes=56 Sequence=5 ttl=255 time=2 ms

--- 192.168.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/2/3 ms
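
On the Spoke, each hub reached through an nhrp entry is protected only if the IPSec policy bound to the tunnel source interface has an entry whose ACL permits that hub's public address and whose IKE peer points at the same address. The following is an added example, not part of the original guide: it checks a saved Spoke configuration for NHRP peers that no policy entry covers. The function names are hypothetical; the sample is a trimmed copy of the Spoke configuration in this example, indented as a saved configuration would be, and only permit rules with a destination are evaluated.

```python
import ipaddress
import re

# Trimmed Spoke configuration from this example (two of the four tunnels),
# indented the way a saved configuration nests sub-commands. Key ciphertexts
# are left out because the check does not read them.
SPOKE_CFG = """\
acl number 3001
 rule 5 permit ip destination 202.10.1.2 0
acl number 3003
 rule 5 permit ip destination 202.10.1.6 0
#
ike peer 1 v1
 remote-address 202.10.1.2
ike peer 3 v1
 remote-address 202.10.1.6
#
ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
ipsec policy policy1 30 isakmp
 security acl 3003
 ike-peer 3
 proposal 3
#
interface Cellular0/0/0
 ipsec policy policy1
#
interface Tunnel0/0/1
 source Cellular0/0/0
 nhrp entry 172.16.1.1 202.10.1.2 register track apn ltenet
#
interface Tunnel0/0/3
 source Cellular0/0/0
 nhrp entry 172.16.3.1 202.10.1.6 register track apn ltewap
"""
# Constructed fault for the demonstration: entry 30 references the wrong ACL.
BROKEN_CFG = SPOKE_CFG.replace(" security acl 3003\n", " security acl 3001\n")

def parse_blocks(text):
    """Split a configuration into (header_words, [sub_command_words]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.split())
        else:
            blocks.append((raw.split(), []))
    return blocks

def acl_permits(rules, addr):
    """True if a collected permit rule (destination, wildcard) matches addr."""
    target = int(ipaddress.ip_address(addr))
    return any(((target ^ net) & ~wild & 0xFFFFFFFF) == 0 for net, wild in rules)

def uncovered_nhrp_peers(text):
    """Return [(tunnel, hub_public_addr)] for NHRP peers no policy entry covers."""
    acls, peers, policies, bound, tunnels = {}, {}, {}, {}, []
    for head, subs in parse_blocks(text):
        if head[:2] == ["acl", "number"]:
            for w in subs:
                m = re.match(r"rule \d+ permit ip (?:.* )?destination (\S+) (\S+)", " ".join(w))
                if m:
                    net = int(ipaddress.ip_address(m.group(1)))
                    wild = 0 if m.group(2) == "0" else int(ipaddress.ip_address(m.group(2)))
                    acls.setdefault(head[2], []).append((net, wild))
        elif head[:2] == ["ike", "peer"]:
            for w in subs:
                if w[0] == "remote-address":
                    peers[head[2]] = w[1]
        elif head[:2] == ["ipsec", "policy"]:
            entry = {}
            for w in subs:
                if w[:2] == ["security", "acl"]:
                    entry["acl"] = w[2]
                elif w[0] == "ike-peer":
                    entry["peer"] = w[1]
            policies.setdefault(head[2], []).append(entry)
        elif head[0] == "interface":
            source, hubs = None, []
            for w in subs:
                if w[:2] == ["ipsec", "policy"]:
                    bound[head[1]] = w[2]       # policy applied to this interface
                elif w[0] == "source":
                    source = w[1]               # tunnel source interface
                elif w[:2] == ["nhrp", "entry"] and "register" in w:
                    hubs.append(w[3])           # hub public (NBMA) address
            tunnels += [(head[1], source, hub) for hub in hubs]
    findings = []
    for tunnel, source, hub in tunnels:
        entries = policies.get(bound.get(source), [])
        if not any(acl_permits(acls.get(e.get("acl"), []), hub)
                   and peers.get(e.get("peer")) == hub for e in entries):
            findings.append((tunnel, hub))
    return findings
```

Run against the full Spoke configuration, an empty result means every registered hub address is matched by a policy entry; any tuple returned names a tunnel whose GRE traffic would not be selected by policy1.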

Configuration Files

• Configuration file of Hub_1
 #
 sysname Hub_1
 #
 acl number 3001
 rule 5 permit ip source 202.10.1.2 0
 acl number 3003
 rule 5 permit ip source 202.10.1.6 0
 #
 ipsec proposal 1
 ipsec proposal 3
 #
 ike peer 1 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 ike peer 3 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 #
 ipsec policy-template use1 10
 security acl 3001
 ike-peer 1
 proposal 1
 ipsec policy-template use3 10
 security acl 3003
 ike-peer 3
 proposal 3
 #
 ipsec policy policy1 10 isakmp template use1
 ipsec policy policy3 10 isakmp template use3
 #
 interface GigabitEthernet1/0/0
 ip address 202.10.1.2 255.255.255.252
 ipsec policy policy1
 #
 interface GigabitEthernet2/0/0
 ip address 202.10.1.6 255.255.255.252
 ipsec policy policy3
 #
 interface GigabitEthernet3/0/0
 ip address 192.168.1.1 255.255.255.0
 #
 interface Tunnel0/0/1
 ip address 172.16.1.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#3isY%"^lX6F&N'Us)3x+\m@F0A2(SQ&=2|;K8abO%^%#
 nhrp authentication cipher %^%#1"<9Jp7D_'(SE-N.oVH5B5wZ=WO^KClOL|-UOIQ$%^%#
 nhrp registration no-unique
 nhrp entry multicast dynamic
 nhrp entry holdtime seconds 60
 #
 interface Tunnel0/0/3
 ip address 172.16.3.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet2/0/0
 gre key cipher %^%#=SXc*PbQgMQ|6<1H|8_W!PU!XFrjE7}LVC(ycs38%^%#
 nhrp authentication cipher %^%#EjU:.Y]}.8YZ8JK07')Qw\rTXJ|;LFAFfIH:C]W=%^%#
 nhrp registration no-unique
 nhrp entry multicast dynamic
 nhrp entry holdtime seconds 60
 #
 rip 1
 undo summary
 version 2
 network 172.16.0.0
 network 192.168.1.0
 #
 ip route-static 0.0.0.0 0.0.0.0 202.10.1.1
 ip route-static 0.0.0.0 0.0.0.0 202.10.1.5
 #
 return

• Configuration file of Hub_2
 #
 sysname Hub_2
 #
 acl number 3002
 rule 5 permit ip source 202.10.1.10 0
 acl number 3004
 rule 5 permit ip source 202.10.1.14 0
 #
 ipsec proposal 2
 ipsec proposal 4
 #
 ike peer 2 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 ike peer 4 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 #
 ipsec policy-template use2 10
 security acl 3002
 ike-peer 2
 proposal 2
 ipsec policy-template use4 10
 security acl 3004
 ike-peer 4
 proposal 4
 #
 ipsec policy policy2 10 isakmp template use2
 ipsec policy policy4 10 isakmp template use4
 #
 interface GigabitEthernet1/0/0
 ip address 202.10.1.14 255.255.255.252
 ipsec policy policy4
 #
 interface GigabitEthernet2/0/0
 ip address 202.10.1.10 255.255.255.252
 ipsec policy policy2
 #
 interface GigabitEthernet3/0/0
 ip address 192.168.1.2 255.255.255.0
 #
 interface Tunnel0/0/2
 ip address 172.16.2.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet2/0/0
 gre key cipher %^%#9gxVF{"ZQT;-D<%Gm2I1OQd5(uV!2>(3#q2%V3R#%^%#
 nhrp authentication cipher %^%#g9*MEwPqQOCw:@Jt2WS9:,LNDn[|8If>@9&!2zQQ%^%#
 nhrp registration no-unique
 nhrp entry multicast dynamic
 nhrp entry holdtime seconds 60
 #
 interface Tunnel0/0/4
 ip address 172.16.4.1 255.255.255.0
 tunnel-protocol gre p2mp
 source GigabitEthernet1/0/0
 gre key cipher %^%#Y4YfQCCO%Of+{(KpezQ9b!nWTt:6I9wR)o#:Kr,!%^%#
 nhrp authentication cipher %^%#BChE#]PR%Z'[<-&:Eq/GM@z=L%^%#BChE#]PR%Z'[<-&:Eq/GM@z=L
 nhrp registration no-unique
 nhrp entry multicast dynamic
 nhrp entry holdtime seconds 60
 #
 rip 1
 undo summary
 version 2
 network 172.16.0.0
 network 192.168.1.0
 #
 ip route-static 0.0.0.0 0.0.0.0 202.10.1.9
 ip route-static 0.0.0.0 0.0.0.0 202.10.1.13
 #
 return

• Configuration file of the Spoke
 #
 sysname Spoke
 #
 acl number 3001
 rule 5 permit ip destination 202.10.1.2 0
 acl number 3002
 rule 5 permit ip destination 202.10.1.10 0
 acl number 3003
 rule 5 permit ip destination 202.10.1.6 0
 acl number 3004
 rule 5 permit ip destination 202.10.1.14 0
 #
 ipsec proposal 1
 ipsec proposal 2
 ipsec proposal 3
 ipsec proposal 4
 #
 ike peer 1 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 remote-address 202.10.1.2
 ike peer 2 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 remote-address 202.10.1.10
 ike peer 3 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 remote-address 202.10.1.6
 ike peer 4 v1
 pre-shared-key cipher %^%#O3uIP\/YNF+`AcJhbZ&C7y*iVlOOU@DraF58J4=;%^%#
 remote-address 202.10.1.14
 #
 ipsec policy policy1 10 isakmp
 security acl 3001
 ike-peer 1
 proposal 1
 ipsec policy policy1 20 isakmp
 security acl 3002
 ike-peer 2
 proposal 2
 ipsec policy policy1 30 isakmp
 security acl 3003
 ike-peer 3
 proposal 3
 ipsec policy policy1 40 isakmp
 security acl 3004
 ike-peer 4
 proposal 4
 #
 interface GigabitEthernet1/0/0
 ip address 192.168.3.1 255.255.255.0
 #
 interface Cellular0/0/0
 dialer enable-circular
 dialer-group 1
 dialer timer autodial 15
 dialer timer probe-interval 15
 dialer number *99# autodial
 apn-profile ltenet priority 200 track nqa admin tunnel0/0/1 admin tunnel0/0/2
 apn-profile ltewap priority 150 track nqa admin tunnel0/0/3 admin tunnel0/0/4
 ip address negotiate
 ipsec policy policy1
 #
 interface Tunnel0/0/1
 ip address 172.16.1.2 255.255.255.0
 rip metricin 1
 tunnel-protocol gre p2mp
 source Cellular0/0/0
 gre key cipher %^%#3isY%"^lX6F&N'Us)3x+\m@F0A2(SQ&=2|;K8abO%^%#
 nhrp authentication cipher %^%#1"<9Jp7D_'(SE-N.oVH5B5wZ=WO^KClOL|-UOIQ$%^%#
 nhrp registration interval 20
 nhrp entry 172.16.1.1 202.10.1.2 register track apn ltenet
 #
 interface Tunnel0/0/2
 ip address 172.16.2.2 255.255.255.0
 rip metricin 7
 rip metricout 7
 tunnel-protocol gre p2mp
 source Cellular0/0/0
 gre key cipher %^%#9gxVF{"ZQT;-D<%Gm2I1OQd5(uV!2>(3#q2%V3R#%^%#
 nhrp authentication cipher %^%#g9*MEwPqQOCw:@Jt2WS9:,LNDn[|8If>@9&!2zQQ%^%#
 nhrp registration interval 20
 nhrp entry 172.16.2.1 202.10.1.10 register track apn ltenet
 #
 interface Tunnel0/0/3
 ip address 172.16.3.2 255.255.255.0
 rip metricin 4
 rip metricout 4
 tunnel-protocol gre p2mp
 source Cellular0/0/0
 gre key cipher %^%#=SXc*PbQgMQ|6<1H|8_W!PU!XFrjE7}LVC(ycs38%^%#
 nhrp authentication cipher %^%#EjU:.Y]}.8YZ8JK07')Qw\rTXJ|;LFAFfIH:C]W=%^%#
 nhrp registration interval 20
 nhrp entry 172.16.3.1 202.10.1.6 register track apn ltewap
 #
 interface Tunnel0/0/4
 ip address 172.16.4.2 255.255.255.0
 rip metricin 10
 rip metricout 10
 tunnel-protocol gre p2mp
 source Cellular0/0/0
 gre key cipher %^%#Y4YfQCCO%Of+{(KpezQ9b!nWTt:6I9wR)o#:Kr,!%^%#
 nhrp authentication cipher %^%#BChE#]PR%Z'[<-&:Eq/GM@z=L%^%#BChE#]PR%Z'[<-&:Eq/GM@z=L
 nhrp registration interval 20
 nhrp entry 172.16.4.1 202.10.1.14 register track apn ltewap
 #
 dialer-rule
 dialer-rule 1 ip permit
 #
 apn profile ltenet
 apn LTENET1
 sim-id 1
 apn profile ltewap
 apn LTENET2
 sim-id 2
 #
 rip 1
 version 2
 network 172.16.0.0
 network 192.168.3.0
 #
 ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0
 #
 nqa test-instance admin tunnel0/0/1
 test-type icmp
 destination-address ipv4 172.16.1.1
 source-address ipv4 172.16.1.2
 frequency 15
 source-interface Tunnel0/0/1
 start now
 nqa test-instance admin tunnel0/0/2
 test-type icmp
 destination-address ipv4 172.16.2.1
 source-address ipv4 172.16.2.2
 frequency 15
 source-interface Tunnel0/0/2
 start now
 nqa test-instance admin tunnel0/0/3
 test-type icmp
 destination-address ipv4 172.16.3.1
 source-address ipv4 172.16.3.2
 frequency 15
 source-interface Tunnel0/0/3
 start now
 nqa test-instance admin tunnel0/0/4
 test-type icmp
 destination-address ipv4 172.16.4.1
 source-address ipv4 172.16.4.2
 frequency 15
 source-interface Tunnel0/0/4
 start now
 #
return

7.3.10.6.9 Common Configuration Errors


This section describes common faults caused by incorrect DSVPN configurations and provides
the troubleshooting procedure.
Spoke Fails to Register with a Hub
Spokes Cannot Communicate with Each Other in the Non-shortcut Scenario
Spokes Cannot Communicate with Each Other in the Shortcut Scenario
Backup Hub Only Forwards Data After the Master Hub Fails

7.3.10.6.9.1 Spoke Fails to Register with a Hub

Fault Description

After the display nhrp peer command is executed on the Hub, no NHRP mapping entry that
records the mapping between the tunnel address of the Spoke and the public network address is
displayed.

Procedure

1. Check that the Spoke has reachable routes to the remote Spoke and the Hub.

Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether routes to the Spoke exist in the local IP routing table.

o If there is no reachable route between the Spoke and its remote Spoke, or between
the Spoke and Hub, check the configurations of routes on the Spoke and Hub. For
the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If there are reachable routes between the Spoke and its remote Spoke, and
between the Spoke and Hub, go to step 2.
2. Check that configurations of the Spoke and Hub are correct.

Run the display nhrp peer command on the Spoke and Hub to check NHRP mapping
entries.

If the Hub does not have dynamic NHRP mapping entries of the Spoke, run the display
this command on mGRE tunnel interfaces of the Spoke and Hub to check whether the
configurations on both ends are consistent. The following table lists the fields in the
command output that you need to check and the follow-up operations.

| Item | Check Standard and Operation |
| --- | --- |
| nhrp authentication | Check whether NHRP authentication string configurations of the Spoke and Hub are the same. If they are different, run the nhrp authentication command to modify the configurations. |
| nhrp entry | Check whether the static NHRP mapping entries on the Spoke contain the interface information of the Hub. If not, run the nhrp entry command to modify the configurations. |
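
The two checks in step 2 can also be run offline against saved display this output from both tunnel interfaces. The following is an added example, not Huawei's code: the function names, the `<ciphertext>` placeholder and the trimmed sample stanzas are assumptions, and because authentication strings are stored as ciphertext the example assumes they cannot be compared textually, so it only verifies that authentication is configured on both ends.

```python
import ipaddress
import re

def parse_tunnel(stanza):
    """Pull the NHRP-relevant fields out of one tunnel interface's 'display this' text."""
    t = {"ip": None, "auth": False, "entries": []}
    for line in (l.strip() for l in stanza.splitlines()):
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            t["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif line.startswith("nhrp authentication"):
            t["auth"] = True
        elif m := re.match(r"nhrp entry (\d\S*) (\d\S*)", line):  # static entries only
            t["entries"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
    return t

def check_registration(hub_stanza, spoke_stanza, hub_public):
    """Return a list of mismatches that would stop the Spoke registering with the Hub."""
    hub, spoke = parse_tunnel(hub_stanza), parse_tunnel(spoke_stanza)
    if hub["ip"] is None or spoke["ip"] is None:
        return ["tunnel interface has no static ip address"]
    findings = []
    if hub["auth"] != spoke["auth"]:  # assumption: ciphertext not comparable, presence only
        findings.append("nhrp authentication is configured on only one end")
    if hub["ip"].ip not in spoke["ip"].network:
        findings.append("Hub tunnel address is outside the Spoke tunnel subnet")
    mapped = [pub for tun, pub in spoke["entries"] if tun == hub["ip"].ip]
    if not mapped:
        findings.append("Spoke has no nhrp entry for the Hub tunnel address")
    elif ipaddress.ip_address(hub_public) not in mapped:
        findings.append("nhrp entry maps the Hub tunnel address to the wrong public address")
    return findings

# Constructed samples modelled on the 172.16.4.0/24 tunnel; ciphertext replaced by a placeholder.
HUB = """
 ip address 172.16.4.1 255.255.255.0
 nhrp authentication cipher <ciphertext>
 nhrp entry multicast dynamic
"""
SPOKE_OK = """
 ip address 172.16.4.2 255.255.255.0
 nhrp authentication cipher <ciphertext>
 nhrp entry 172.16.4.1 202.10.1.14 register track apn ltewap
"""
# Same Spoke with the authentication line dropped and the Hub public address mistyped.
SPOKE_BAD = SPOKE_OK.replace(" nhrp authentication cipher <ciphertext>\n", "").replace("202.10.1.14", "202.10.1.6")

if __name__ == "__main__":
    for spoke in (SPOKE_OK, SPOKE_BAD):
        print(check_registration(HUB, spoke, "202.10.1.14"))
```

An empty list means the saved configurations agree on the items in the table; the authentication strings themselves still have to be confirmed on the devices.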

7.3.10.6.9.2 Spokes Cannot Communicate with Each Other in the Non-shortcut Scenario

Fault Description

After the non-shortcut scenario of DSVPN is configured, the Spokes cannot communicate with
each other.

Procedure

1. Check whether subnet routes are available between Spokes, and between Spokes and the
Hub, and whether the next hop addresses of subnet routes are the tunnel addresses of the
peer devices.

Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether subnet routes to Spokes exist in the local IP routing table.

o If no subnet route is available between Spokes, and between Spokes and the Hub,
configure subnet routes. For the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
but the next hop to the destination subnet is not the tunnel address of the remote
device, configure routing information to set the next hop to the destination subnet
to the tunnel address of remote device. For details, see Configuring Routes.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
and the next hop to the destination subnet is the tunnel address of remote device,
go to step 2.
2. Check whether NHRP mapping entries of a local Spoke have been generated on the Hub
and the remote Spoke.

Run the display nhrp peer command on the Hub and Spoke to check NHRP mapping
entries.

If no NHRP mapping entry of the Spoke is generated on the Hub, rectify the fault
according to Spoke Fails to Register with a Hub.


7.3.10.6.9.3 Spokes Cannot Communicate with Each Other in the Shortcut Scenario

Fault Description

After the shortcut scenario of DSVPN is configured, the Spokes cannot communicate with each
other.

Procedure

1. Check that subnet routes are available between Spokes, and between Spokes and the Hub.

Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether subnet routes to Spokes exist in the local IP routing table.

o If no subnet route is available between Spokes, and between Spokes and the Hub,
configure subnet routes. For the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
go to step 2.
2. Check whether the next hop to the destination subnet is the tunnel address of the Hub.

Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist.
o If the next hop to the destination subnet is not the tunnel address of the Hub,
configure routing information to set the next hop to the destination subnet to the
tunnel address of the remote Spoke. For details, see Configuring Routes.
o If the next hop to the destination subnet is the tunnel address of the Hub, go to
step 3.
3. Check whether NHRP mapping entries of a local Spoke have been generated on the Hub
and the remote Spoke.

Run the display nhrp peer command on the Hub and Spoke to check NHRP mapping
entries.

If no NHRP mapping entry of the Spoke is generated on the Hub, rectify the fault
according to Spoke Fails to Register with a Hub.


7.3.10.6.9.4 Backup Hub Only Forwards Data After the Master Hub Fails

Fault Description

In a dual-Hub DSVPN scenario, the backup Hub only forwards data after the master Hub fails. No
tunnel can be established between the Spokes.

Procedure

1. Check whether the public addresses configured on the master and backup Hubs are on the
same network segment.

Run the display this command on the mGRE interfaces of the master and backup Hubs to
check whether the IP addresses of the Hubs are on the same network segment.

o If so, change the IP address of one Hub to an IP address on a different network
segment.
o If not, go to step 2.
2. Check whether routes to the master Hub are available on the Spokes.

Run the display ip routing-table command on the Spokes to check whether routes to the Hub
exist.
If the IP routing table contains routes to the master Hub, delete the routes. For details,
see Huawei AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - IP Routing.


7.3.10.6.10 References
This section lists references of DSVPN.

The following table lists the references of this document.

| Document | Description |
| --- | --- |
| RFC2332 | Next Hop Resolution Protocol |