Contents
7.3.3.13 LTE Cellular Interface Configuration
7.3.3.13.1 Introduction to LTE Cellular Interfaces
7.3.3.13.2 Principles
7.3.3.13.2.1 LTE Network Architecture
7.3.3.13.2.2 LTE Hardware and Supported Frequency Bands and Rates
7.3.3.13.2.3 LTE Dial-up Connection Setup
7.3.3.13.2.4 APN
7.3.3.13.3 Configuration Notes
7.3.3.13.4 Applications
7.3.3.13.4.1 LTE Links as Backup WAN Links
7.3.3.13.4.2 LTE Links as Primary WAN Links
7.3.3.13.4.3 VPN Tunnel to the Enterprise Headquarters over an LTE Link
7.3.3.13.4.4 Data Communication and VoIP Communication Using LTE Multi-APN
7.3.3.13.4.5 Accessing Different LTE Networks Using Dual SIM Cards
7.3.3.13.5 Configuration Tasks
7.3.3.13.6 Default Configuration
7.3.3.13.7 Setting Connection Parameters of LTE Cellular Interfaces
7.3.3.13.7.1 (Optional) Configuring the Default APN
7.3.3.13.7.2 Selecting a PLMN
7.3.3.13.7.3 (Optional) Configuring the Service Domain
7.3.3.13.7.4 (Optional) Manually Configuring Frequency Bands
7.3.3.13.7.5 Configuring a Network Connection Mode
7.3.3.13.7.6 Configuring an APN Profile (A Single SIM Card and A Single APN)
7.3.3.13.7.7 Configuring an APN Profile (A Single SIM Card and Dual APNs)
7.3.3.13.7.8 Configuring APN Profiles (Dual SIM Cards and a Single APN)
7.3.3.13.7.9 Configuring the MTU
7.3.3.13.7.10 Checking the Configuration
7.3.3.13.8 Configuring C-DCC for Dial-up Connection
7.3.3.13.9 Configuring PIN Management
7.3.3.13.10 (Optional) Configuring the Function of Receiving and Sending SMS Messages
7.3.3.13.11 (Optional) Configuring the SMS Alarm Function
7.3.3.13.12 Maintaining LTE Cellular Interfaces
7.3.3.13.12.1 Restarting an LTE Modem Manually
7.3.3.13.12.2 Automatically Restarting an LTE Modem
7.3.3.13.12.3 Using an NQA Test Instance to Detect a 3G or LTE Link
7.3.3.13.12.4 Restarting an LTE Modem After Several Consecutive Dial-up Failures
7.3.3.13.12.5 Clearing Statistics on LTE Cellular Interfaces
7.3.3.13.12.6 Enabling the WWAN Log Function
7.3.3.13.13 Configuration Examples
7.3.3.13.13.1 Example for Configuring an LTE Cellular Interface as the Primary Interface to Connect to the Internet
7.3.3.13.13.2 Example for Configuring an LTE Cellular Interface as the Backup Interface to Connect to the Internet
7.3.3.13.13.3 Example for Configuring LTE Cellular Interfaces as the Primary/Backup Interfaces to Connect to the Internet (Using Two 1LTE-L Interface Cards)
7.3.3.13.13.4 Configuring LTE Cellular Interfaces to Use the Multi-APN Function for Data and VoIP Communication
7.3.3.13.13.5 Example for Accessing Different LTE Networks Using Dual SIM Cards
7.3.3.13.14 References
7.3.10.6 DSVPN Configuration
7.3.10.6.1 Overview
7.3.10.6.2 Principles
7.3.10.6.2.1 Basic Concepts
7.3.10.6.2.2 Basic Principles
7.3.10.6.2.3 DSVPN NAT Traversal
7.3.10.6.2.4 DSVPN Dual-Hub Backup
7.3.10.6.2.5 IPSec-based DSVPN
7.3.10.6.3 Applications
7.3.10.6.3.1 DSVPN Deployment on a Small- or Medium-sized Network
7.3.10.6.3.2 DSVPN Deployment on a Large-sized Network
7.3.10.6.4 Configuration Notes
7.3.10.6.5 Default Configuration
7.3.10.6.6 Configuring DSVPN
7.3.10.6.6.1 Configuring mGRE
7.3.10.6.6.2 Configuring Routes
7.3.10.6.6.3 Configuring NHRP
7.3.10.6.6.4 (Optional) Configuring an IPSec Profile
7.3.10.6.6.5 Checking the Configuration
7.3.10.6.7 Maintaining DSVPN
7.3.10.6.7.1 Clearing DSVPN Statistics
7.3.10.6.7.2 Displaying the DSVPN Statistics
7.3.10.6.8 Configuration Examples
7.3.10.6.8.1 Example for Configuring Non-Shortcut Scenario of DSVPN (Static Route)
7.3.10.6.8.2 Example for Configuring Non-Shortcut Scenario of DSVPN (RIP)
7.3.10.6.8.3 Example for Configuring Non-Shortcut Scenario of DSVPN (OSPF)
7.3.10.6.8.4 Example for Configuring Non-Shortcut Scenario of DSVPN (BGP)
7.3.10.6.8.5 Example for Configuring Shortcut Scenario of DSVPN (RIP)
7.3.10.6.8.6 Example for Configuring Shortcut Scenario of DSVPN (OSPF)
7.3.10.6.8.7 Example for Configuring Shortcut Scenario of DSVPN (BGP)
7.3.10.6.8.8 Example for Configuring DSVPN NAT traversal
7.3.10.6.8.9 Example for Configuring Dual-Hub DSVPN
7.3.10.6.8.10 Example for configuring IPSec-based DSVPN
7.3.10.6.8.11 Example for Configuring a Dual-Hub DSVPN Protected by IPSec
7.3.10.6.8.12 Example for Configuring a DSVPN Based on the LTE Dialup Status
7.3.10.6.9 Common Configuration Errors
7.3.10.6.9.1 Spoke Fails to Register with a Hub
7.3.10.6.9.2 Spokes Cannot Communicate with Each Other in the Non-shortcut Scenario
7.3.10.6.9.3 Spokes Cannot Communicate with Each Other in the Shortcut Scenario
7.3.10.6.9.4 Backup Hub Only Forwards Data After the Master Hub Fails
7.3.10.6.10 References
Definition
Long Term Evolution (LTE) is a standard developed by the 3rd Generation Partnership Project
(3GPP) for the Universal Mobile Telecommunications System (UMTS).
LTE is an improvement over 3G technology but is not yet 4G technology; it is a transition
from 3G to 4G. Compared with 3G technology, LTE has the following technical
advantages:
Higher data transmission rate: LTE provides a downstream peak rate of 100 Mbit/s and
an upstream peak rate of 50 Mbit/s over a 20 MHz bandwidth.
Improved spectrum efficiency.
Increased network deployment flexibility: LTE supports bandwidth ranging from 1.25
MHz to 20 MHz.
QoS guarantee: The LTE system design and strict QoS mechanism ensure better QoS for
delay-sensitive services such as voice over Internet Protocol (VoIP).
Shorter delay on wireless networks.
Higher cell edge bit rate: The high bit rate delivers higher performance for users located
on the cell edge.
Backward compatibility: LTE is compatible with the existing 3G system and with
non-3GPP systems.
An LTE cellular interface is a physical interface supporting Long Term Evolution (LTE)
technology. Compared with 3G technology, LTE technology provides enterprises with the high-
bandwidth wireless WAN access service.
Type
LTE hardware includes LTE data cards, LTE interface cards, and LTE modules. A device
equipped with an LTE data card or LTE interface card provides LTE cellular interfaces, and
an LTE module provides LTE cellular interfaces directly. LTE data cards, LTE interface cards,
and LTE modules all have a built-in LTE modem. An LTE cellular interface manages one LTE
modem. The LTE cellular interface uses the LTE modem for wireless data transmission at the
physical layer, PPP or Wireless Wide Area Network (WWAN) at the data link layer, and IP at
the network layer.
In addition, the LTE cellular interface provided by a 1LTE-L interface card can be configured
with two LTE channel interfaces, numbered 1 and 2.
NOTE:
You can re-insert an LTE data card into the device 5 seconds after the card is removed. If the
device cannot identify an LTE data card because the card was removed and reinserted too
quickly, restart the device.
LTE includes time division LTE (TD-LTE) and frequency division duplex LTE (FDD-LTE).
LTE cellular interfaces can connect to both FDD-LTE and TD-LTE networks. Among 3G
networks, LTE cellular interfaces can connect only to GSM, WCDMA, and TD-SCDMA
networks, not to CDMA2000 networks.
Purpose
LTE technology deployed on routers provides wireless access and interconnection for enterprise
branches or small- and medium-sized enterprises. Compared with 3G technology, LTE
technology provides higher bandwidth on wireless WAN links to transmit more voice, data, and
video services for enterprise users.
Enterprises can use LTE technology to replace or back up wired WAN links such as Ethernet,
digital subscriber line (DSL), frame relay (FR), and integrated services digital network (ISDN)
links. LTE allows flexible, efficient, and fast network deployment, and provides a backup for
wired WAN links on an enterprise network.
Benefits
Wired WAN link backup: LTE technology backs up wired links such as Ethernet and
DSL, ensuring uninterrupted services if the wired links fail.
Flexible, efficient, and fast network deployment: LTE technology provides service
coverage even in remote areas and mobile office scenarios.
Secure virtual private network (VPN) access: An enterprise branch can set up a tunnel
with the enterprise headquarters on LTE links using VPN technologies, such as Generic
Routing Encapsulation (GRE), Layer 2 Tunneling Protocol (L2TP), or Internet Protocol
Security (IPSec) VPN. This tunnel allows the enterprise branch to communicate with the
headquarters in a fast, secure, and efficient way.
Data services and multimedia services: LTE allows a router to connect to different
gateways using different access point names (APNs). For example, the router can use one
APN to access the Internet, and another APN to access the IP multimedia subsystem
(IMS). QoS settings on the router can be configured to control the quality of data and
multimedia services on the router.
Limitations
Because of the inherent limitations of wireless transmission, LTE links are subject to the
following limitations in throughput and delay, and to restrictions imposed by carriers:
Throughput: varies depending on the number of active users and network congestion.
This is a common limitation of wireless networks.
Delay: varies depending on the quality of network services provided by carriers and may
increase due to network congestion. Compared with wired networks, wireless networks
may cause longer delays.
Carriers may pose other limitations on LTE.
Table 1 describes LTE network elements (NEs). A router connects to the LTE network as user
equipment (UE).
USB data card (LTE data card): inserted in the USB interface on the SRU.
LTE interface card: has built-in LTE modem and is installed in a slot on the router.
NOTE:
Install a SIM card on an LTE modem or interface card before using the LTE feature.
LTE is classified into time division LTE (TD-LTE) and frequency division duplex LTE (FDD-
LTE).
Table 1 lists the frequency bands and rates supported by an LTE interface card (1LTE-L).
Rates:
  GSM CS:    upstream 14.4 kbit/s,  downstream 14.4 kbit/s
  GPRS:      upstream 85.6 kbit/s,  downstream 85.6 kbit/s
  EDGE:      upstream 236.8 kbit/s, downstream 236.8 kbit/s
  WCDMA CS:  upstream 64 kbit/s,    downstream 64 kbit/s
  WCDMA PS:  upstream 384 kbit/s,   downstream 384 kbit/s
  HSPA+:     upstream 5.76 Mbit/s,  downstream 21.6 Mbit/s
  DC-HSPA+:  upstream 5.76 Mbit/s,  downstream 42 Mbit/s
  LTE FDD:   upstream 50 Mbit/s,    downstream 100 Mbit/s
Table 2 lists the frequency bands and rates supported by a USB data card (E392).
Automatic dial-up: The DCC initiates a dial-up connection to the PGW immediately after the
router starts. The dial-up process does not need to be triggered by data packets. If the DCC
fails to set up a connection with the PGW, it retries after an interval.
This mode applies to users who are not charged based on traffic or time, for example,
users who have subscribed to yearly-package services.
Dial-on-demand: The router sets up a connection only when data needs to be transmitted.
When no traffic is transmitted on the connection within a specified period, the router tears
down the connection to save traffic.
This mode applies to users who are charged based on traffic or time. For example,
users of a traffic-package service can use a certain volume of traffic within a specified
period, so the dial-on-demand mode suits these users.
As shown in Figure 1, when data needs to be transmitted or the dial-up timer expires, the router
uses C-DCC to initiate a dial-up on a cellular interface and enables the LTE modem to connect to
the PGW.
Figure 1 LTE dial-up connection setup
1. When data needs to be transmitted or the dial-up timer expires, the router uses C-DCC to
initiate a dial-up on a cellular interface. The cellular interface sends a connection setup
request message to the LTE modem.
2. The LTE modem sends a connection setup request message to the PGW. The message
contains user authentication information including the access point name (APN), user
name, and password.
3. The PGW authenticates the user identity. After authentication succeeds, the PGW sets up
a connection with the LTE modem and assigns an IP address to the LTE modem.
4. The LTE modem instructs the cellular interface to go Up physically.
5. The cellular interface negotiates with the LTE modem to obtain an IP address.
6. The cellular interface sets up a connection with the PGW and forwards data services.
NOTE:
The LTE module of the device does not support forwarding of DHCP packets.
7.3.3.13.2.4 APN
Definition
An access point name (APN) identifies an external packet data network (PDN) that a user needs
to access. Users connect to a PDN through the APN of that PDN. As shown in Figure 1, a router
can connect to the carrier's PDN and to the enterprise's gateway using the APNs configured for
the carrier and the enterprise respectively. For example, APN1 is used to access the IMS
network, and APN2 is used to access the enterprise data gateway.
LTE Multi-APN
In Figure 2, the 1LTE-L interface card on the router supports two APNs that share the same
cellular interface. You need to bind each APN to a cellular channel interface configured on the
cellular interface. Each cellular channel interface is a logical service interface that has its own IP
address, DCC dial-up configuration, and services (such as voice, data, and VPN).
None.
License Support
LTE Cellular Interface is a basic capability of an AR router and is not under license control.
In addition to the 1LTE-L, 1LTE-LV, and 1LTEC interface cards, the 3G data cards listed in
Table 1 can be used.
Only the LTE cellular interface Cellular 0/0/0 on the AR161FG-L, AR169FGW-L,
AR169FGVW-L, AR169G-L, AR161G-L, and AR161FGW-L with built-in ME906E modules
supports the multi-APN configuration.
The dual-SIM functions can be configured only on the LTE cellular interface (Cellular 0/0/0)
supported by the AR121GW-L, AR129GW-L, AR161FG-L, AR169FGW-L, AR169FGVW-L,
AR169G-L, AR161G-L, AR161FGW-La, and AR161FGW-L.
LTE interface cards support both the multi-APN configuration and the dual-SIM
configuration.
NOTE:
The LTE data card used by Huawei devices must be E392 or E8278. Otherwise, configuration
faults may occur.
Authorized frequencies vary by country and carrier. When enterprises use LTE data cards to
provide LTE services, check that the frequencies provided by the carrier are supported by the
LTE data card.
When the E392 data cards are inserted into two USB interfaces on the device to connect to the
Internet through dual uplinks, the two LTE links formed by the E392 data cards must use PPP as
the link-layer protocol and obtain IP addresses through PPP negotiation.
7.3.3.13.4 Applications
This section describes the scenarios in which LTE cellular interfaces are used.
In Figure 2, an enterprise branch has two LTE links to connect to the headquarters. LTE link 1 is
the primary link and connects to LTE network 1 of Carrier A. LTE link 2 is the backup link and
connects to LTE network 2 of Carrier B. If the primary link fails, traffic is immediately switched
to the backup LTE link, enhancing reliability of Internet access from the enterprise branch.
In Figure 1, an enterprise branch dials up to the Internet through an LTE link and sets up an IPSec
VPN tunnel with the headquarters. The tunnel protects traffic between the enterprise branch and
the headquarters.
Figure 1 Communication between the enterprise branch and the headquarters using an IPSec
VPN tunnel
To improve the data transmission reliability of the LTE link, the branch uses an LTE cellular
interface that supports dual SIM cards. One SIM card functions as the master SIM card and
connects to LTE network 1; the other functions as the backup SIM card and connects to LTE
network 2. If dial-up fails because the account balance of the master SIM card is insufficient,
the master SIM card is faulty, the LTE link signal quality is poor, or the connected LTE network
is faulty, traffic is automatically switched to the backup SIM card, ensuring uninterrupted
enterprise services.
Figure 1 Networking diagram for accessing different LTE networks using dual SIM cards
To configure LTE cellular interfaces, set the interface connection parameters and configure C-
DCC for dial-up connection so that the LTE cellular interfaces can connect to the LTE network.
You can also configure the PIN management function to ensure security of SIM cards.
NOTE:
This chapter describes the connection parameters of LTE cellular interfaces, C-DCC for dial-up
connection, and PIN management. Depending on enterprise service requirements, you may also
need to configure PPP, DHCP, DNS, NAT, firewall, and backup interface functions. For details,
see the relevant configuration guides.
Pre-configuration Tasks
Before setting the connection parameters of LTE cellular interfaces, complete the following
tasks:
Procedure
Follow the steps to set the connection parameters of LTE cellular interfaces. You can perform
Configuring an APN Profile (A Single SIM Card and A Single APN), Configuring an APN Profile (A Single SIM Card
and Dual APNs), and Configuring APN Profiles (Dual SIM Cards and a Single APN) in any sequence. Other
steps must be performed in sequence.
Some carriers require that devices connect to LTE networks through the default APN, whereas
other carriers do not have such requirements. You can determine whether to configure the default
APN for an LTE network based on the carrier's requirements. By default, no default APN is
configured for an LTE network.
NOTE:
Procedure
1. Run:
system-view
2. Run:
3. Run:
To delete the default APN configured for an LTE network, run the profile delete lte-default
command.
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
You can manually select a Public Land Mobile Network (PLMN) for an LTE data card or
configure the data card to automatically select a PLMN.
By default, an LTE data card automatically selects a PLMN. If you have subscribed to LTE
services and obtained the mobile country code (MCC) and mobile network code (MNC), you can
manually select a PLMN.
Procedure
1. Run:
system-view
2. Run:
3. Run:
plmn search
The 3G network supports both the CS domain and PS domain. The LTE network supports only
the PS domain. To prevent services in the CS domain from changing the network from an LTE
network to a 3G network, you can configure an LTE modem to work only in the PS domain
when it connects to an LTE network.
Procedure
1. Run:
system-view
2. Run:
3. Run:
NOTE:
You can run the service domain ps-only command to configure an LTE modem to work
only in the PS domain when it connects to an LTE network.
GSM/WCDMA/LTE networks of network carriers can provide multiple frequency bands for user
access. When the frequency band of a GSM/WCDMA/LTE network changes after LTE cellular
interfaces are connected to the GSM/WCDMA/LTE network, the LTE data card automatically
adjusts the frequency band accordingly, which affects stability of LTE links.
When the frequency band of a GSM/WCDMA/LTE network that you access is fixed, you can set
the frequency band of the GSM/WCDMA/LTE network that LTE cellular interfaces are
connected to. This prevents frequency band changes caused by frequency interference and
ensures LTE link stability.
Procedure
1. Run:
system-view
2. Run:
3. Run:
The frequency band of the GSM network that LTE cellular interfaces are
connected to is manually configured.
1. Run:
system-view
2. Run:
3. Run:
The frequency band of the WCDMA network that LTE cellular interfaces are
connected to is manually configured.
1. Run:
system-view
2. Run:
3. Run:
The frequency band of the LTE network that LTE cellular interfaces are
connected to is manually configured.
LTE cellular interfaces can connect to a 3G or LTE network only when the network connection
mode configured for the LTE modem matches the type of network provided by the carrier. If
the 3G or LTE network connection mode configured for an LTE modem is inconsistent with the
network type provided by the carrier, configure the correct network connection mode.
Procedure
1. Run:
system-view
2. Run:
3. Run:
By default, the 3G or LTE network connection mode is auto for an LTE modem.
An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.
You can create an APN profile to configure an APN. In the scenario where a single SIM card
and a single APN are available, create an APN profile and bind it to an LTE cellular
interface so that the APN can be used to access the Internet for data communication.
Procedure
NOTE:
You are advised to create an APN profile to configure an APN. You are not advised to
run the profile create profile-number { dynamic | static apn } command in the LTE
cellular interface view to configure an APN by creating a 3G modem parameter profile.
a. Run:
system-view
b. Run:
c. Run:
apn apn-name
By default, no APN is configured in the APN profile. During LTE dial-up, the apn-name
configured in the APN profile is the access point name (APN) presented to the network.
NOTE:
APNs are provided by the carrier.
Generally, China Mobile provides the APN CMNET, China Telecom
provides the APN CTLTE, and China Unicom provides the APN 3GNET.
After an APN is configured, it is permanently recorded in an LTE data
card. If the APN changes, reconfigure it.
d. (Optional) Run:
The user name, password, and authentication mode for accessing the external
PDN network are configured.
By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.
Contact the carrier when configuring the user name, password, and authentication
mode.
NOTE:
quit
b. Run:
If track nqa is specified, the device performs an NQA probe on the LTE network
when the dial-up initiated through an LTE cellular interface succeeds. The device
terminates the LTE link after three consecutive NQA probe failures. Additionally,
you can run the dialer timer probe-interval command to set the NQA probe interval.
An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.
You can create an APN profile to configure an APN. In the scenario where a single SIM card
and dual APNs are available, create two APN profiles and bind them respectively to the two
LTE channel interfaces configured on an LTE cellular interface. One APN connects to the
Internet for data communication, and the other connects to the IMS network for VoIP
communication.
Procedure
a. Run:
system-view
b. Run:
c. Run:
apn apn-name
NOTE:
APNs are provided by the carrier.
Generally, China Mobile provides the APN CMNET, China Telecom
provides the APN CTLTE, and China Unicom provides the APN 3GNET.
After an APN is configured, it is permanently recorded in an LTE data
card. If the APN changes, reconfigure it.
d. (Optional) Run:
The user name, password, and authentication mode for accessing the external
PDN network are configured.
By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.
Contact the carrier when configuring the user name, password, and authentication
mode.
NOTE:
quit
b. Run:
multi-apn enable
c. Run:
quit
b. Run:
If track nqa is specified, the device performs an NQA probe on the LTE network
when the dial-up initiated through an LTE channel interface succeeds. The device
terminates the LTE link after three consecutive NQA probe failures. Additionally,
you can run the dialer timer probe-interval command to set the NQA probe interval.
NOTE:
Repeat this step to bind the other APN profile to the other LTE channel interface.
Follow-up Procedure
The two APNs share the uplink bandwidth of the LTE cellular interface, so QoS is required to
schedule services by APN. For example, if one APN carries voice services and the other
carries data services, voice services must be transmitted with a higher priority. Configure QoS
on the LTE cellular interface to ensure that voice services are scheduled preferentially. For
details on how to configure QoS, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series Enterprise
Routers Configuration Guide - QoS.
An access point name (APN) identifies an external PDN network (for example, the Internet or
IMS network) that users want to access.
You can create an APN profile to configure an APN. In the scenario where dual SIM cards and a
single APN are available, you can create two APN profiles, bind one to the master SIM card and
the other to the backup SIM card, and bind the two APN profiles to the same LTE cellular
interface. The two SIM cards connect to different LTE networks. If dial-up fails because the
account balance of the master SIM card is insufficient, the master SIM card is faulty, the LTE
link signal quality is poor, or the connected LTE network is faulty, traffic is automatically
switched to the backup SIM card, ensuring uninterrupted enterprise services.
NOTE:
The master and backup SIM cards cannot simultaneously work. Upon a SIM card switchover,
traffic is interrupted for a short period.
Procedure
a. Run:
system-view
The system view is displayed.
b. Run:
c. Run:
apn apn-name
NOTE:
sim-id sim-id
The SIM card ID is set to specify the master or backup SIM card to which the
APN profile is bound.
sim-id can be 1 or 2.
The value 1 indicates that the APN profile is bound to the master SIM
card.
The value 2 indicates that the APN profile is bound to the backup SIM
card.
e. (Optional) Run:
The user name, password, and authentication mode for accessing the external
PDN network are configured.
By default, the user name, password, and authentication mode for accessing an
external PDN network are not configured.
Contact the carrier when configuring the user name, password, and authentication
mode.
NOTE:
quit
NOTE:
After the APN profile to be bound to the master SIM card is created, repeat Creating an APN
profile to create the APN profile to be bound to the backup SIM card.
4. Binding the APN profiles to the LTE cellular interface
a. Run:
b. Run:
For the parameter priority, a larger value indicates a higher priority. When dual
SIM cards are available, you are advised to set the priority of the APN profile
bound to the master SIM card higher than that of the APN profile bound to the
backup SIM card.
NOTE:
After an APN profile is bound to the master SIM card, you need to repeat this step
to bind another APN profile to the backup SIM card.
c. Run:
The SIM cards are configured with automatic switchover based on the RSSI
threshold.
By default, an LTE cellular interface does not switch between SIM cards based on
the RSSI threshold.
d. (Optional) Run:
Traffic is automatically switched from the backup SIM card back to the master
SIM card.
By default, traffic on the backup SIM card is not automatically switched back to
the master SIM card.
Follow-up Procedure
When automatic SIM card switchover is not configured or the switchover condition is not met,
you can run the sim switch to sim-id command in the LTE cellular interface view to manually
switch between SIM cards.
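The dual-SIM behaviour described above (one APN profile per sim-id, a priority per binding, switchover on dial-up failure or low RSSI, optional switchback, and manual switching) is easier to reason about as a small state model. The following is an added example, not part of the original Huawei guide and not the router's implementation: profile names, APNs, RSSI values in dBm, and the "master recovered" event that triggers switchback are constructed assumptions.

```python
"""Dual-SIM switchover model for the APN-profile binding described above.

Added example; not part of the original Huawei guide and not the router's own
implementation. It models the rules the text states: one APN profile per SIM
card (sim-id 1 = master, 2 = backup), a priority per binding, automatic
switchover when dial-up fails or the RSSI drops below a configured threshold,
optional automatic switchback to the master SIM card, and a manual
'sim switch to' operation. Profile names, APNs, RSSI values (dBm) and the
'master recovered' event that triggers switchback are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MASTER, BACKUP = 1, 2


@dataclass(frozen=True)
class ApnProfile:
    name: str
    apn: str
    sim_id: int       # 1: bound to the master SIM card, 2: bound to the backup SIM card
    priority: int     # larger value means higher priority


@dataclass
class CellularInterface:
    rssi_threshold: Optional[int] = None   # None: no RSSI-based switchover (the default)
    auto_switchback: bool = False          # default: traffic stays on the backup SIM card
    profiles: Dict[int, ApnProfile] = field(default_factory=dict)
    active_sim: int = MASTER
    events: List[str] = field(default_factory=list)

    def bind(self, profile: ApnProfile) -> None:
        """Bind an APN profile to the interface; one profile per sim-id."""
        if profile.sim_id not in (MASTER, BACKUP):
            raise ValueError("sim-id must be 1 or 2")
        self.profiles[profile.sim_id] = profile

    def start(self) -> int:
        """Dial-up begins on the SIM card whose bound profile has the higher priority."""
        if not self.profiles:
            raise RuntimeError("no APN profile bound")
        self.active_sim = max(self.profiles.values(), key=lambda p: p.priority).sim_id
        return self.active_sim

    def active_profile(self) -> ApnProfile:
        return self.profiles[self.active_sim]

    def _switch(self, reason: str) -> bool:
        other = BACKUP if self.active_sim == MASTER else MASTER
        if other not in self.profiles:
            self.events.append(f"cannot switch ({reason}): no APN profile bound to SIM {other}")
            return False
        # Only one SIM card works at a time, so traffic is briefly interrupted here.
        self.events.append(f"SIM {self.active_sim} -> SIM {other}: {reason}")
        self.active_sim = other
        return True

    def on_dial_result(self, success: bool) -> bool:
        """Dial-up failure (balance, faulty SIM, faulty network, ...) triggers switchover."""
        return self._switch("dial-up failed") if not success else False

    def on_rssi(self, rssi_dbm: int) -> bool:
        """Switch when signal quality drops below the configured RSSI threshold."""
        if self.rssi_threshold is not None and rssi_dbm < self.rssi_threshold:
            return self._switch(f"RSSI {rssi_dbm} dBm below threshold {self.rssi_threshold} dBm")
        return False

    def on_master_recovered(self) -> bool:
        """Assumed switchback trigger: master SIM usable again while on the backup SIM."""
        if self.active_sim == BACKUP and self.auto_switchback:
            return self._switch("automatic switchback to master SIM card")
        return False

    def manual_switch(self, sim_id: int) -> bool:
        """'sim switch to sim-id' in the LTE cellular interface view."""
        if sim_id not in self.profiles:
            raise ValueError(f"no APN profile bound to SIM {sim_id}")
        if sim_id == self.active_sim:
            return False
        return self._switch("manual switchover")


if __name__ == "__main__":
    ifc = CellularInterface(rssi_threshold=-100, auto_switchback=True)
    ifc.bind(ApnProfile("carrier-a", "apn-a.example", MASTER, priority=100))
    ifc.bind(ApnProfile("carrier-b", "apn-b.example", BACKUP, priority=50))
    ifc.start()
    ifc.on_rssi(-85)             # acceptable signal: stays on the master SIM
    ifc.on_dial_result(False)    # master dial-up fails: switch to the backup SIM
    ifc.on_master_recovered()    # auto switchback enabled: back to the master SIM
    ifc.on_rssi(-110)            # poor signal: switch to the backup SIM again
    ifc.manual_switch(MASTER)    # operator forces the master SIM
    print("\n".join(ifc.events))
```

The model keeps the text's two defaults explicit: with `rssi_threshold` left at `None` a weak signal never triggers a switch, and with `auto_switchback` left `False` traffic stays on the backup SIM card until someone runs the manual switch.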
Packet size is limited at the network layer. Upon receiving an IP packet to be sent, the
network layer determines the local interface through which the packet will be sent and obtains
the maximum transmission unit (MTU) configured on that interface. It then compares the
packet length with the MTU. If the packet is longer than the MTU, the network layer fragments
the packet so that no fragment is longer than the MTU.
If the MTU is too small for large packets, a packet is split into many fragments, and the
fragments may be discarded because the QoS queue is too short.
If the MTU is too large, packets are transmitted slowly or even lost.
Procedure
1. Run:
system-view
2. Run:
The LTE cellular interface view or LTE channel interface view is displayed.
3. Run:
mtu mtu
The MTU is configured for the LTE cellular interfaces or LTE channel interfaces.
By default, the MTU is 1500 bytes for the LTE cellular interfaces or LTE channel
interfaces.
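The fragmentation arithmetic behind the MTU discussion above is worth seeing concretely: how many fragments a packet becomes, where their offsets fall, and how much extra header traffic a small MTU costs. The following is an added example, not part of the original Huawei guide and not the router's forwarding code; it assumes a 20-byte IPv4 header without options, fragment offsets in 8-byte units, and constructed packet lengths.

```python
"""IPv4 fragmentation as described above: an outgoing packet longer than the
interface MTU is split into fragments no longer than the MTU.

Added example, not part of the original Huawei guide and not the router's
forwarding code. Assumptions: a 20-byte IPv4 header without options, and
fragment payloads in multiples of 8 bytes except for the last fragment.
The packet lengths and MTU values used below are constructed samples.
"""
from dataclasses import dataclass
from typing import List

IPV4_HEADER_LEN = 20   # assumption: no IP options


@dataclass(frozen=True)
class Fragment:
    offset_bytes: int      # payload offset this fragment carries (multiple of 8)
    payload_len: int       # payload bytes in this fragment (header excluded)
    more_fragments: bool   # MF flag: False only on the last fragment


def fragment_packet(total_len: int, mtu: int, dont_fragment: bool = False) -> List[Fragment]:
    """Fragments the network layer would emit for a packet of total_len bytes
    (header + payload) sent through an interface with the given MTU.

    Raises ValueError when the packet cannot be sent: an MTU too small to carry
    a header plus one 8-byte block, or DF set on a packet longer than the MTU
    (the packet is discarded instead of fragmented).
    """
    if mtu < IPV4_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry a fragment")
    if total_len <= mtu:
        return [Fragment(0, total_len - IPV4_HEADER_LEN, False)]
    if dont_fragment:
        raise ValueError("packet exceeds MTU and DF is set: discarded")
    # Every fragment except the last carries a payload that is a multiple of 8.
    max_payload = (mtu - IPV4_HEADER_LEN) // 8 * 8
    payload_len = total_len - IPV4_HEADER_LEN
    fragments: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        chunk = min(max_payload, payload_len - offset)
        fragments.append(Fragment(offset, chunk, offset + chunk < payload_len))
        offset += chunk
    return fragments


def fragment_count(total_len: int, mtu: int) -> int:
    return len(fragment_packet(total_len, mtu))


def bytes_on_wire(total_len: int, mtu: int) -> int:
    """Bytes actually transmitted, counting the IPv4 header repeated on every
    fragment; this is the overhead a too-small MTU adds."""
    return sum(IPV4_HEADER_LEN + f.payload_len for f in fragment_packet(total_len, mtu))


def dropped_with_df(total_len: int, mtu: int) -> bool:
    """True if a packet with DF set would be discarded rather than fragmented."""
    try:
        fragment_packet(total_len, mtu, dont_fragment=True)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    packet = 4020   # constructed: 4000-byte payload plus a 20-byte header
    for mtu in (1500, 1400, 576):
        frags = fragment_packet(packet, mtu)
        print(f"MTU {mtu}: {len(frags)} fragments, {bytes_on_wire(packet, mtu)} bytes on wire")
        for f in frags:
            print(f"  offset={f.offset_bytes:5d} len={f.payload_len:4d} MF={int(f.more_fragments)}")
```

With the default MTU of 1500 bytes, a 4020-byte packet becomes three fragments (1480, 1480 and 1040 payload bytes); dropping the MTU to 576 turns the same packet into eight fragments, which is the queue pressure the text warns about.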
Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about call sessions on the LTE modem.
Run the display interface cellular [ interface-number ] command to check the running status
and statistics of LTE cellular interfaces.
Context
Based on the triggering mode, LTE link dial-up modes are classified into the following
types:
The DCC attempts to dial the PGW immediately after the device starts. The dialing
process does not need to be triggered by data packets. If a connection cannot be
established with the PGW, the DCC retries at an interval.
This mode applies to the scenarios in which users are not charged based on traffic or
time. For example, if a yearly-package service is used, users are not charged based on
link traffic or time within the service duration.
The device triggers link establishment only when data needs to be transferred. When the
time during which no traffic is transmitted on the link exceeds the timeout duration, the
device disconnects the link to reduce traffic volume.
This mode applies to the scenarios in which users are charged based on traffic or time.
For example, if a traffic-package service is used, users are allowed to use certain traffic
within the service duration.
Based on different link-layer protocols used by an LTE link, the LTE link dial-up modes can be
classified into the following types:
PPP dial-up: In this mode, PPP is used as the link-layer protocol and the LTE link obtains
an IP address through PPP negotiation (configured using the ip address ppp-negotiate
command).
WWAN dial-up: In this mode, WWAN is used as the link-layer protocol and the LTE
link dynamically obtains an IP address (configured using the ip address negotiate
command).
Pre-configuration Tasks
Before configuring C-DCC for dial-up connection, complete the following tasks:
Procedure
NOTE:
a. Run:
system-view
b. Run:
dialer-rule
c. Run:
A dialer control list is specified for a dialer access group to define conditions for
initiating calls.
d. Run:
quit
2. Enable C-DCC.
a. Run:
When the multi-APN function is configured, the LTE channel interface view is
displayed; otherwise, the LTE cellular interface view is displayed.
b. Run:
dialer enable-circular
c. Run:
dialer-group group-number
NOTE:
Make sure that the value of group-number in the dialer-group command is the same
as that of dialer-rule-number in the dialer-rule command.
d. (Optional) Run:
rssi-threshold rssi-threshold
The received signal strength indicator (RSSI) threshold that must be met before an LTE
link is established is set.
By default, an LTE data card does not use an RSSI threshold when establishing an LTE
link.
3. Obtain IP addresses.
For PPP dial-up (required when two LTE data cards are used to connect to the Internet
through dual uplinks), run:
ip address ppp-negotiate
For WWAN dial-up, run:
ip address negotiate
4. Run:
The autodial parameter indicates the automatic dial-up mode. By default, the automatic
dial-up interval is 300 seconds. You can run the dialer timer autodial command to set the
automatic dial-up interval. If the autodial parameter is not specified in the command, the
dial-on-demand mode is used.
5. Run:
quit
6. Run:
Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about all call sessions on the LTE data card.
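The C-DCC behaviour described in this task (automatic dial-up with retries, dial-on-demand driven by the dialer rule and an idle timer, and NQA tracking that tears the link down after three consecutive probe failures) can be simulated on a clock to check how the timers interact. The following is an added example, not part of the original Huawei guide and not the router's implementation; the idle timeout, the probe interval, the redial-after-teardown behaviour and the scripted dial and probe results are constructed assumptions, while the 300-second autodial default and the three-failure rule come from the text.

```python
"""C-DCC dial-up behaviour described above, on a simulated clock.

Added example; not part of the original Huawei guide and not the router's
implementation. It models: automatic dial-up (dial at startup, retry every
autodial interval, 300 s by default), dial-on-demand (dial when a packet
permitted by the dialer rule arrives, tear down after an idle period), and
NQA tracking (tear the link down after three consecutive probe failures).
The idle timeout, probe interval, the redial-after-teardown behaviour and the
scripted dial/probe results are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

NQA_FAILURES_TO_TEAR_DOWN = 3


@dataclass
class DialerConfig:
    autodial: bool                        # True: automatic dial-up; False: dial-on-demand
    autodial_interval: int = 300          # dialer timer autodial, seconds (default 300)
    idle_timeout: int = 120               # dial-on-demand idle timer, seconds (assumed value)
    track_nqa: bool = False               # track nqa specified on the dialer
    probe_interval: int = 10              # dialer timer probe-interval, seconds (assumed value)
    dialer_rule: Callable[[str], bool] = lambda proto: True   # dialer-rule: traffic allowed to dial


def scripted(results: List[bool]) -> Callable[[], bool]:
    """Callable yielding the listed results in order, then repeating the last one."""
    seq = list(results)
    return lambda: seq.pop(0) if len(seq) > 1 else seq[0]


@dataclass
class LteLink:
    cfg: DialerConfig
    dial: Callable[[], bool]              # True when the PGW accepts the dial-up
    probe: Callable[[], bool] = lambda: True   # NQA probe result
    up: bool = False
    now: int = 0
    next_dial_at: Optional[int] = None
    next_probe_at: Optional[int] = None
    last_traffic_at: int = 0
    probe_failures: int = 0               # consecutive NQA probe failures
    log: List[str] = field(default_factory=list)

    def start(self) -> None:
        """Automatic dial-up dials right after the router starts; dial-on-demand waits."""
        if self.cfg.autodial:
            self._try_dial("startup")

    def _try_dial(self, why: str) -> bool:
        ok = self.dial()
        self.log.append(f"t={self.now}s dial ({why}): {'up' if ok else 'failed'}")
        if ok:
            self.up, self.next_dial_at = True, None
            self.last_traffic_at, self.probe_failures = self.now, 0
            self.next_probe_at = self.now + self.cfg.probe_interval if self.cfg.track_nqa else None
        elif self.cfg.autodial:
            self.next_dial_at = self.now + self.cfg.autodial_interval   # retry after an interval
        return ok

    def _tear_down(self, why: str) -> None:
        self.up, self.next_probe_at = False, None
        self.log.append(f"t={self.now}s link torn down: {why}")
        if self.cfg.autodial:   # assumption: automatic dial-up redials after the interval
            self.next_dial_at = self.now + self.cfg.autodial_interval

    def packet(self, proto: str) -> bool:
        """Outgoing packet; True if the link is (or becomes) up to carry it."""
        interesting = self.cfg.dialer_rule(proto)
        if self.up:
            if interesting:
                self.last_traffic_at = self.now   # permitted traffic resets the idle timer
            return True
        if not self.cfg.autodial and interesting:
            return self._try_dial(f"{proto} traffic")
        return False

    def tick(self, seconds: int = 1) -> None:
        """Advance the clock one second at a time and run the dialer timers."""
        for _ in range(seconds):
            self.now += 1
            if not self.up and self.next_dial_at is not None and self.now >= self.next_dial_at:
                self._try_dial("autodial timer")
            if self.up and not self.cfg.autodial and self.now - self.last_traffic_at >= self.cfg.idle_timeout:
                self._tear_down("idle timeout")
            if self.up and self.next_probe_at is not None and self.now >= self.next_probe_at:
                self.next_probe_at = self.now + self.cfg.probe_interval
                if self.probe():
                    self.probe_failures = 0
                else:
                    self.probe_failures += 1
                    if self.probe_failures >= NQA_FAILURES_TO_TEAR_DOWN:
                        self._tear_down(f"{self.probe_failures} consecutive NQA probe failures")


if __name__ == "__main__":
    link = LteLink(DialerConfig(autodial=True, track_nqa=True), dial=scripted([False, True]),
                   probe=scripted([True, False, False, False]))
    link.start()
    link.tick(400)
    print("\n".join(link.log))
```

Note that one successful probe resets the failure counter, so intermittent probe loss does not tear the link down; only three failures in a row do. In dial-on-demand mode a packet that the dialer rule does not permit neither brings the link up nor keeps it up, which is exactly why the rule must match the traffic the branch actually needs.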
Context
A PIN identifies the user of the SIM card and prevents unauthorized access to the SIM card.
If a user enters incorrect PINs three consecutive times, the PIN is locked to protect security of
the SIM card. To unlock the PIN, enter the PIN unblocking key (PUK).
NOTE:
A PIN is a decimal integer of 4 to 8 digits. Obtain the initial PIN from the carrier.
PUKs are provided by carriers. If a user enters incorrect PUKs ten consecutive times, the SIM
card is permanently locked and the user needs to obtain a new one from the carrier.
Procedure
PIN authentication prevents unauthorized users from using a SIM card. A user can use an
LTE modem only after the PIN is authenticated. If PIN authentication is disabled, anyone
can use the SIM card.
1. Run:
system-view
2. Run:
3. Run:
Authenticating a PIN
After PIN authentication is enabled for an LTE modem, the PIN must be authenticated
every time you start the SIM card. If PIN authentication fails, the LTE modem cannot
provide data communication functions.
1. Run:
system-view
2. Run:
3. Run:
In this step, you must enter the PIN. When the message "PIN has been verified
successfully." is displayed, the PIN has been authenticated.
Changing a PIN
After PIN authentication is enabled, you are advised to change the PIN periodically to
improve the SIM card security.
1. Run:
system-view
2. Run:
pin modify
In this step, you must enter the old PIN and enter a new PIN twice. When the
message "PIN has been changed successfully." is displayed, the PIN has been
changed.
Unlocking a PIN
1. Run:
system-view
2. Run:
3. Run:
pin unlock
In this step, you must enter the PUK and enter a new PIN twice. When the
message "Warning: PIN will be unlocked and changed. Continue? [Y/N]:" is
displayed, enter Y. When the message "PIN has been unlocked and changed
successfully." is displayed, the SIM card has been unlocked.
Run the display cellular interface-number { all | hardware | security | network | profile |
radio } command to check information about all call sessions on the LTE modem.
Context
The device can use SMS to send messages to users and saves SMS messages received from
users on the SIM card. You can check received SMS messages on the device. If the number of
SMS messages saved on the SIM card exceeds the maximum, you can delete SMS messages.
Procedure
The device can send SMS messages to a user with a specified mobile number. You need to
specify the short message center (SMC) number when configuring the device to send SMS
messages.
1. Run:
system-view
2. Run:
3. Run:
4. Run:
The device saves SMS messages received from users in the SIM card. You can check and
delete received SMS messages.
Run:
system-view
2. Run:
Run the display sms interface cellular interface-number statistics command to check
statistics about SMS messages.
Context
The device can send short messages to users' mobile phones through SMS.
In the active/standby interface backup scenario, the active/standby interface status changes
when the active and standby links are switched. Users can view the alarm on the device to learn
of the interface status change. If users want to be informed of the change anytime and
anywhere, configure the SMS alarm function on the service interface. After the function is
configured, the alarm about the interface status change is sent to users in a short message.
For example, a user connects to the Internet through an ADSL interface (active link) and a
cellular interface (standby link). When the active link is faulty and services are switched to the
standby link after the SMS alarm function is configured, a short message can be immediately
sent to specific users. When the standby link is working properly and services are not switched
back to the active link within the specified time, a short message can be sent to specific users
again. If services are switched back to the active link within the specified time, no short message
needs to be sent again.
Procedure
An SMS service pool contains the preset SMS services, user phone numbers specified to
receive short messages, and short message content.
a. Run:
system-view
b. Run:
sms-pool
c. Run:
The phone numbers that receive short messages and the short message content are
configured in the SMS service pool.
By default, no SMS service is configured in the SMS service pool.
d. Run:
quit
Configure the SMS alarm function, specify the triggering condition for sending short
messages, and invoke the preset SMS service in the SMS service pool to send the specified
short messages to specific users.
a. Run:
system-view
b. Run:
c. Run:
The preset short message is sent to specific users when the LTE cellular interface
status changes.
If the after time parameter is not configured, a short message is sent immediately when the
interface status changes. If after time is configured, a short message is sent only when the
interface status changes and then remains unchanged for the configured time. This prevents
the device from sending short messages repeatedly when an interface flaps between Up and
Down.
NOTE:
Before running this command, ensure that the SMS service with a specified ID is
configured using the sms item command.
Currently, the SMS alarm function can be configured on interfaces only when
cellular, ATM, and serial interfaces are used as the active and standby interfaces.
This command can be run on each interface at most four times, and the latest
configuration does not override the previous ones.
d. Run:
Run the display sms send-history command to view records of sent short messages saved in
the memory.
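The hold-time behaviour of the after time parameter described in this procedure is a debounce: a status change only produces a short message if the new status survives for the configured time, and a flap inside that window cancels the pending message. The following is an added illustration of that logic, not Huawei code; the interface events, timestamps and hold time are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StatusEvent:
    t: float      # seconds since monitoring started (constructed clock)
    state: str    # "UP" or "DOWN"


def sms_alarms(events, after=0.0, initial_state="UP", end_time=None):
    """Return [(send_time, state)] for the status changes that would trigger an SMS.

    after == 0 : send immediately on every status change.
    after  > 0 : send only if the interface keeps the new status for `after`
                 seconds; a further change inside the window cancels the
                 pending message and starts a new window.
    end_time   : end of the observation period; a pending message whose hold
                 time has not elapsed by then is not (yet) sent.
    """
    events = sorted(events, key=lambda e: e.t)
    sent = []
    last_state = initial_state
    pending = None  # (change_time, new_state) waiting out the hold time
    for ev in events:
        if ev.state == last_state:
            continue               # duplicate report, not a status change
        last_state = ev.state
        if after <= 0:
            sent.append((ev.t, ev.state))
            continue
        # The previous change is reported only if it held for the full window.
        if pending is not None and ev.t - pending[0] >= after:
            sent.append((pending[0] + after, pending[1]))
        pending = (ev.t, ev.state)
    if after > 0 and pending is not None:
        deadline = pending[0] + after
        if end_time is None or end_time >= deadline:
            sent.append((deadline, pending[1]))
    return sent


# Constructed event streams: a flapping link and a clean fail-over.
FLAPPING = [StatusEvent(10, "DOWN"), StatusEvent(12, "UP"), StatusEvent(13, "DOWN")]
STABLE_FAILOVER = [StatusEvent(10, "DOWN"), StatusEvent(60, "UP")]
```

With after=0 the flapping stream produces three messages; with after=30 only the final DOWN, 30 seconds after it settled, is reported. That is the trade-off the guide describes: the hold time suppresses noise at the cost of delaying the alarm by the hold time.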
An LTE modem restarts automatically when it detects an exception. If the LTE modem cannot
automatically restart, you can manually restart it.
NOTE:
The SIM card is not hot swappable. To ensure that the installed SIM card works properly,
manually restart the LTE modem after hot swapping the SIM card.
Procedure
1. Run:
system-view
2. Run:
3. Run:
modem reboot
NOTE:
After you manually restart the LTE modem, the services on the LTE cellular interface are
interrupted.
When an LTE modem is not attached to a Packet Switch (PS) domain, you can configure an LTE
modem to automatically restart and set the interval at which the LTE modem automatically
restarts. Then the LTE modem automatically restarts and starts dialing until it is attached to a PS
domain.
Procedure
1. Run:
system-view
2. Run:
3. Run:
An LTE modem is configured to automatically restart and the interval at which an LTE
modem automatically restarts is set.
When a 3G or LTE link is unstable because of weak 3G or LTE signals or interference, you may
fail to access external networks through the 3G or LTE link even if the dial-up succeeds. To
solve this problem, configure the device to use an NQA test instance to detect the 3G or LTE
link status. When the 3G or LTE link is unstable, the device triggers an action to recover the 3G
or LTE link.
Procedure
1. Run:
system-view
2. Run:
3. Run:
The device is configured to use an NQA test instance to detect a 3G or LTE link.
By default, a device does not use an NQA test instance to detect a 3G or LTE link.
NOTE:
The NQA test instance used in this step must be an ICMP NQA test instance. For details
about how to configure such a test instance, see Configuring an ICMP Test Instance in the
Huawei AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - Network Management Configuration.
4. Run:
The maximum number of 3G or LTE detection failures in an NQA test instance is set.
When the number of consecutive 3G or LTE link detection failures in an NQA test
instance reaches the maximum value, the device triggers an action to recover the 3G or
LTE link.
By default, the maximum number of 3G or LTE link detection failures in an NQA test
instance is not configured. That is, the device does not trigger an action to recover a 3G
or LTE link when 3G or LTE link detection fails for several consecutive times.
NOTE:
When the dial-up initiated through an LTE cellular interface fails multiple times, you can set the
maximum number of dial-up failures. When the number of consecutive dial-up failures reaches
the maximum value, the device restarts the LTE modem so that the fault can be rectified
automatically.
Procedure
1. Run:
system-view
2. Run:
3. Run:
NOTE:
To monitor the status of an LTE cellular interface or locate faults on the interface, collect traffic
statistics about the interface. Before collecting traffic statistics on an LTE cellular interface
within a period, delete the existing traffic statistics on this interface.
NOTICE:
Interface traffic statistics cannot be restored after being cleared. Exercise caution when you run
the reset counters interface cellular [ interface-number ] command.
Procedure
Run the reset counters interface cellular [ interface-number ] command to clear the statistics
on the current LTE cellular interface.
To view changes of the LTE signal strength, cell ID or network type in WWAN logs, you can
enable the WWAN log function.
Procedure
1. Run:
system-view
2. Run:
After enabling the WWAN log function, you can view changes of the LTE signal
strength, cell ID or network type in WWAN logs.
o When the LTE signal strength changes, the device records the
WWAN/5/WWAN_SINR_NORMAL or WWAN/5/WWAN_SINR_WEAK
log.
o When the cell ID changes, the device records the WWAN/5/WWAN_CELLID
log.
o When the network type changes, the device records the
WWAN/5/WWAN_NETWORK log.
NOTE:
3. (Optional) Run:
The SINR threshold used to determine the LTE signal strength is set.
By default, the SINR threshold used to determine the LTE signal strength is 10 dB.
You can perform this step to change the SINR threshold used to determine the LTE
signal strength.
o If the received LTE signal strength is greater than the SINR threshold 10 consecutive
times, the signal strength is considered to have become normal and the device records the
WWAN/5/WWAN_SINR_NORMAL log.
o If the received LTE signal strength is not greater than the SINR threshold 10 consecutive
times, the signal strength is considered to have become weak and the device records the
WWAN/5/WWAN_SINR_WEAK log.
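The two rules above form a hysteresis: a single sample on the other side of the threshold resets the run, so the logged state only flips after ten consecutive samples agree. The following is an added illustration of that judgement logic, not Huawei code; the SINR sample values are constructed, and the threshold default of 10 dB and the count of 10 samples are taken from the text.

```python
DEFAULT_SINR_THRESHOLD_DB = 10.0   # default threshold stated in the guide
CONSECUTIVE_SAMPLES = 10           # samples that must agree before the state flips


class SinrMonitor:
    """Judges LTE signal strength from SINR samples the way the guide describes.

    A sample "counts as normal" when it is strictly greater than the threshold;
    a sample equal to the threshold counts as not greater, i.e. toward weak.
    A WWAN log name is returned only when the judged state changes.
    """

    def __init__(self, threshold_db=DEFAULT_SINR_THRESHOLD_DB, samples=CONSECUTIVE_SAMPLES):
        self.threshold_db = threshold_db
        self.samples = samples
        self.state = None      # "NORMAL", "WEAK", or None before the first judgement
        self._above = 0        # current run of samples above the threshold
        self._not_above = 0    # current run of samples not above the threshold

    def feed(self, sinr_db):
        """Feed one sample; return the log that would be recorded, or None."""
        if sinr_db > self.threshold_db:
            self._above += 1
            self._not_above = 0
        else:
            self._not_above += 1
            self._above = 0
        if self._above >= self.samples and self.state != "NORMAL":
            self.state = "NORMAL"
            return "WWAN/5/WWAN_SINR_NORMAL"
        if self._not_above >= self.samples and self.state != "WEAK":
            self.state = "WEAK"
            return "WWAN/5/WWAN_SINR_WEAK"
        return None


def logs_for_samples(samples, threshold_db=DEFAULT_SINR_THRESHOLD_DB):
    """Run a constructed sample series through the monitor; return [(index, log)]."""
    mon = SinrMonitor(threshold_db)
    out = []
    for i, s in enumerate(samples):
        log = mon.feed(s)
        if log:
            out.append((i, log))
    return out
```

Feeding ten good samples, nine weak ones, one good one and then ten weak ones shows the effect: the WEAK log is recorded at the 30th sample, not the 20th, because the single good sample restarted the count.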
NOTE:
Example for Configuring an LTE Cellular Interface as the Primary Interface to Connect to the Internet
Example for Configuring an LTE Cellular Interface as the Backup Interface to Connect to the Internet
Example for Configuring LTE Cellular Interfaces as the Primary/Backup Interfaces to Connect to the Internet
(Using Two 1LTE-L Interfaces Cards)
Configuring LTE Cellular Interfaces to Use the Multi-APN Function for Data and VoIP Communication
Example for Accessing Different LTE Networks Using Dual SIM Cards
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires that the Router should assign IP addresses to branch intranet users and the
users access external networks.
The branch has subscribed to a yearly-package service and connects to the Internet in
automatic dial-up mode. The branch obtains the following information from the carrier:
APN: ltenet
Dialer number: *99#
Figure 1 Networking diagram of configuring an LTE cellular interface as the primary interface
to connect to the Internet
Configuration Roadmap
NOTE:
After dialer enable-circular is run, the dialer number and IP address are assigned
automatically, and a dialer control list is not required.
Procedure
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router-Cellular0/0/0] dialer-group 1
NOTE:
Ensure that the group-number value in the dialer-group command is the same as the
dialer-rule-number value in the dialer-rule command.
# Enable DHCP.
10. Configure a default route and specify Cellular0/0/0 as the outbound interface.
# View the interface status and traffic statistics. The command output shows that if traffic
is forwarded through the interface, both the physical layer status and link layer status of
the interface are Up and the IP address dynamically obtained by the interface is
20.1.1.2/24.
# View information about all call sessions on the LTE data card. The following command
output shows that the APN is ltenet, the network type is Automatic, and the network
connection mode is LTE(LTE).
Example
As shown in Figure 1, Router is the egress gateway of the enterprise, and the VDSL interface
functions as the primary interface to connect to the Internet.
To ensure reliable access, the enterprise requires that the LTE cellular interface should function
as a backup interface to connect enterprise users to the Internet when the primary interface is
faulty.
NOTE:
The following figure shows only the access-side networking. Deploy devices on the aggregation
and core networks according to site requirements.
Figure 1 Networking diagram of configuring an LTE cellular link as the backup interface to
connect to the Internet
Configuration Roadmap
Procedure
NOTE:
This example only describes the configuration of the uplink primary interface. For details
about other uplink devices, see the related manuals.
20. Configure the LTE cellular interface as the uplink backup interface.
# In this example, set the dialer number to *99#.
# Use the APN specified by the carrier. In this example, set the APN to ltenet.
NOTE:
Before configuring the backup interface, ensure that the LTE data cards and SIM cards
are available.
This example only describes the configuration of the uplink backup interface. For details
about other uplink devices, see the related manuals.
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
[Router] apn profile ltenet
[Router-apn-profile-ltenet] quit
[Router] interface cellular 0/0/0
[Router-Cellular0/0/0] ip address negotiate
[Router-Cellular0/0/0] dialer enable-circular
[Router-Cellular0/0/0] dialer-group 1
[Router-Cellular0/0/0] dialer timer idle 50
[Router-Cellular0/0/0] dialer number *99# autodial
[Router-Cellular0/0/0] nat outbound 3002
[Router-Cellular0/0/0] mode lte auto
[Router-Cellular0/0/0] apn-profile ltenet
[Router-Cellular0/0/0] shutdown
[Router-Cellular0/0/0] undo shutdown
[Router-Cellular0/0/0] quit
# After the configuration is complete, run the display standby state command on the
Router to check the status of the primary and backup interfaces. The command output
shows that ATM1/0/0 is in Up state and Cellular0/0/0 is in Standby state.
Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED
----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State
----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State
----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State
# Run the shutdown command on ATM1/0/0 to simulate a link fault. Run the display
standby state command on the Router to check the status of the primary and backup
interfaces. The command output shows that ATM1/0/0 is in Down state and Cellular0/0/0
is in Up state, indicating that the backup interface has started.
[Router-Atm1/0/0] shutdown
[Router-Atm1/0/0] quit
[RouterA] display standby state
Interface Interfacestate Backupstate Backupflag Pri Loadstate
ATM1/0/0 DOWN MDOWN MU
Cellular0/0/0 UP UP BU 0
Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED
----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State
----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State
----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State
Configuration Files
Configuration file of the Router
#
sysname Router
#
vlan batch 10
#
dhcp enable
#
acl number 3002
rule 5 permit ip source 192.168.100.0 0.0.0.255
#
apn profile ltenet
#
ip pool lan
gateway-list 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
#
interface Vlanif10
ip address 192.168.100.1 255.255.255.0
dhcp select global
#
interface Ethernet2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Cellular0/0/0
dialer enable-circular
dialer-group 1
apn-profile ltenet
dialer timer idle 50
dialer number *99# autodial
nat outbound 3002
ip address negotiate
#
interface Atm1/0/0
pvc voip 1/35
map ppp Virtual-Template10
standby interface Cellular0/0/0
#
interface Virtual-Template10
ip address ppp-negotiate
nat outbound 3002
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Virtual-template10 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 80
#
return
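The notes in this example stress that the group-number in dialer-group must match the dialer-rule-number in dialer-rule, and the configuration file also cross-references an APN profile, a NAT ACL, a standby interface and static-route outbound interfaces. The following is an added consistency checker for such a saved configuration, written for this page and not a Huawei tool; it parses the '#'-delimited layout shown above (with the interface configuration lines at the indentation the page shows) and embeds the example's own configuration file as its sample input. The section prefixes it recognises are an assumption that covers this file, not a general VRP grammar.

```python
import re

# The configuration file from this example, embedded as the sample input.
CONFIG = """\
#
sysname Router
#
vlan batch 10
#
dhcp enable
#
acl number 3002
rule 5 permit ip source 192.168.100.0 0.0.0.255
#
apn profile ltenet
#
ip pool lan
gateway-list 192.168.100.1
network 192.168.100.0 mask 255.255.255.0
#
interface Vlanif10
ip address 192.168.100.1 255.255.255.0
dhcp select global
#
interface Ethernet2/0/0
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface Cellular0/0/0
dialer enable-circular
dialer-group 1
apn-profile ltenet
dialer timer idle 50
dialer number *99# autodial
nat outbound 3002
ip address negotiate
#
interface Atm1/0/0
pvc voip 1/35
map ppp Virtual-Template10
standby interface Cellular0/0/0
#
interface Virtual-Template10
ip address ppp-negotiate
nat outbound 3002
#
dialer-rule
dialer-rule 1 ip permit
#
ip route-static 0.0.0.0 0.0.0.0 Virtual-template10 preference 40
ip route-static 0.0.0.0 0.0.0.0 Cellular0/0/0 preference 80
#
return
"""

# Assumed: these headers open a section whose following lines are sub-commands.
SECTION_PREFIXES = ("interface ", "acl number ", "apn profile ", "dialer-rule", "ip pool ")


def parse_config(text):
    """Split a '#'-delimited config into [(header, [sub-commands])] and top-level commands."""
    sections, top = [], []
    for chunk in text.split("\n#"):
        lines = [l.strip() for l in chunk.splitlines() if l.strip() and l.strip() != "#"]
        if not lines:
            continue
        if lines[0].startswith(SECTION_PREFIXES):
            sections.append((lines[0], lines[1:]))
        else:
            top.extend(lines)
    return sections, top


def check_config(text):
    """Return a list of cross-reference problems; an empty list means the file is consistent."""
    sections, top = parse_config(text)
    findings = []
    ifaces = {h.split(None, 1)[1].lower(): body for h, body in sections if h.startswith("interface ")}
    acls = {h.split()[2] for h, _ in sections if h.startswith("acl number ")}
    apns = {h.split()[2] for h, _ in sections if h.startswith("apn profile ")}
    rules = next((body for h, body in sections if h == "dialer-rule"), [])
    rule_ids = {l.split()[1] for l in rules if l.startswith("dialer-rule ")}
    for name, body in ifaces.items():
        for cmd in body:
            p = cmd.split()
            if p[0] == "dialer-group" and p[1] not in rule_ids:
                findings.append(f"{name}: dialer-group {p[1]} has no matching dialer-rule {p[1]}")
            elif p[0] == "apn-profile" and p[1] not in apns:
                findings.append(f"{name}: apn-profile {p[1]} is not defined")
            elif p[:2] == ["nat", "outbound"] and p[2] not in acls:
                findings.append(f"{name}: nat outbound references undefined ACL {p[2]}")
            elif p[:2] == ["standby", "interface"] and p[2].lower() not in ifaces:
                findings.append(f"{name}: standby interface {p[2]} does not exist")
    for cmd in top:
        p = cmd.split()
        # Only interface-style next hops are checked; an IP next hop is left alone.
        if p[:2] == ["ip", "route-static"] and len(p) >= 5 \
                and not re.fullmatch(r"\d+\.\d+\.\d+\.\d+", p[4]) and p[4].lower() not in ifaces:
            findings.append(f"static route via unknown interface {p[4]}")
    return findings
```

Interface names are compared case-insensitively because the saved file itself writes Virtual-Template10 and Virtual-template10 for the same interface. Running the checker over the example file returns no findings; changing dialer-group 1 to dialer-group 2 reproduces exactly the mismatch the NOTE warns about.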
A remote branch of the enterprise needs to exchange large volumes of service traffic with
external networks, but it cannot obtain the wired WAN access service. As shown in Figure 1, the
branch uses the RouterA as the egress gateway and uses an LTE cellular interface Cellular1/0/0
to connect to the Internet through LTE network 1, meeting service transmission requirements.
The enterprise leases a link connected to the Internet through LTE network 2 as the backup link,
so the backup link can transmit services when Cellular1/0/0 or LTE network 1 is faulty.
NOTE:
This example applies to the scenario where two 1LTE-L interface cards are used or one 1LTE-L
interface card and one E392 data card are used to connect to the Internet through dual uplinks. In
this scenario, two LTE links both use the WWAN dial-up mode.
In this example:
For LTE network 1, the connection mode is LTE, the APN is ltenet1, and the dialer
number is *99#.
For LTE network 2, the connection mode is AUTO, the APN is ltenet2, and the dialer
number is *98#.
Configuration Roadmap
Procedure
1. Configure Cellular1/0/0.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] apn profile ltenet1
[RouterA-apn-profile-ltenet1] quit
2. Configure Cellular2/0/0.
7. Configure C-DCC.
# Create dialer access group 1 and configure a dialer rule in the group.
[RouterA] dialer-rule
[RouterA-dialer-rule] dialer-rule 1 ip permit
[RouterA-dialer-rule] quit
# After the configuration is complete, run the display standby state command on the
RouterA to check the status of the primary and backup interfaces. The command output
shows that Cellular1/0/0 is in Up state and Cellular2/0/0 is in Standby state.
Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED
----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State
----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State
----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State
# Run the shutdown command on Cellular1/0/0 to simulate a link fault. Run the display
standby state command on the RouterA to check the status of the primary and backup
interfaces. The command output shows that Cellular1/0/0 is in Down state and
Cellular2/0/0 is in Up state, indicating that the backup interface has started.
[RouterA-Cellular1/0/0] shutdown
[RouterA-Cellular1/0/0] quit
[RouterA] display standby state
Interface Interfacestate Backupstate Backupflag Pri Loadstate
Cellular1/0/0 DOWN MDOWN MU
Cellular2/0/0 UP UP BU 0
Backup-flag meaning:
M---MAIN B---BACKUP V---MOVED U---USED
D---LOAD P---PULLED
----------------------------------------------------------------------------
Below is track BFD information:
Bfd-Name Bfd-State BackupInterface State
----------------------------------------------------------------------------
Below is track IP route information:
Destination/Mask Route-State BackupInterface State
----------------------------------------------------------------------------
Below is track NQA Information:
Instance Name BackupInterface State
Configuration Files
A remote branch of the enterprise cannot obtain the wired WAN access service and needs to
exchange heavy traffic with the headquarters. The branch wants to communicate with the
headquarters through the Internet. In addition, the branch wants to exchange voice services
with the headquarters at low cost, so VoIP communication is needed.
The branch intranet is on the network segment 192.168.100.0/24 and all hosts join VLAN 10.
The branch requires that the Router should assign IP addresses to branch intranet users and the
users access external networks.
A remote branch of the enterprise cannot obtain the wired WAN access service to provide data
and VoIP communication. As shown in Figure 1, the branch uses the Router as the egress gateway
and uses an LTE cellular interface to connect to the PGW through the LTE network, meeting
service transmission requirements. The PGW connects to the Internet through the Internet
gateway and connects to the IMS network through the IMS gateway.
Figure 1 Networking diagram of configuring LTE cellular interfaces to use the multi-APN
function for data and VoIP communication
Configuration Roadmap
The enterprise can use the multi-APN function of LTE cellular interfaces to implement data and
VoIP communication. Two LTE channel interfaces can be configured for an LTE cellular
interface. You can bind two APN profiles respectively to the two LTE channel interfaces. One
APN connects to the Internet for data communication, and the other connects to the IMS network
for VoIP communication. The PGW assigns an IP address to each LTE channel interface of the
LTE cellular interface.
Create two APN profiles. One profile specifies the APN that connects to the Internet, and
the other specifies the APN that connects to the IMS network.
Configure an LTE cellular interface, configure a network connection mode for the
interface, and enable the multi-APN function.
Configure C-DCC for dial-up connection on the LTE cellular interface.
Bind the APN profiles to the LTE cellular interface.
Configure the enterprise intranet and configure the Router to assign IP addresses to
branch intranet users.
Configure the NAT function and set the IP address of the LTE channel interface as the
public IP address of the enterprise branch.
Configure a default route and specify the LTE channel interface as the outbound interface
so that traffic from the branch intranet can be forwarded to the LTE network through the
LTE channel interface.
Procedure
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
# Configure C-DCC for dial-up connection on LTE channel interface 1 and bind the APN
profile datanet to LTE channel interface 1.
# Configure C-DCC for dial-up connection on LTE channel interface 2 and bind the APN
profile voicenet to LTE channel interface 2.
[Router] interface cellular 1/0/0:2
[Router-Cellular1/0/0:2] ip address negotiate
[Router-Cellular1/0/0:2] dialer enable-circular
[Router-Cellular1/0/0:2] dialer-group 1
[Router-Cellular1/0/0:2] dialer timer autodial 20
[Router-Cellular1/0/0:2] dialer number *99# autodial
[Router-Cellular1/0/0:2] apn-profile voicenet
[Router-Cellular1/0/0:2] shutdown
[Router-Cellular1/0/0:2] undo shutdown
[Router-Cellular1/0/0:2] quit
[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit
# Enable DHCP.
# After the configuration is complete, traffic of the branch intranet is transmitted to the
LTE network through the LTE cellular interface and the branch users can exchange both
data and VoIP services through the LTE cellular interface.
Example
As shown in Figure 1, the headquarters and branch of an enterprise are located in different places.
Router is the egress gateway of the branch and connects to the headquarters through an LTE
network (LTE network 1).
To improve data transmission reliability of the LTE link, the branch uses an LTE cellular
interface supporting dual SIM cards. One SIM card functions as the master SIM card to connect
to LTE network 1, the other SIM card functions as the backup SIM card to connect to LTE
network 2. If dial-up fails because the account balance of the master SIM card is insufficient, the
master SIM card is faulty, the LTE link signal quality is poor, or the connected LTE network is
faulty, traffic is automatically switched to the backup SIM card, ensuring uninterrupted
enterprise services.
Figure 1 Networking diagram for accessing different LTE networks using dual SIM cards
Configuration Roadmap
Create two APN profiles. Bind one APN profile to the master SIM card and the other to
the backup SIM card.
Configure C-DCC for the dial-up connection on the LTE cellular interface.
Bind the APN profiles to the LTE cellular interface.
Configure the enterprise intranet and use Router to assign IP addresses to the branch
intranet users.
Configure the NAT function and specify the IP address of the LTE cellular interface as
the public IP address of the enterprise branch.
Configure a default route and specify the LTE cellular interface as the outbound interface
so that traffic from the branch intranet is forwarded to the Internet through the LTE
cellular interface.
Procedure
# Configure APN profile mainCard and bind it to the master SIM card to connect to
LTE network 1. According to the carrier, the APN of LTE network 1 is LTENET1.
<Huawei> system-view
[Huawei] sysname Router
[Router] apn profile mainCard
[Router-apn-profile-mainCard] sim-id 1
[Router-apn-profile-mainCard] apn LTENET1
[Router-apn-profile-mainCard] quit
# Configure APN profile backupCard and bind it to the backup SIM card to connect to
LTE network 2. According to the carrier, the APN of LTE network 2 is LTENET2.
2. Configure C-DCC for the dial-up connection on the LTE cellular interface.
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
# Configure C-DCC for the dial-up connection on the LTE cellular interface.
[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type trunk
[Router-Ethernet2/0/0] port trunk allow-pass vlan 10
[Router-Ethernet2/0/0] quit
# Enable DHCP.
# After the previous configurations, traffic on the branch intranet is transmitted to LTE
network 1 through the master SIM card. If dial-up fails because the account balance of
the master SIM card is insufficient, the master SIM card is faulty, the LTE link signal
quality is poor, or the connected LTE network is faulty, traffic is automatically switched
to the backup SIM card and transmitted to LTE network 2.
Example
7.3.3.13.14 References
This section lists references of 3G and LTE.
3GPP Release 99
3GPP Release 4
3GPP Release 5
3GPP Release 6
3GPP Release 7
3GPP Release 8
Overview
This section describes the definition and functions of DSVPN.
Principles
This section describes the implementation of DSVPN.
Applications
This section describes the applicable scenario of DSVPN.
Configuration Notes
This section describes DSVPN configuration notes.
Default Configuration
This section provides the default DSVPN configuration.
Configuring DSVPN
After DSVPN is configured, a Spoke can dynamically obtain the public network address
of its peer device and establish a tunnel with the peer device to exchange data.
Maintaining DSVPN
This section describes how to clear and check the DSVPN statistics.
Configuration Examples
This section describes how to configure DSVPN in different application scenarios when
different routing plans are used.
Common Configuration Errors
This section describes common faults caused by incorrect DSVPN configurations and
provides the troubleshooting procedure.
References
This section lists references of DSVPN.
7.3.10.6.1 Overview
This section describes the definition and functions of DSVPN.
Definition
Dynamic Smart Virtual Private Network (DSVPN) is a technology that allows virtual private
networks (VPNs) to be established dynamically between enterprise branches and between
branches and central offices in the Hub-Spoke model.
Purpose
The DSVPN technology allows enterprises to connect their central offices (Hubs) and branches
(Spokes) in different areas through the public network. Branches can dynamically establish
VPNs with the central office and with each other.
When a new branch is added to the network, the Hub needs to add and maintain the VPN
configuration for this branch. When a large number of branches exist on the network,
configuration on the Hub is complicated. Additionally, the configuration on the Hub must
be modified each time the network topology changes.
If traffic between two branches passes through the central office, forwarding the traffic
consumes resources of the central office and adds transmission delay. This is especially
noticeable when IP Security (IPSec) is used, because the central office must decrypt the
data packets sent from the source branch and then encrypt them again before sending
them to the destination branch.
If traffic between two branches does not pass through the central office and outbound
interfaces in the branches use dynamic addresses, they cannot obtain the address of each
other. Therefore, the two branches cannot establish a direct tunnel.
DSVPN uses the Next Hop Resolution Protocol (NHRP) to collect and maintain dynamic public
network addresses. This allows a device to obtain the public network address of its peer in
advance.
As shown in Figure 2, branches use dynamic addresses to access the public network and establish
Spoke-Spoke tunnels dynamically with each other for direct communication between them.
Besides, the multipoint Generic Routing Encapsulation (mGRE) technology allows one mGRE
tunnel interface to have multiple GRE tunnels. DSVPN uses the mGRE technology to simplify
subnet traffic management and configuration of GRE and IPSec.
Benefits
DSVPN implements dynamic connections between the central office and branches, and
between branches. Branches do not need to purchase static public network addresses.
The Hub and Spokes use a single mGRE tunnel interface instead of multiple GRE tunnel
interfaces to establish tunnels. When a new Spoke is added to the network, the network
administrator does not need to change configurations on the Hub or any existing Spokes.
The administrator only needs to configure the new Spoke, and then the Spoke
dynamically registers with the Hub.
Branches can dynamically establish tunnels to directly exchange service data, reducing
the forwarding delay and improving forwarding performance and efficiency.
7.3.10.6.2 Principles
This section describes the implementation of DSVPN.
Basic Concepts
Basic Principles
DSVPN NAT Traversal
DSVPN Dual-Hub Backup
IPSec-based DSVPN
On a network shown in Figure 1, the public network address is a Non-Broadcast Multiple Access
(NBMA) address and the tunnel address is a protocol address (see RFC2332).
DSVPN Node
A DSVPN node is a device on which DSVPN is deployed. A DSVPN node can be a Spoke or
Hub.
Spoke
A Spoke is the network gateway of a branch office. Generally, a Spoke uses a dynamic
public network address.
Hub
A Hub is a device in the central office and also an important device of the DSVPN
network. The Hub receives registration packets from Spokes. On the DSVPN network,
the Hub can use a fixed public network address or a domain name.
mGRE and mGRE Tunnel Interface
Source tunnel address: used by the transmission protocol to identify the packet source.
The source tunnel address is the source address of a GRE encapsulated packet, that is, the
public network address (NBMA address) in Figure 1.
Destination tunnel address: used by the transmission protocol to identify the packet
destination. The destination tunnel address is the destination address of the GRE
encapsulated packet.
Tunnel interface IP address: protocol address in Figure 1. Same as IP addresses of other
physical interfaces, a tunnel interface IP address contains routing information used for
communication between devices.
NOTE:
The destination IP address of a GRE tunnel interface is manually configured, whereas the
destination IP address of an mGRE tunnel is resolved by the NHRP protocol. An mGRE
tunnel interface has multiple remote ends and allows multiple GRE tunnels to be
established on the interface.
mGRE tunnel interfaces do not support keepalive detection.
NHRP
NHRP enables a source Spoke on an NBMA network to dynamically obtain the public network
address of a destination Spoke. When a Spoke connects to an NBMA network, it sends NHRP
Registration Request packets to the Hub by using the public network address of the outbound
interface as the source address. The Hub creates or updates NHRP mapping entries based on the
packets received. Two Spokes send NHRP Resolution Request and Reply packets to each other
to create or update their NHRP mapping entries.
Hub-Spoke Tunnel
The tunnel between the Hub and a Spoke shown in Figure 1 is a Hub-Spoke tunnel. Other Spokes
can also establish Hub-Spoke tunnels with the Hub.
On a DSVPN network, Spoke information is not configured on the Hub, but the public network
address or domain name of the Hub is statically configured on Spokes. When a Spoke connects
to the NBMA network, it sends NHRP Registration Request packets to the Hub to report the
public network address of its outbound interface. The Hub creates or updates NHRP mapping
entries based on the packets received.
Spoke-Spoke Tunnel
The tunnel between the Spokes shown in Figure 1 is a Spoke-Spoke tunnel.
When one Spoke transmits data to another Spoke, the source Spoke checks the routing table to
obtain the private address of the next hop. If the Spoke fails to obtain the public network address
corresponding to the private address in the local NHRP mapping entries, it sends NHRP
Resolution Request packets to obtain the public network address of the destination Spoke. After
obtaining the NHRP Resolution Reply packets, the Spokes use the mGRE interface to
dynamically establish a VPN tunnel for data transmission between them. The tunnel is
automatically removed if no packet is forwarded through it within a period.
A small- or medium-sized network has a few branches, and the branches can learn
routes from each other by deploying Non-Shortcut Scenario of DSVPN. In this scenario,
the next hop to a destination subnet is the tunnel address of the destination branch. This
deployment has a low requirement on the performance of the Hub and Spokes because
the devices only have to learn a small number of routes.
Shortcut Scenario of DSVPN: Branches have only summarized routes to the central office.
On a large-sized network with many branch subnets, Spokes need to learn many routes
from other branches. If the shortcut function is not configured, the Spokes have to save
routing information on the entire network. This requires Spokes to maintain a large
routing table and provide high performance because many CPU and memory resources
are consumed for computing of dynamic routing protocols. To reduce the number of
routes saved on Spokes, Shortcut Scenario of DSVPN can be deployed. In this scenario,
the next hop to a destination subnet is the tunnel address of the Hub.
Route Deployment
In the Non-Shortcut Scenario, Spokes establish direct tunnels between each other. The next hop
to a destination subnet is the tunnel address of the destination Spoke. Two routing plans are
provided to enable a Spoke to learn the route to its peer:
Each branch has static routes to the other branches. The destination address of a static
route is the subnet of the destination subnet, and the next hop is the tunnel address of the
destination Spoke.
DSVPN supports the Routing Information Protocol (RIP), Open Shortest Path First
(OSPF), and Border Gateway Protocol (BGP) to allow routes to be learned between
branches, and between branches and the central office. Configure the routing protocols on
the Hub and Spokes so that they can learn the routes dynamically.
Branches learn routes from each other, and each Spoke saves the routes to all branch subnets.
DSVPN uses the Next Hop Resolution Protocol (NHRP) to obtain dynamic public network
addresses of peer devices. Figure 1 shows the DSVPN working process in an application scenario
without the shortcut function.
Figure 1 Non-Shortcut Scenario of DSVPN
1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping entries,
and sends NHRP Registration Reply packets to the Spokes.
3. Spokes obtain routes to destination subnets using static routing or a dynamic routing
protocol. For a branch, the next hop address of the route to the destination branch is the
tunnel address of the peer Spoke.
4. To forward a packet, a source Spoke needs to obtain the public network address mapping
the tunnel address of the destination Spoke.
5. If the local NHRP mapping table does not contain the public network address mapping the
tunnel address of the destination Spoke, the source Spoke needs to obtain the public
network address from the Hub.
6. The source Spoke sends an NHRP Resolution Request packet to request the public
network address mapping the tunnel address of the destination Spoke.
7. The Hub receives the NHRP Resolution Request packet and forwards the packet to the
destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke in
response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.
In the Shortcut Scenario, the next hop to a destination subnet is the tunnel address of the Hub.
Two routing plans are provided to enable branch Spokes to save only summarized routes to the
Hub:
Each branch has static routes whose next hop to a destination subnet is the tunnel
address of the Hub.
DSVPN supports RIP, OSPF and BGP. Configure route summarization on the Hub and
dynamic routing protocols on the Spokes. Then Spokes learn only the summarized routes
to the Hub. The routing configuration on the Hub and Spokes varies according to the
routing protocol used on the network.
In the second routing plan, data traffic is sent to the Hub by default. Spokes do not learn routes
from each other. The Hub summarizes the routes to branch subnets and advertises the
summarized routes to Spokes. NHRP Resolution Request packets sent from a source Spoke are
forwarded to the destination Spoke by the Hub, and the destination Spoke resolves the received
NHRP Resolution Request packets and sends NHRP Resolution Reply packets in response.
DSVPN uses NHRP to obtain dynamic public network addresses of peer devices. Figure 2 shows
the DSVPN working process in an application scenario with the shortcut function.
Figure 2 Working principle of Shortcut Scenario of DSVPN
1. The public network address or domain name of the Hub is statically configured on
Spokes. All Spokes on the network send NHRP Registration Request packets to the Hub.
2. The Hub receives NHRP Registration Request packets, generates NHRP mapping entries
and sends NHRP Registration Reply packets to the Spokes.
3. Branch Spokes obtain the summarized routes to the central office according to static
configurations or using a routing protocol.
4. The source Spoke finds the public network address of the next hop, encapsulates a data
packet, and forwards the packet to the Hub.
5. After receiving the packet, the Hub sends the packet to the destination Spoke and sends
an NHRP Redirect packet to the source Spoke.
6. The source Spoke receives the NHRP Redirect packet and sends an NHRP Resolution
Request packet to the destination Spoke.
7. After receiving the NHRP Resolution Request packet, the Hub forwards it to
the destination Spoke.
8. The destination Spoke sends an NHRP Resolution Reply packet to the source Spoke in
response to the received NHRP Resolution Request packet.
9. The source and destination Spokes can directly exchange data traffic.
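The following toy model walks through both procedures above (Non-Shortcut and Shortcut) in code. It is an added example, not Huawei code or documentation; the Hub address 202.1.1.10 and the 192.168.x.0 subnets follow the configuration examples later in this chapter, while the Spoke addresses, the hop list returned by send, and the shortcut route installed on the source Spoke after a redirect are assumptions of the model.

```python
"""Toy model of DSVPN NHRP registration and resolution (added example, not Huawei code).

It follows the Non-Shortcut and Shortcut procedures described above: Spokes
register their tunnel -> NBMA mapping with the Hub, the first data flow triggers
an NHRP Resolution through the Hub, and afterwards the Spokes forward directly.
Addresses and subnets are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    tunnel: str                                   # tunnel interface (protocol) address
    nbma: str                                     # public network (NBMA) address
    nhrp: dict = field(default_factory=dict)      # tunnel address -> NBMA address
    routes: dict = field(default_factory=dict)    # destination subnet -> next-hop tunnel address


class DSVPN:
    """The NBMA network: a packet reaches a node only by its NBMA address."""

    def __init__(self, hub, spokes, shortcut=False):
        self.hub = hub
        self.shortcut = shortcut                  # nhrp redirect on the Hub, nhrp shortcut on Spokes
        self.by_nbma = {n.nbma: n for n in [hub, *spokes]}
        self.trace = []                           # readable record of the NHRP exchange

    def register(self):
        """Steps 1-2: every Spoke registers with the statically configured Hub address."""
        for node in self.by_nbma.values():
            if node is self.hub:
                continue
            node.nhrp[self.hub.tunnel] = self.hub.nbma     # static entry for the Hub
            self.hub.nhrp[node.tunnel] = node.nbma         # Registration Request -> Hub entry
            self.trace.append(f"{node.name} registered {node.tunnel} -> {node.nbma}")

    def resolve(self, src, dst_tunnel):
        """Resolution Request goes to the Hub, which forwards it to the destination
        Spoke; the destination answers the source directly. Returns True on success."""
        dst_nbma = self.hub.nhrp.get(dst_tunnel)
        if dst_nbma is None:                               # destination never registered
            self.trace.append(f"Hub cannot resolve {dst_tunnel}")
            return False
        dst = self.by_nbma[dst_nbma]
        dst.nhrp[src.tunnel] = src.nbma                    # request carries the source mapping
        src.nhrp[dst.tunnel] = dst.nbma                    # reply carries the destination mapping
        self.trace.append(f"{src.name} resolved {dst.tunnel} -> {dst.nbma} via Hub")
        return True

    def send(self, src, dst_subnet):
        """Forward one data packet from src; returns the names of the nodes it traverses."""
        next_hop = src.routes[dst_subnet]
        if next_hop != self.hub.tunnel:
            # Non-Shortcut (or an already installed shortcut route): next hop is the peer Spoke.
            if next_hop not in src.nhrp and not self.resolve(src, next_hop):
                return []                                  # unresolvable, packet dropped
            return [self.by_nbma[src.nhrp[next_hop]].name]
        # Shortcut scenario: the summarized route points at the Hub, which forwards the
        # packet and, if redirect is enabled, tells the source to resolve the real Spoke.
        dst_tunnel = self.hub.routes[dst_subnet]
        path = [self.hub.name, self.by_nbma[self.hub.nhrp[dst_tunnel]].name]
        if self.shortcut and self.resolve(src, dst_tunnel):
            src.routes[dst_subnet] = dst_tunnel            # shortcut route installed on src
        return path


def demo(shortcut):
    """Builds a Hub with two Spokes and sends two packets Spoke1 -> Spoke2."""
    hub = Node("Hub", "172.16.1.1", "202.1.1.10")
    spoke1 = Node("Spoke1", "172.16.1.2", "202.1.2.10")
    spoke2 = Node("Spoke2", "172.16.1.3", "202.1.3.10")
    hub.routes = {"192.168.1.0/24": spoke1.tunnel, "192.168.2.0/24": spoke2.tunnel}
    # Non-Shortcut: route learned from the branch, next hop is Spoke2's tunnel address;
    # Shortcut: only a summarized route whose next hop is the Hub's tunnel address.
    spoke1.routes = {"192.168.2.0/24": hub.tunnel if shortcut else spoke2.tunnel}
    net = DSVPN(hub, [spoke1, spoke2], shortcut=shortcut)
    net.register()
    first = net.send(spoke1, "192.168.2.0/24")
    second = net.send(spoke1, "192.168.2.0/24")
    return first, second, dict(spoke1.nhrp), list(net.trace)


if __name__ == "__main__":
    for mode in (False, True):
        first, second, nhrp, trace = demo(shortcut=mode)
        print("shortcut" if mode else "non-shortcut", first, second)
        print("\n".join(trace))
```

In the Shortcut run the first packet traverses the Hub and only the second goes Spoke-to-Spoke; in the Non-Shortcut run the resolution happens before the first packet leaves.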
Parent Topic: Principles
1. The Spokes send NHRP Registration Request packets to the Hub. The NHRP
Registration Request packets contain the public network addresses of the Spokes.
2. The NHRP module in the Hub detects whether NAT devices exist on the routes to the
Spokes. If NAT devices exist, the Hub sends NHRP Registration Reply packets to report
the translated public network addresses to the Spokes.
3. The source Spoke sends an NHRP Resolution Request packet with its original address
and the translated address to the destination Spoke.
4. The destination Spoke sends an NHRP Resolution Reply packet with its original
address and the translated address to the source Spoke.
5. The source Spoke and destination Spoke obtain each other's public network addresses
and establish a tunnel based on the addresses translated by NAT devices.
NOTE:
NAT traversal cannot be implemented on a DSVPN network if two branches use the
same NAT device and their original addresses are translated to the same public network
address.
NAT traversal cannot be implemented if two Spokes are behind different NAT devices,
and Port Address Translation (PAT) is enabled on the NAT devices.
When branches need to communicate with each other, the NAT devices must be
configured with a NAT server or static NAT. NAT traversal cannot be implemented if
inbound or outbound NAT is configured on the NAT devices.
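The NAT detection in step 2 and the three restrictions in the NOTE can be turned into a planning check that tells an operator which Spoke pairs can build a direct tunnel. This is an added example, not Huawei code; the nat_mode field represents what the operator knows about each NAT device (NHRP does not learn it from packets), and all addresses are constructed.

```python
"""Checks the DSVPN NAT-traversal constraints listed above (added example, not Huawei code).

The Hub detects NAT by comparing the NBMA address a Spoke writes into its NHRP
Registration Request with the source address of the outer IP header. Whether a
Spoke-Spoke tunnel can then be established depends on the NAT layout. The
nat_mode field stands for what the operator knows about the NAT device (an
assumption of this model: NHRP does not learn it). Addresses are constructed.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Registration:
    spoke: str
    claimed_nbma: str         # address carried inside the NHRP Registration Request
    observed_nbma: str        # outer IP source address of the request as seen by the Hub
    nat_mode: str = "none"    # "none", "static", "nat-server", "pat", "inbound", "outbound"


def registration_reply(reg):
    """Step 2: the Hub compares inner and outer addresses and, if they differ,
    reports the translated address back to the Spoke in the Registration Reply."""
    if reg.claimed_nbma != reg.observed_nbma:
        return {"nat": True, "translated": reg.observed_nbma}
    return {"nat": False, "translated": reg.claimed_nbma}


def spoke_to_spoke_verdict(a, b):
    """Returns (ok, reason) for a direct tunnel between Spokes a and b, following
    the three restrictions in the NOTE above."""
    a_nat = registration_reply(a)["nat"]
    b_nat = registration_reply(b)["nat"]
    if not a_nat and not b_nat:
        return True, "no NAT on either side"
    if a_nat and b_nat and a.observed_nbma == b.observed_nbma:
        return False, "both Spokes are translated to the same public address (same NAT device)"
    for reg in (a, b):
        if not registration_reply(reg)["nat"]:
            continue
        if reg.nat_mode == "pat":
            return False, f"{reg.spoke} is behind PAT (static NAT or NAT server required)"
        if reg.nat_mode not in ("static", "nat-server"):
            return False, f"{reg.spoke} uses {reg.nat_mode} NAT; static NAT or NAT server is required"
    return True, "tunnel endpoints use the NAT-translated addresses"


def plan(registrations):
    """Evaluates every Spoke pair; returns {(spoke_a, spoke_b): (ok, reason)}."""
    return {(a.spoke, b.spoke): spoke_to_spoke_verdict(a, b)
            for a, b in combinations(registrations, 2)}


# Constructed registrations: Spoke1 has a public address, Spoke2 sits behind static
# NAT, Spoke3 and Spoke4 share one NAT device (one outbound address), Spoke5 is behind PAT.
SAMPLE = [
    Registration("Spoke1", "202.1.2.10", "202.1.2.10"),
    Registration("Spoke2", "10.0.2.1", "202.1.3.10", nat_mode="static"),
    Registration("Spoke3", "10.0.3.1", "202.1.4.10", nat_mode="outbound"),
    Registration("Spoke4", "10.0.4.1", "202.1.4.10", nat_mode="outbound"),
    Registration("Spoke5", "10.0.5.1", "202.1.5.10", nat_mode="pat"),
]

if __name__ == "__main__":
    for pair, (ok, reason) in plan(SAMPLE).items():
        print(f"{pair[0]}-{pair[1]}: {'OK' if ok else 'NOT SUPPORTED'} ({reason})")
```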
As shown in Figure 1, the DSVPN network uses two Hubs. The detailed principles are as follows:
1. All branch Spokes send NHRP Registration Request packets to Hub1 (the master) and
Hub2 (the backup) simultaneously. An NHRP Registration Request packet contains the
tunnel address and the public network address of the sender Spoke. Meanwhile, the Spokes
generate local NHRP mapping entries to record the mappings between the tunnel
addresses and public network addresses of the two Hubs.
2. Hub1 and Hub2 generate local NHRP mapping entries between tunnel addresses and
public network addresses of the Spokes based on the NHRP Registration Request packets
received, and send NHRP Registration Reply packets to the Spokes.
3. Routing policies are deployed on the Spokes so that routes to Hub1 have a higher priority
than those to Hub2. When the Spokes communicate with each other, they prefer to send
NHRP Resolution Request packets to Hub1.
4. For details about how Spokes establish tunnels based on the data traffic, see Non-Shortcut
Scenario of DSVPN and Shortcut Scenario of DSVPN.
5. When Hub1 fails, the Spokes send NHRP Resolution Request packets to Hub2. When
Hub1 recovers, the Spokes choose Hub1 for data transmission based on the defined
routing policies.
On the DSVPN network, IPSec profiles are configured on mGRE interfaces on the Hub and
Spokes. The mechanism of DSVPN over IPSec is as follows:
1. All the Spokes on the network send NHRP Registration Request packets to the Hub and
report the NHRP mapping entries to IPSec. The Internet Key Exchange (IKE) modules of
the Spokes and the Hub negotiate with each other for IPSec tunnel parameters.
2. The Hub generates local NHRP mapping entries between tunnel addresses and public
network addresses of the Spokes based on the NHRP Registration Request packets
received. The Hub then sends NHRP Registration Reply packets to the Spokes.
3. The Spokes trigger an mGRE tunnel immediately when they transmit traffic. For details
about how to establish an mGRE tunnel, see Non-Shortcut Scenario of DSVPN and Shortcut
Scenario of DSVPN.
4. After the Spokes establish an mGRE tunnel, the IPSec module obtains NHRP mapping
entries, adds or deletes IPSec peers based on the mapping entries, and triggers the Spokes
to dynamically establish an IPSec tunnel.
5. After an IPSec tunnel is established between the Spokes, packets are routed based on the
destination IP addresses. If the outbound interface is an mGRE interface, the Spoke
searches the NHRP mapping table for the public network address mapping the next hop
private address. After obtaining the public network address, the Spoke searches for the
IPSec security association (SA) matching the public network address to encrypt the
packets and send them.
7.3.10.6.3 Applications
This section describes the applicable scenario of DSVPN.
As shown in Figure 1, Spoke1 and Spoke2 connect to the Hub through the public network.
DSVPN is deployed to enable Spoke1 and Spoke2 to learn routes from each other. Spoke1 and
Spoke2 can communicate with each other directly because they are each other's next hop.
As shown in Figure 1, all the Spokes only have routes to the Hub. When two Spokes need to
communicate with each other, the first packet is sent to the Hub. After that, a tunnel is
established between the Spokes, and the Spokes can directly exchange data traffic.
None
DSVPN License
The DSVPN function requires a license. By default, the DSVPN function cannot be used on
the device.
To use the DSVPN function, apply for and purchase the following license from the Huawei local
office:
NOTE:
DSVPN is a Huawei proprietary protocol and can only be used to interconnect AR routers.
AR150&AR160&AR200 series:
o AR150&160&200 Value-Added Security Package
o AR150&160&200 DSVPN (Dynamic Smart VPN) Function
AR1200 series:
o AR1200 Value-Added Security Package
o AR1200 DSVPN (Dynamic Smart VPN) Function
AR2200 series:
o AR2200 Value-Added Security Package
o AR2200 DSVPN (Dynamic Smart VPN) Function
AR3200 series:
o AR3200 Value-Added Security Package
o AR3200 DSVPN (Dynamic Smart VPN) Function
AR3600 series:
o AR3600 Value-Added Security Package
o AR3600 DSVPN (Dynamic Smart VPN) Function
When IPSec tunnels are deployed on the DSVPN network, rapidly updating the NHRP mapping
table will cause IKE re-negotiation and may even interrupt services. Do not update the NHRP
mapping table frequently.
Pre-configuration Tasks
Configuring public network addresses to ensure that routes between nodes are reachable
Configuration Process
Perform the following operations on the Hub and Spokes to configure DSVPN. Configuring an
IPSec profile is optional, but you are advised to do so to protect packets against attacks,
because NHRP itself does not encrypt or decrypt packets.
Configuring mGRE
Configuring Routes
Configuring NHRP
(Optional) Configuring an IPSec Profile
Checking the Configuration
Parent Topic: DSVPN Configuration
To implement DSVPN, create a tunnel interface and set the interface type to Multipoint GRE
(mGRE). You only need to configure the source address or source interface but not the
destination address on the mGRE interface. An mGRE tunnel interface has multiple remote ends
and allows multiple GRE tunnels to be established on the interface. This simplifies GRE
configuration on devices.
Procedure
1. Run:
system-view
2. Run:
3. Run:
4. Run:
NOTICE:
Changing the encapsulation mode of a tunnel interface deletes other parameters of the
tunnel interface, including the source address or source interface configured for the
tunnel interface, and NHRP parameters.
5. Run:
The source address or source interface is configured for the tunnel interface.
6. (Optional) Run:
When multiple mGRE tunnel interfaces are configured with the same source address or
source interface, run this command to set a key number for each interface.
NOTICE:
If plain is selected, the password is saved in the configuration file in plain text. This
brings security risks. It is recommended that you select cipher to save the password in
cipher text.
The routes forwarded by a tunnel must be available on branches and the central office so that
packets encapsulated with mGRE can be forwarded correctly. These routes can be static routes
or dynamic routes.
DSVPN provides two route deployments to meet the requirements in different scenarios.
Non-Shortcut Scenario of DSVPN: Branches learn routes from each other.
A small- or medium-sized network has a few branches, and the branches can learn routes
from each other by deploying Non-Shortcut Scenario of DSVPN. In this scenario, the
next hop to a destination subnet is the tunnel address of the destination branch. This
deployment has a low requirement on the performance of the Hub and Spokes because
the devices only have to learn a small number of routes.
Shortcut Scenario of DSVPN: Branches have only summarized routes to the central
office.
On a large-sized network with many branch subnets, Spokes need to learn many routes
from other branches. If the shortcut function is not configured, the Spokes must save
routing information on the entire network. This requires Spokes to maintain a large
routing table and provide high performance because many CPU and memory resources
are consumed for computing of dynamic routing protocols. To reduce the number of
routes saved on Spokes, Shortcut Scenario of DSVPN can be deployed. In this scenario,
the next hop to a destination subnet is the tunnel address of the Hub.
Perform the following operations on the Hub and Spokes to deploy routes in a non-shortcut
scenario and a shortcut scenario.
Procedure
1. Run:
system-view
2. Run:
NOTE:
You must configure static routes on both the Hub and Spokes, and set the
next hop as the address of the tunnel interface on the peer device.
1. Run:
system-view
Dynamic routes can be implemented using RIP, OSPF, or BGP. For the
configuration of a dynamic routing protocol, see Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Unicast Routing.
NHRP enables a source Spoke on a public network to dynamically obtain the public network
address of a destination Spoke. When a Spoke connects to a public network, it sends NHRP
Registration Request packets to the Hub by using the public network address of the outbound
interface. The Hub creates or updates NHRP mapping entries based on the packets received. Two
Spokes exchange NHRP Resolution Request and Reply packets to create or update NHRP
mapping entries between them.
Perform the following operations on the Hub and Spokes in a non-shortcut scenario and a
shortcut scenario.
NOTICE:
When configuring the NHRP authentication string, if simple is selected, the password is saved in
the configuration file in plain text. This brings security risks. It is recommended that you select
cipher to save the password in cipher text.
Procedure
1. Run:
system-view
2. Run:
3. (Optional) Run:
4. Run:
nhrp entry multicast dynamic
Dynamically registered branches are added to the NHRP multicast member table.
5. (Optional) Run:
6. (Optional) Run:
7. Run:
nhrp redirect
Perform this operation only in the non-shortcut scenario. By default, the NHRP
redirect function is disabled.
1. Run:
system-view
2. Run:
3. (Optional) Run:
4. Run:
When the track apn parameter is specified, whether the NHRP mapping entry
takes effect depends on the APN status. If the APN is valid, the NHRP mapping
entry takes effect; otherwise, the configuration is saved but the NHRP mapping
entry does not take effect.
5. (Optional) Run:
New NHRP mapping entries are allowed to override conflicting NHRP mapping
entries during NHRP registration.
6. (Optional) Run:
NOTE:
7. (Optional) Run:
9. Run:
nhrp shortcut
Perform this operation on the Spoke only in the shortcut scenario. By default, the
NHRP shortcut function is disabled.
Data transmitted between the central office and a branch, and between branches can be encrypted
to increase data security. Binding an IPSec profile to DSVPN can dynamically establish an
mGRE over IPSec tunnel.
Before configuring an IPSec profile for DSVPN, you need to perform the following operations:
After completing the preceding configuration, perform the following operations on the Hub and
Spokes.
Procedure
1. Run:
system-view
2. Run:
3. Run:
ike-peer peer-name
4. Run:
proposal proposal-name
5. (Optional) Run:
NOTICE:
If PFS is specified on the local end, you also need to specify PFS on the remote peer. The
Diffie-Hellman groups specified on the two ends must be the same. Otherwise, the
negotiation fails.
6. Run:
quit
7. Run:
9. Run:
Procedure
Run the display nhrp peer command to check NHRP mapping entries.
Run the display nhrp peer maximum-history command to check the history statistics on
NHRP peer entries.
Run the display ipsec profile [ brief | name profile-name ] command to check the IPSec
profile configuration.
Run the display ipsec sa profile profile-name command to check the information of the IPSec
SA.
NOTICE:
Statistics cannot be restored after being cleared. Therefore, confirm the action before you run the
command.
Procedure
Run the reset nhrp statistics interface tunnel interface-number command in the user view
to clear the NHRP packet statistics on a specified tunnel interface.
Run the reset nhrp peer maximum-history command in the user view to clear the history
statistics on NHRP peer entries.
Procedure
Run the display nhrp statistics interface tunnel interface-number command to check
NHRP packet statistics.
A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The network between the Hub and Spokes is stable. The Spokes use
dynamic addresses to connect to the public network.
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. Static routes can be configured to realize communication between the Hub and Spokes
because the network is stable. This simplifies configuration and maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not mentioned here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
[Spoke2] ip route-static 192.168.0.0 255.255.255.0 172.16.1.1
[Spoke2] ip route-static 192.168.1.0 255.255.255.0 172.16.1.2
Configure tunnel interfaces on Hub and Spokes and configure static NHRP peer entries
of Spoke1 and Spoke2.
# Configure a tunnel interface and a static NHRP peer entry of Hub on Spoke1.
# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
Run the display ip routing-table protocol static command on Hub. The command
output is as follows:
# Run the display ip routing-table protocol static command on Spoke1. The command
output is as follows:
# Run the display ip routing-table protocol static command on Spoke2. The command
output is as follows:
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
Configuration Files
A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The networks of the central office and branches frequently change. The
Spokes use dynamic addresses to connect to the public network. Routing Information Protocol
(RIP) is used on the enterprise network.
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. RIP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not mentioned here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
[Hub] rip 1
[Hub-rip-1] version 2
[Hub-rip-1] undo summary
[Hub-rip-1] network 172.16.0.0
[Hub-rip-1] quit
# Configure Spoke1.
[Spoke1] rip 1
[Spoke1-rip-1] version 2
[Spoke1-rip-1] network 172.16.0.0
[Spoke1-rip-1] network 192.168.1.0
[Spoke1-rip-1] quit
# Configure Spoke2.
[Spoke2] rip 1
[Spoke2-rip-1] version 2
[Spoke2-rip-1] network 172.16.0.0
[Spoke2-rip-1] network 192.168.2.0
[Spoke2-rip-1] quit
NOTE:
The RIP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke1.
# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
# Run the display nhrp peer all command on Hub. The command output is as follows:
# Run the display rip 1 route command on Hub. The command output is as follows:
# Run the display rip 1 route command on Spoke1. The command output is as follows:
# Run the display rip 1 route command on Spoke2. The command output is as follows:
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
[Spoke1] ping -a 192.168.1.1 192.168.2.1
PING 192.168.2.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.1: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=2 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=3 ttl=255 time=1 ms
Reply from 192.168.2.1: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 192.168.2.1: bytes=56 Sequence=5 ttl=255 time=1 ms
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
Configuration Files
A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) which are
located in different areas. The networks of the central office and branches frequently change. The
Spokes use dynamic addresses to connect to the public network. Open Shortest Path First
(OSPF) is used on the enterprise network.
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not mentioned here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
# Configure Spoke1.
[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# Configure Spoke2.
NOTE:
The OSPF configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
Set the OSPF network type to broadcast on Hub and Spokes to allow Spokes to learn
routes from each other. Configure static NHRP mapping entries of Hub on Spoke1 and
Spoke2.
# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
# Run the display ospf 1 routing command on Hub. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke1. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
Configuration Files
A small enterprise has a central office (Hub) and two branches (Spoke1 and Spoke2) that are
located in different areas and belong to different ASs. The networks of the central office and
branches change frequently. The Spokes use dynamic addresses to connect to the public network.
On the enterprise network, Open Shortest Path First (OSPF) is used for intra-AS routing and
External Border Gateway Protocol (EBGP) is used for inter-AS routing.
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Non-Shortcut Scenario of DSVPN is implemented because the enterprise has a small
number of branches.
3. The networks of the central office and branches frequently change. BGP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
Configure OSPF to implement reachable routes between Hub and Spokes that are located
in different ASs.
# Configure Hub.
[Hub] ospf 1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit
# Configure Spoke1.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# Configure Spoke2.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
NOTE:
The basic BGP configuration on a Spoke subnet is given as an example. Perform the
same configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
Configure route attributes on Hub and Spokes to allow Spokes to learn routes from each
other. Configure static NHRP mapping entries of Hub on Spoke1 and Spoke2.
NOTE:
In the non-shortcut scenario, configure BGP and set relevant attributes in the BGP view.
# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke1.
# Configure a tunnel interface and a static NHRP mapping entry of Hub on Spoke2.
Run the display bgp routing-table command on Hub. The command output is as
follows:
Run the display bgp routing-table command on Spoke1. The command output is as
follows:
Run the display bgp routing-table command on Spoke2. The command output is as
follows:
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10      172.16.1.1      static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:38
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10      172.16.1.2      dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:36
Expire time     : 01:52:24
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10      172.16.1.3      dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:36
Expire time     : 01:52:24
NOTE:
When you run the display nhrp peer all command on Spoke1 and Spoke2, you can see the
static NHRP mapping entry of Hub and a dynamic NHRP mapping entry for the other Spoke.
The exchange of BGP packets between the Spokes triggers them to establish a dynamic tunnel.
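To check the mapping table this NOTE describes without reading it by eye, here is an added Python example (not from the Huawei documentation) that parses the Spoke2 output above and audits it: every static entry must be a configured Hub, every Hub must be present as a static entry, and learned entries must age out. parse_nhrp_peers(), audit_spoke_peers() and EXPECTED_HUBS are names chosen for this example; the expected Hub mapping is the one in the Spoke configuration files on this page.

```python
"""Parse 'display nhrp peer all' output and audit a Spoke's NHRP mapping table.

Added example, not from the Huawei documentation. SAMPLE is the Spoke2 output
shown above; EXPECTED_HUBS (hub tunnel address -> hub NBMA address) comes from
the 'nhrp entry ... register' line in the Spoke configuration files.
"""
import re
from dataclasses import dataclass

SAMPLE = """\
[Spoke2] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.1       32    202.1.1.10      172.16.1.1      static   hub
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:38
Expire time     : --
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10      172.16.1.2      dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:36
Expire time     : 01:52:24
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr       NextHop-addr    Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10      172.16.1.3      dynamic  local
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:07:36
Expire time     : 01:52:24
"""

EXPECTED_HUBS = {"172.16.1.1": "202.1.1.10"}   # from 'nhrp entry 172.16.1.1 202.1.1.10 register'

@dataclass
class NhrpPeer:
    protocol_addr: str   # tunnel (protocol) address of the peer
    mask: int
    nbma_addr: str       # public (NBMA) address the GRE packets are sent to
    nexthop_addr: str
    kind: str            # "static" (configured) or "dynamic" (learned)
    flags: tuple         # ("hub",), ("route", "tunnel"), ("local",), ...
    tunnel: str = ""
    created: str = ""
    expire: str = ""     # "--" means the entry never ages out

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ROW = re.compile(rf"^({_IP})\s+(\d+)\s+({_IP})\s+({_IP})\s+(static|dynamic)\s*(.*)$")
_KV = re.compile(r"^(Tunnel interface|Created time|Expire time)\s*:\s*(\S*)")

def parse_nhrp_peers(text):
    """Return the NhrpPeer entries found in 'display nhrp peer all' output, in order."""
    peers = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _ROW.match(line):
            peers.append(NhrpPeer(m[1], int(m[2]), m[3], m[4], m[5], tuple(m[6].split())))
        elif (m := _KV.match(line)) and peers:
            # the key/value lines that follow a row describe that row
            attr = {"Tunnel interface": "tunnel", "Created time": "created",
                    "Expire time": "expire"}[m[1]]
            setattr(peers[-1], attr, m[2])
    return peers

def audit_spoke_peers(peers, expected_hubs):
    """Return findings for a Spoke's table; an empty list means it matches the design.

    A static mapping to anything but a configured Hub sends Hub-bound traffic to
    the wrong NBMA address, every Hub must be present as a static entry, and
    dynamically learned entries are expected to carry an expiry time.
    """
    findings, seen = [], set()
    for p in peers:
        if p.kind == "static":
            if expected_hubs.get(p.protocol_addr) != p.nbma_addr:
                findings.append(f"unexpected static mapping {p.protocol_addr} -> {p.nbma_addr}")
            else:
                seen.add(p.protocol_addr)
        elif "local" not in p.flags:
            if p.protocol_addr in expected_hubs:
                findings.append(f"hub {p.protocol_addr} learned dynamically, not from a static entry")
            if p.expire == "--":
                findings.append(f"dynamic entry {p.protocol_addr} never expires")
    findings += [f"static mapping for hub {h} is missing" for h in expected_hubs if h not in seen]
    return findings

if __name__ == "__main__":
    table = parse_nhrp_peers(SAMPLE)
    for p in table:
        print(f"{p.protocol_addr:<12} {p.kind:<8} {' '.join(p.flags):<13} expires {p.expire}")
    print("findings:", audit_spoke_peers(table, EXPECTED_HUBS) or "none")
```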
Run the display nhrp peer all command on Hub. The command output is as follows:
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
NOTE:
After running the ping command, the NHRP mapping entries in the command output on
Spoke1 and Spoke2 are the same as those displayed in step 7.
Configuration Files
Configuration file of Hub
#
sysname Hub
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp entry multicast dynamic
#
bgp 100
router-id 172.16.1.1
peer 172.16.1.2 as-number 200
peer 172.16.1.3 as-number 300
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 172.16.1.2 enable
peer 172.16.1.3 enable
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.1.0 0.0.0.255
#
return
Configuration file of Spoke1
#
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 200
router-id 172.16.1.2
peer 172.16.1.1 as-number 100
peer 172.16.1.3 as-number 300
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 172.16.1.1 enable
peer 172.16.1.3 enable
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.2.0 0.0.0.255
#
return
Configuration file of Spoke2
#
sysname Spoke2
#
interface GigabitEthernet1/0/0
ip address 202.1.3.10 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 300
router-id 172.16.1.3
peer 172.16.1.1 as-number 100
peer 172.16.1.2 as-number 200
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 172.16.1.1 enable
peer 172.16.1.2 enable
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.3.0 0.0.0.255
#
return
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
A large-scale enterprise has a central office (Hub) and multiple branches that are located in
different areas (this example shows only two Spokes, Spoke1 and Spoke2). The networks of the
central office and branches change frequently. The Spokes use dynamic addresses to connect to
the public network. Routing Information Protocol (RIP) is used on the enterprise network.
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. RIP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
[Hub] rip 1
[Hub-rip-1] version 2
[Hub-rip-1] network 172.16.0.0
[Hub-rip-1] network 192.168.0.0
[Hub-rip-1] quit
# Configure Spoke1.
[Spoke1] rip 1
[Spoke1-rip-1] version 2
[Spoke1-rip-1] network 172.16.0.0
[Spoke1-rip-1] network 192.168.1.0
[Spoke1-rip-1] quit
# Configure Spoke2.
[Spoke2] rip 1
[Spoke2-rip-1] version 2
[Spoke2-rip-1] network 172.16.0.0
[Spoke2-rip-1] network 192.168.2.0
[Spoke2-rip-1] quit
NOTE:
The RIP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
Configure RIP-2 route summarization on Hub and RIP-2 on the Spokes, so that the
Spokes have reachable routes to Hub. Enable the NHRP redirect function on Hub.
Configure NHRP mapping entries of Hub and enable the NHRP shortcut function on
Spoke1 and Spoke2.
# On Hub, configure a tunnel interface, configure RIP, and enable the NHRP redirect
function.
NOTE:
When configuring route summarization, the specified summarized address must exist on
the local device. Therefore, a LoopBack address must be configured.
# On Spoke1, configure a tunnel interface, RIP, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
# On Spoke2, configure a tunnel interface, RIP, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
# Run the display rip 1 route command on Hub. The command output is as follows:
# Run the display rip 1 route command on Spoke1. The command output is as follows:
# Run the display rip 1 route command on Spoke2. The command output is as follows:
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
Configuration Files
Configuration file of Hub
#
sysname Hub
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
rip version 2 multicast
rip summary-address 192.168.0.0 255.255.0.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp redirect
nhrp entry multicast dynamic
#
rip 1
version 2
network 172.16.0.0
network 192.168.0.0
#
ospf 2
area 0.0.0.1
network 202.1.1.0 0.0.0.255
#
return
Configuration file of Spoke1
#
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
rip version 2 multicast
nhrp shortcut
nhrp entry 172.16.1.1 202.1.1.10 register
#
rip 1
version 2
network 172.16.0.0
network 192.168.1.0
#
ospf 2
area 0.0.0.1
network 202.1.2.0 0.0.0.255
#
return
Configuration file of Spoke2
#
sysname Spoke2
#
interface GigabitEthernet1/0/0
ip address 202.1.3.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
rip version 2 multicast
nhrp shortcut
nhrp entry 172.16.1.1 202.1.1.10 register
#
rip 1
version 2
network 172.16.0.0
network 192.168.2.0
#
ospf 2
area 0.0.0.1
network 202.1.3.0 0.0.0.255
#
return
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
NOTE:
The OSPF configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hub and Spokes.
Enable the NHRP redirect function on Hub. Configure NHRP mapping entries of Hub
and enable the NHRP shortcut function on Spoke1 and Spoke2.
# On Hub, configure a tunnel interface, configure OSPF, and enable the NHRP redirect
function.
# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke1-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke1-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke1-Tunnel0/0/0] ospf network-type p2mp
[Spoke1-Tunnel0/0/0] nhrp shortcut
[Spoke1-Tunnel0/0/0] quit
# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
# Run the display ospf 1 routing command on Hub. The command output is as follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke1. The command output is as follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
Configuration Files
A large-scale enterprise has a central office (Hub) and multiple branches that are located in
different areas and belong to different ASs (this example shows only two Spokes, Spoke1 and
Spoke2). The networks of the central office and branches change frequently. The Spokes use
dynamic addresses to connect to the public network. On the enterprise network, Open Shortest
Path First (OSPF) is used for intra-AS routing and External Border Gateway Protocol (EBGP) is
used for inter-AS routing.
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. BGP is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
Configure OSPF to implement reachable routes between Hub and Spokes that are located
in different ASs.
# Configure Hub.
[Hub] ospf 1
[Hub-ospf-1] area 0.0.0.0
[Hub-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[Hub-ospf-1-area-0.0.0.0] quit
[Hub-ospf-1] quit
# Configure Spoke1.
[Spoke1] ospf 1
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# Configure Spoke2.
[Spoke2] ospf 1
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
NOTE:
The BGP configuration on a Spoke subnet is given as an example. Perform the same
configuration on other Spoke subnets.
When the subnet of a branch changes, you only need to configure the dynamic routing
policy on the local device.
# Configure Hub.
NOTE:
When configuring route summarization, the specified summarized address must exist on
the local device. Therefore, a LoopBack address must be configured.
# Configure Spoke1.
# Configure Spoke2.
Configure route attributes on Hub and Spokes to ensure that the routes from the Spokes
to Hub are reachable. Enable the NHRP redirect function on Hub. Configure NHRP
mapping entries of Hub and enable the NHRP shortcut function on Spoke1 and Spoke2.
NOTE:
In the shortcut scenario, configure BGP and set relevant attributes in the BGP view.
# On Hub, configure a tunnel interface and enable the NHRP redirect function.
# On Spoke1, configure a tunnel interface and a static NHRP mapping entry of Hub, and
enable the NHRP shortcut function.
# On Spoke2, configure a tunnel interface and a static NHRP mapping entry of Hub, and
enable the NHRP shortcut function.
Run the display bgp routing-table command on Hub. The command output is as
follows:
[Hub] display bgp routing-table
Run the display bgp routing-table command on Spoke1. The command output is as
follows:
Run the display bgp routing-table command on Spoke2. The command output is as
follows:
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
Configuration Files
Configuration file of Hub
#
sysname Hub
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface LoopBack0
ip address 192.168.0.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp redirect
nhrp entry multicast dynamic
#
bgp 100
router-id 172.16.1.1
peer 172.16.1.2 as-number 200
peer 172.16.1.3 as-number 300
#
ipv4-family unicast
undo synchronization
import-route ospf 1
aggregate 192.168.0.0 16 detail-suppressed
peer 172.16.1.2 enable
peer 172.16.1.3 enable
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.1.0 0.0.0.255
#
return
Configuration file of Spoke1
#
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.1.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp shortcut
nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 200
router-id 172.16.1.2
peer 172.16.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 172.16.1.1 enable
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.2.0 0.0.0.255
#
return
Configuration file of Spoke2
#
sysname Spoke2
#
interface GigabitEthernet1/0/0
ip address 202.1.3.10 255.255.255.0
#
interface GigabitEthernet2/0/0
ip address 192.168.2.1 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.3 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp shortcut
nhrp entry 172.16.1.1 202.1.1.10 register
#
bgp 300
router-id 172.16.1.3
peer 172.16.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route ospf 1
peer 172.16.1.1 enable
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ospf 2
area 0.0.0.1
network 202.1.3.0 0.0.0.255
#
return
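A consistency check across the Hub and Spoke files above, as an added Python example that is not part of the Huawei documentation: it splits the '#'-separated blocks, derives the Hub's tunnel address and NBMA address from its Tunnel0/0/0 and source interface, and verifies that each Spoke's static 'nhrp entry ... register' names exactly that pair, shares the tunnel subnet, uses mGRE, and carries 'nhrp shortcut' when the Hub carries 'nhrp redirect'. The sample files are the interface sections of the Hub and Spoke1 files above; parse_config(), tunnel_view() and audit_dsvpn() are names chosen here.

```python
"""Cross-check the DSVPN tunnel settings in Hub and Spoke configuration files.

Added example, not from the Huawei documentation. The two sample files are the
interface sections of the Hub and Spoke1 configuration files above (shortcut
scenario); audit_dsvpn() and the other helpers are names chosen here.
"""
import ipaddress

HUB_CFG = """\
sysname Hub
#
interface GigabitEthernet1/0/0
ip address 202.1.1.10 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.1 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp redirect
nhrp entry multicast dynamic
#
"""

SPOKE1_CFG = """\
sysname Spoke1
#
interface GigabitEthernet1/0/0
ip address 202.1.2.10 255.255.255.0
#
interface Tunnel0/0/0
ip address 172.16.1.2 255.255.255.0
tunnel-protocol gre p2mp
source GigabitEthernet1/0/0
nhrp shortcut
nhrp entry 172.16.1.1 202.1.1.10 register
#
"""

def parse_config(text):
    """Split a Huawei configuration file into {block header: [lines]} at the '#' separators."""
    blocks, current = {}, []
    for raw in text.splitlines() + ["#"]:
        line = " ".join(raw.split())          # normalise indentation and spacing
        if line in ("#", "return"):
            if current:
                blocks[current[0]] = current[1:]
            current = []
        elif line:
            current.append(line)
    return blocks

def interface_ip(blocks, name):
    """IPv4Interface configured with 'ip address A M' on interface `name`, or None."""
    for line in blocks.get(f"interface {name}", []):
        w = line.split()
        if w[:2] == ["ip", "address"] and len(w) == 4:
            return ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")
    return None

def tunnel_view(blocks):
    """(sysname, tunnel lines, tunnel address, NBMA address of the tunnel's source interface)."""
    name = next((h.split(maxsplit=1)[1] for h in blocks if h.startswith("sysname ")), "?")
    tun = next((h.split()[1] for h in blocks if h.startswith("interface Tunnel")), None)
    lines = blocks.get(f"interface {tun}", [])
    src = next((l.split()[1] for l in lines if l.startswith("source ")), None)
    return (name, lines, interface_ip(blocks, tun) if tun else None,
            interface_ip(blocks, src) if src else None)

def audit_dsvpn(hub_cfg, spoke_cfgs, shortcut):
    """Return findings (empty = consistent). `shortcut` adds the redirect/shortcut checks."""
    findings = []
    hub, hlines, hub_tun, hub_nbma = tunnel_view(parse_config(hub_cfg))
    if hub_tun is None or hub_nbma is None:
        return [f"{hub}: tunnel address or tunnel source address is missing"]
    if "tunnel-protocol gre p2mp" not in hlines:
        findings.append(f"{hub}: tunnel must be mGRE (tunnel-protocol gre p2mp)")
    if "nhrp entry multicast dynamic" not in hlines:
        findings.append(f"{hub}: missing 'nhrp entry multicast dynamic' for routing-protocol multicast")
    if shortcut and "nhrp redirect" not in hlines:
        findings.append(f"{hub}: shortcut scenario needs 'nhrp redirect' on the Hub tunnel")
    want = f"nhrp entry {hub_tun.ip} {hub_nbma.ip} register"   # the mapping every Spoke must carry
    for cfg in spoke_cfgs:
        spoke, slines, spoke_tun, _ = tunnel_view(parse_config(cfg))
        if spoke_tun is None:
            findings.append(f"{spoke}: no addressed tunnel interface")
            continue
        if spoke_tun.network != hub_tun.network:
            findings.append(f"{spoke}: tunnel {spoke_tun} is outside the Hub tunnel subnet {hub_tun.network}")
        if "tunnel-protocol gre p2mp" not in slines:
            findings.append(f"{spoke}: tunnel must be mGRE (tunnel-protocol gre p2mp)")
        if want not in slines:
            findings.append(f"{spoke}: missing '{want}' (static mapping must match the Hub)")
        if shortcut and "nhrp shortcut" not in slines:
            findings.append(f"{spoke}: shortcut scenario needs 'nhrp shortcut' on the Spoke tunnel")
    return findings

if __name__ == "__main__":
    print(audit_dsvpn(HUB_CFG, [SPOKE1_CFG], shortcut=True) or "Hub and Spoke1 are consistent")
```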
An enterprise has a central office (Hub) and multiple branches that are located in different
areas (this example shows only two Spokes, Spoke1 and Spoke2). The subnets of the branches
change frequently. The Spokes use addresses translated by NAT devices to connect to the public
network. Open Shortest Path First (OSPF) is used on the enterprise network.
Configuration Roadmap
1. Because a Spoke uses a translated address to connect to the public network, it does not
know the translated public address of the other Spoke. DSVPN NAT traversal is
implemented to establish a VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
Procedure
1. Assign an IP address to each interface.
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[NAT1] ospf 2
[NAT1-ospf-2] import-route unr
[NAT1-ospf-2] area 0.0.0.1
[NAT1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[NAT1-ospf-2-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[NAT1-ospf-2-area-0.0.0.1] quit
[NAT1-ospf-2] quit
[NAT2] ospf 2
[NAT2-ospf-2] import-route unr
[NAT2-ospf-2] area 0.0.0.1
[NAT2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[NAT2-ospf-2-area-0.0.0.1] network 10.2.2.0 0.0.0.255
[NAT2-ospf-2-area-0.0.0.1] quit
[NAT2-ospf-2] quit
# Configure OSPF on Spoke1.
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
# Configure OSPF on Spoke2.
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 10.2.2.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
3. Configure NAT.
# Configure NAT1.
# Configure NAT2.
NOTE:
The NAT devices must be configured with a NAT server or static NAT. NAT traversal
cannot be implemented if outbound NAT is configured on the NAT devices.
# Configure Hub.
# Configure Spoke1.
[Spoke1] ospf 1 router-id 172.16.1.2
[Spoke1-ospf-1] area 0.0.0.0
[Spoke1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Spoke1-ospf-1-area-0.0.0.0] quit
[Spoke1-ospf-1] quit
# Configure Spoke2.
Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hub and Spokes.
Enable the NHRP redirect function on Hub. Configure NHRP mapping entries of Hub
and enable the NHRP shortcut function on Spoke1 and Spoke2.
# On Hub, configure a tunnel interface, configure OSPF, and enable the NHRP redirect
function.
# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and enable the NHRP shortcut function.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
# Run the display ospf 1 routing command on Hub. The command output is as follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke1. The command output is as follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as follows:
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
Configuration Files
A large-scale enterprise has a central office (Hub1 and Hub2) and multiple branches that are
located in different areas (this example shows only two Spokes, Spoke1 and Spoke2). The
networks of the central office and branches change frequently. The Spokes use dynamic
addresses to connect to the public network. Open Shortest Path First (OSPF) is used on the
enterprise network.
The enterprise wants to establish a VPN between the Spokes. Hub1 functions as the master
device and Hub2 functions as the backup device. Hub2 takes over the services and forwards
protocol packets if Hub1 fails. When Hub1 recovers, services are switched back to Hub1.
Configuration Roadmap
The configuration roadmap is as follows:
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
4. Dual-Hub DSVPN is implemented to provide redundant backup by using Hub2.
Procedure
<Huawei> system-view
[Huawei] sysname Hub1
[Hub1] interface gigabitethernet 1/0/0
[Hub1-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub1-GigabitEthernet1/0/0] quit
[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub1-Tunnel0/0/0] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub1-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1, Spoke2 and Hub2 as shown in Figure 1.
The specific configuration is not provided here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub1] ospf 2
[Hub1-ospf-2] area 0.0.0.1
[Hub1-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.1] quit
[Hub1-ospf-2] quit
[Hub2] ospf 2
[Hub2-ospf-2] area 0.0.0.1
[Hub2-ospf-2-area-0.0.0.1] network 202.1.254.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.1] quit
[Hub2-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub1.
# Configure Spoke1.
# Configure Spoke2.
[Spoke2] ospf 1 router-id 172.16.1.3
[Spoke2-ospf-1] area 0.0.0.0
[Spoke2-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[Spoke2-ospf-1-area-0.0.0.0] quit
[Spoke2-ospf-1] quit
Configure the OSPF network type to Point-to-Multipoint (P2MP) on Hubs and Spokes.
Enable the NHRP redirect function on Hub1 and Hub2. Configure NHRP mapping
entries of Hubs and enable the NHRP shortcut function on Spoke1 and Spoke2.
# Configure a tunnel interface and OSPF on Hub1 and enable the NHRP redirect
function.
# Configure a tunnel interface and OSPF on Hub2 and enable the NHRP redirect
function.
# Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on
Spoke1, and enable the NHRP shortcut function.
# Configure a tunnel interface, OSPF, and a static NHRP mapping entry of Hubs on
Spoke2, and enable the NHRP shortcut function.
[Spoke2] interface tunnel 0/0/0
[Spoke2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Spoke2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.1 202.1.1.10 register
[Spoke2-Tunnel0/0/0] nhrp entry 172.16.1.254 202.1.254.10 register
[Spoke2-Tunnel0/0/0] ospf network-type p2mp
[Spoke2-Tunnel0/0/0] nhrp shortcut
[Spoke2-Tunnel0/0/0] nhrp registration interval 300
[Spoke2-Tunnel0/0/0] quit
NOTE:
o Configure different OSPF cost values on Hub1 and Hub2 to ensure that the
Spokes prefer Hub1 as the next hop device.
o When Hub1 recovers, it resumes forwarding OSPF protocol packets once it receives
NHRP Registration Request packets from the Spokes. The Spokes learn routes to
Hub1 only after the routes they have already learned age out. Set the interval for
sending NHRP Registration Request packets to a proper value so that the Spokes
can quickly detect the recovery of Hub1. The default interval is 1800 seconds.
5. Verify the configuration.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entries of Hub1 and Hub2.
# Run the display nhrp peer all command on Hub1. The command output is as follows:
# Run the display nhrp peer all command on Hub2. The command output is as follows:
# Run the display ospf 1 routing command on Hub1. The command output is as follows:
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display ospf 1 routing command on Hub2. The command output is as follows:
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
8. Shut down the physical interface GE1/0/0 of Hub1 and check the OSPF routing information.
When Hub1 fails, check the routing entries on the Spokes: the next hop switches to Hub2.
# Run the display ospf 1 routing command on Spoke1. The command output is as
follows:
[Spoke1] display ospf 1 routing
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
# Run the display ospf 1 routing command on Spoke2. The command output is as
follows:
Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
NOTICE:
Before you run the ping command, ensure that no default route to Hub1 exists on the
local device.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
Run the undo nhrp peer command to clear the NHRP mapping entries existing on the
Spokes before running the ping command.
Configuration Files
A large-scale enterprise has a central office (Hub) and multiple branches which are located in
different areas (this example shows only two Spokes Spoke1 and Spoke2). The networks of the
central office and branches frequently change. The Spokes use dynamic addresses to connect to
the public network. Open Shortest Path First (OSPF) is used on the enterprise network.
The enterprise wants to establish a VPN between the Spokes and encrypt data transmitted
between the Hub and Spokes, and between Spokes to increase data security.
Figure 1 Networking diagram for IPSec-based DSVPN configuration
Configuration Roadmap
1. Because a Spoke uses a dynamic address to connect to the public network, it does not
know the public IP address of the other Spoke. DSVPN is implemented to establish a
VPN between the Spokes.
2. Shortcut Scenario of DSVPN is implemented because the enterprise has a large number
of branches.
3. The networks of the central office and branches frequently change. OSPF is deployed to
realize communication between the Hub and Spokes and to simplify maintenance.
4. IPSec-based DSVPN is implemented to encrypt data transmitted between the central
office and branches, and between branches.
Procedure
<Huawei> system-view
[Huawei] sysname Hub
[Hub] interface gigabitethernet 1/0/0
[Hub-GigabitEthernet1/0/0] ip address 202.1.1.10 255.255.255.0
[Hub-GigabitEthernet1/0/0] quit
[Hub] interface tunnel 0/0/0
[Hub-Tunnel0/0/0] ip address 172.16.1.1 255.255.255.0
[Hub-Tunnel0/0/0] quit
[Hub] interface loopback 0
[Hub-LoopBack0] ip address 192.168.0.1 255.255.255.0
[Hub-LoopBack0] quit
Configure IP addresses for the interfaces of Spoke1 and Spoke2 as shown in Figure 1. The
specific configuration is not described here.
# Configure OSPF on each Router to provide reachable routes to the public network.
[Hub] ospf 2
[Hub-ospf-2] area 0.0.0.1
[Hub-ospf-2-area-0.0.0.1] network 202.1.1.0 0.0.0.255
[Hub-ospf-2-area-0.0.0.1] quit
[Hub-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 202.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 202.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub.
# Configure Spoke2.
On Hub, Spoke1, and Spoke2, configure IKE proposals and set the same authentication
mode.
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
Configure IKE peers used during IKE negotiation on Hub, Spoke1, and Spoke2.
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
Running the display ipsec proposal command on Hub, Spoke1 and Spoke2, you can
view configurations. Take the display on Hub as an example.
Number of proposals: 1
# Configure Hub.
# Configure Spoke1.
# Configure Spoke2.
Configure the OSPF network type to broadcast on Hub and Spokes. Configure a static
NHRP mapping entry of Hub on Spoke1 and Spoke2 respectively. Apply the IPSec
profiles to the mGRE interfaces of Hub, Spoke1, and Spoke2.
# On Hub, configure a tunnel interface, configure OSPF, and apply the IPSec profile.
# On Spoke1, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and apply the IPSec profile.
# On Spoke2, configure a tunnel interface, OSPF, and a static NHRP mapping entry of
Hub, and apply the IPSec profile.
Running the display ipsec profile command on Hub, Spoke1 and Spoke2, you can view
configurations. Take the display on Hub as an example.
After the preceding configurations are complete, check the NHRP mapping entries of
Spoke1 and Spoke2.
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
NOTE:
If you run the display nhrp peer all command on Spoke1 and Spoke2, you can view
only the NHRP mapping entry of Hub.
Run the display nhrp peer all command on Hub. The command output is as follows:
[Hub] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr    NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.2       32    202.1.2.10   172.16.1.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:02:59
Expire time     : 01:57:01
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr    NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.1.3       32    202.1.3.10   172.16.1.3    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/0
Created time    : 00:00:52
Expire time     : 01:59:15
# Run the display ipsec sa command on Hub. The command output is as follows:
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-Template
-----------------------------
Connection ID : 4
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.3.10
Flow source : 202.1.1.10/255.255.255.255 47/0
Flow destination : 202.1.3.10/255.255.255.255 47/0
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2924
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 87
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2924
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 80
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-Template
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.1.10
Tunnel remote : 202.1.2.10
Flow source : 202.1.1.10/255.255.255.255 47/0
Flow destination : 202.1.2.10/255.255.255.255 47/0
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2791
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 104
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2791
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 93
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
# Run the display ipsec sa command on Spoke1. The command output is as follows:
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable
[Outbound ESP SAs]
SPI: 2485560141 (0x9426a34d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887426800/2652
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 107
UDP encapsulation used for NAT traversal: N
[Outbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 107
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 119
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
# Run the display ipsec sa command on Spoke2. The command output is as follows:
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2763
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 97
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2763
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 105
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
# Run the display ospf 1 routing command on Hub. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke1. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
Run the display ospf 1 routing command on Spoke2. The command output is as follows:
Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0
Ping 192.168.2.1 on Spoke1. You can see that Spoke1 and Spoke2 have learned dynamic
NHRP mapping entries from each other.
# Run the ping -a 192.168.1.1 192.168.2.1 command on Spoke1. The command output is
as follows:
# Run the display nhrp peer all command on Spoke1. The command output is as
follows:
# Run the display nhrp peer all command on Spoke2. The command output is as
follows:
# Run the display ipsec sa command on Spoke1. The command output is as follows:
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2020
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 175
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2020
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 5
Encapsulation mode: Tunnel
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.3.10
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
# Run the display ipsec sa command on Spoke2. The command output is as follows:
===============================
Interface: Tunnel0/0/0
Path MTU: 1500
===============================
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 2
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.1.10
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 4023741109 (0xefd56ab5)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2002
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 181
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 3188118142 (0xbe06d27e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2002
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 192
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
-----------------------------
IPSec profile name: "profile1"
Mode : PROF-ISAKMP
-----------------------------
Connection ID : 6
Encapsulation mode: Tunnel
Tunnel local : 202.1.3.10
Tunnel remote : 202.1.2.10
Qos pre-classify : Disable
[Outbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3359
Outpacket count : 0
Outpacket encap count : 0
Outpacket drop count : 0
Max sent sequence-number: 4
UDP encapsulation used for NAT traversal: N
[Inbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3359
Inpacket count : 0
Inpacket decap count : 0
Inpacket drop count : 0
Max received sequence-number: 4
Anti-replay window size: 32
UDP encapsulation used for NAT traversal: N
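The display ipsec sa outputs above are what you inspect to confirm that the mGRE tunnels are actually protected. The following Python is an added example (not Huawei's code and not part of the configuration guide): it parses output of that format into per-tunnel SA records and reports, for each tunnel, whether an ESP SA with an encryption transform is present, whether the inbound SAs have an anti-replay window, and the shortest remaining SA lifetime. AH SAs authenticate packets but do not encrypt them, so a tunnel that shows only AH SAs is integrity-protected but not confidential. The sample output is constructed after the Spoke1 display, shortened to the fields that matter; the "ENCRYPT" substring test follows the proposal naming in this page's output and is an assumption for other releases.

```python
"""Parse Huawei display ipsec sa output and audit each tunnel's SAs.
Added example, not Huawei's code; SAMPLE is constructed after the Spoke1
display on this page and shortened to the fields that matter."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
Connection ID : 2
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.1.10
[Outbound ESP SAs]
SPI: 2485560141 (0x9426a34d)
Proposal: ESP-ENCRYPT-AES-192 SHA2-512-256
SA remaining key duration (bytes/sec): 1887426800/2652
[Outbound AH SAs]
SPI: 3662509166 (0xda4d746e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
[Inbound AH SAs]
SPI: 833505824 (0x31ae4a20)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/2652
Anti-replay window size: 32
Connection ID : 5
Tunnel local : 202.1.2.10
Tunnel remote : 202.1.3.10
[Outbound AH SAs]
SPI: 3363305474 (0xc877f802)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
[Inbound AH SAs]
SPI: 3753703982 (0xdfbcfa2e)
Proposal: SHA2-512-256
SA remaining key duration (bytes/sec): 1887436800/3511
Anti-replay window size: 32
"""

@dataclass
class SA:
    direction: str          # Outbound / Inbound
    protocol: str           # ESP / AH
    spi: int = 0
    proposal: str = ""
    bytes_left: int = 0
    secs_left: int = 0
    replay_window: int = 0  # 0 means no anti-replay window was reported

@dataclass
class Tunnel:
    conn_id: int
    local: str = ""
    remote: str = ""
    sas: list = field(default_factory=list)

SA_HEADER = re.compile(r"^\[(Outbound|Inbound) (ESP|AH) SAs\]$")
KEY_VALUE = re.compile(r"^([^:]+?)\s*:\s*(.*)$")

def parse_ipsec_sa(text):
    """Return the tunnels (one per Connection ID) with their SAs."""
    tunnels, cur, sa = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.match(line)
        if m:
            sa = SA(direction=m.group(1), protocol=m.group(2))
            cur.sas.append(sa)
            continue
        m = KEY_VALUE.match(line)
        if not m:
            continue                       # rule lines and banners
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Connection ID":
            cur, sa = Tunnel(conn_id=int(val)), None
            tunnels.append(cur)
        elif key in ("Tunnel local", "Tunnel remote") and cur:
            setattr(cur, key.split()[1], val)
        elif key == "SPI" and sa:
            sa.spi = int(val.split()[0])   # decimal SPI; hex form follows it
        elif key == "Proposal" and sa:
            sa.proposal = val
        elif key.startswith("SA remaining key duration") and sa:
            b, s = val.split("/")
            sa.bytes_left, sa.secs_left = int(b), int(s)
        elif key == "Anti-replay window size" and sa:
            sa.replay_window = int(val)
    return tunnels

def audit(tunnels):
    """Map (local, remote) -> (encrypts, replay_protected, min_secs_left).
    Only ESP with an encryption transform gives confidentiality; AH only
    authenticates.  'ENCRYPT' follows this page's proposal naming (assumed)."""
    report = {}
    for t in tunnels:
        encrypts = any(s.protocol == "ESP" and "ENCRYPT" in s.proposal
                       for s in t.sas)
        replay = any(s.replay_window > 0
                     for s in t.sas if s.direction == "Inbound")
        min_secs = min((s.secs_left for s in t.sas), default=0)
        report[(t.local, t.remote)] = (encrypts, replay, min_secs)
    return report
```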
Configuration Files
In a large enterprise, two hubs (Hub1 and Hub2) in the headquarters communicate with
multiple branches (Spoke1 and Spoke2 in this example) over the Internet. Spokes in branches
use dynamic addresses to connect to the Internet.
The enterprise wants to protect traffic exchanged between the headquarters and branch and has
the following requirements: Normally, the branch should communicate with the headquarters
through Hub1. Traffic should be switched to Hub2 when Hub1 becomes faulty but back to Hub1
when Hub1 recovers.
Figure 1 Configuring a dual-hub DSVPN protected by IPSec
Configuration Roadmap
1. Branches use dynamic addresses to connect to the Internet; therefore, they do not know
the public addresses of each other. Configure DSVPN to implement direct
communication between branches.
2. Use the shortcut DSVPN because there are a large number of branches.
3. Subnets of the headquarters and branches frequently change. To simplify maintenance,
configure OSPF based on the enterprise network plan to enable communication between
the headquarters and branches.
4. To protect data transmitted between the headquarters and branch as well as between
branches, configure IPSec for DSVPN.
Procedure
Configure IP addresses for the interfaces of the Routers. The configurations of Spoke1,
Spoke2, and Hub2 are similar to those of Hub1 and are not described here.
<Huawei> system-view
[Huawei] sysname Hub1
[Hub1] interface gigabitethernet 1/0/0
[Hub1-GigabitEthernet1/0/0] ip address 1.1.1.10 255.255.255.0
[Hub1-GigabitEthernet1/0/0] quit
[Hub1] interface tunnel 0/0/0
[Hub1-Tunnel0/0/0] ip address 10.2.1.1 255.255.255.0
[Hub1-Tunnel0/0/0] quit
[Hub1] interface loopback 0
[Hub1-LoopBack0] ip address 10.1.0.1 255.255.255.0
[Hub1-LoopBack0] quit
Configure OSPF on each Router to enable reachable routes over the Internet.
[Hub1] ospf 2
[Hub1-ospf-2] area 0.0.0.1
[Hub1-ospf-2-area-0.0.0.1] network 1.1.1.0 0.0.0.255
[Hub1-ospf-2-area-0.0.0.1] quit
[Hub1-ospf-2] quit
[Hub2] ospf 2
[Hub2-ospf-2] area 0.0.0.1
[Hub2-ospf-2-area-0.0.0.1] network 1.1.254.0 0.0.0.255
[Hub2-ospf-2-area-0.0.0.1] quit
[Hub2-ospf-2] quit
[Spoke1] ospf 2
[Spoke1-ospf-2] area 0.0.0.1
[Spoke1-ospf-2-area-0.0.0.1] network 1.1.2.0 0.0.0.255
[Spoke1-ospf-2-area-0.0.0.1] quit
[Spoke1-ospf-2] quit
[Spoke2] ospf 2
[Spoke2-ospf-2] area 0.0.0.1
[Spoke2-ospf-2-area-0.0.0.1] network 1.1.3.0 0.0.0.255
[Spoke2-ospf-2-area-0.0.0.1] quit
[Spoke2-ospf-2] quit
# Configure Hub1.
# Configure Hub2.
# Configure Spoke1.
# Configure Spoke2.
Set the OSPF network type to p2mp on the hubs and spokes. Enable NHRP redirect on
Hub1 and Hub2. Configure static NHRP peer entries of Hub1 and Hub2 and enable
NHRP shortcut on Spoke1 and Spoke2.
# Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub1.
# Configure a tunnel interface and OSPF attributes and enable NHRP redirect on Hub2.
[Hub2] interface tunnel 0/0/0
[Hub2-Tunnel0/0/0] tunnel-protocol gre p2mp
[Hub2-Tunnel0/0/0] source gigabitethernet 1/0/0
[Hub2-Tunnel0/0/0] nhrp entry multicast dynamic
[Hub2-Tunnel0/0/0] ospf network-type p2mp
[Hub2-Tunnel0/0/0] nhrp authentication cipher huawei@1
[Hub2-Tunnel0/0/0] nhrp redirect
[Hub2-Tunnel0/0/0] gre key cipher 2999
[Hub2-Tunnel0/0/0] quit
# Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and
Hub2, and enable NHRP shortcut on Spoke1.
# Configure tunnel interfaces, OSPF attributes, and static NHRP peer entries of Hub1 and
Hub2, and enable NHRP shortcut on Spoke2.
Configure an IKE proposal on the hubs and spokes. Ensure that the authentication mode
is the same on all the devices.
# Configure Hub1.
# Configure Spoke1.
# Configure Spoke2.
Configure an IKE peer for IKE negotiation on the hubs and spokes.
# Configure Hub1.
# Configure Hub2.
# Configure Spoke1.
# Configure Spoke2.
# Configure Hub1.
# Configure Hub2.
# Configure Spoke1.
# Configure Spoke2.
# Configure Hub1.
# Configure Hub2.
# Configure Spoke1.
# Configure Spoke2.
# Configure Hub1.
# Configure Hub2.
# Configure Spoke1.
[Spoke1] interface tunnel 0/0/0
[Spoke1-Tunnel0/0/0] ipsec profile profile1
[Spoke1-Tunnel0/0/0] quit
# Configure Spoke2.
The headquarters and branch as well as branches can communicate with each other, and
data flows between them are protected by IPSec.
Run the display ike sa command to check whether IKE SAs are established. The
command output on Hub1 and Spoke1 is used as an example.
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
You can find that Spoke1 establishes IPSec tunnels with Hub1 and Hub2
successfully.
# Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command
output is as follows.
Flag Description:
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT
HRT--HEARTBEAT LKG--LAST KNOWN GOOD SEQ NO. BCK--BACKED UP
When branches communicate with each other, Spoke1 and Spoke2 establish an
IPSec tunnel.
b. When Hub1 fails, the headquarters and branch as well as branches can still
communicate with each other.
# Run the ping -a 10.1.1.1 10.1.2.1 command on Spoke1, and the command
output is as follows.
Configuration Files
As shown in Figure 1, an enterprise headquarters (Hub_1 as the primary device and Hub_2 as the
secondary device) and a branch (Spoke) are located in different areas. The branch connects to the
headquarters through an LTE network, that is, LTE network 1 shown in the figure. The
enterprise requires that the branch communicate with the headquarters through a VPN and that data
transmitted between them be encrypted.
To ensure that enterprise users can still reach the headquarters even when the primary
SIM card 1 or LTE network 1 is faulty, the enterprise leases another LTE network, that is, LTE
network 2 shown in the figure, to set up a backup link (through the secondary SIM card 2) for
temporary service transmission.
Configuration Roadmap
The branch address is not fixed because it connects to the headquarters through an LTE network;
therefore, the branch and headquarters must be connected through a VPN.
To ensure reliable data transmission, two SIM cards in redundancy mode need to be configured
in the branch and they connect to different LTE networks. A tunnel can be established between
the headquarters and branch based on the association between the LTE dialup status and DSVPN
to ensure uninterrupted data transmission.
1. Configure a cellular interface and APN profile, so that the branch can connect to the LTE
network.
2. Use the non-shortcut DSVPN scenario because the enterprise has only a few branches. Use
the RIP protocol to advertise private network routes between the headquarters and branch,
and associate NHRP peer information with the APN profile. When the APN profile is in
use, the associated NHRP peer information takes effect, so a tunnel can be
established between the headquarters and branch.
3. Configure the NQA function to implement switching between the primary and secondary
SIM cards.
4. Install a primary and a secondary SIM card on the cellular interface to ensure reliable
data transmission.
5. Bind IPSec policies to the cellular interface on the branch device and the public network
interfaces on the headquarters devices, so that data transmitted between them can be
encrypted.
Procedure
Configure an IP address for each interface on Hub_1 and Hub_2 according to Figure 1.
<Huawei> system-view
[Huawei] sysname Hub_1
[Hub_1] interface gigabitethernet 1/0/0
[Hub_1-GigabitEthernet1/0/0] ip address 202.10.1.2 255.255.255.252
[Hub_1-GigabitEthernet1/0/0] quit
[Hub_1] interface gigabitethernet 2/0/0
[Hub_1-GigabitEthernet2/0/0] ip address 202.10.1.6 255.255.255.252
[Hub_1-GigabitEthernet2/0/0] quit
[Hub_1] interface gigabitethernet 3/0/0
[Hub_1-GigabitEthernet3/0/0] ip address 192.168.1.1 255.255.255.0
[Hub_1-GigabitEthernet3/0/0] quit
[Hub_1] interface tunnel 0/0/1
[Hub_1-Tunnel0/0/1] ip address 172.16.1.1 255.255.255.0
[Hub_1-Tunnel0/0/1] quit
[Hub_1] interface tunnel 0/0/3
[Hub_1-Tunnel0/0/3] ip address 172.16.3.1 255.255.255.0
[Hub_1-Tunnel0/0/3] quit
The configurations of Hub_2 and the Spoke are similar to the configuration of Hub_1,
and are not mentioned here.
[Spoke] dialer-rule
[Spoke-dialer-rule] dialer-rule 1 ip permit
[Spoke-dialer-rule] quit
[Spoke] interface cellular 0/0/0
[Spoke-Cellular0/0/0] ip address negotiate
[Spoke-Cellular0/0/0] dialer enable-circular
[Spoke-Cellular0/0/0] dialer-group 1
[Spoke-Cellular0/0/0] dialer timer autodial 15
[Spoke-Cellular0/0/0] dialer timer probe-interval 15
[Spoke-Cellular0/0/0] dialer number *99# autodial
[Spoke-Cellular0/0/0] mode lte auto
[Spoke-Cellular0/0/0] quit
[Spoke] apn profile ltenet
[Spoke-apn-profile-ltenet] sim-id 1
[Spoke-apn-profile-ltenet] apn LTENET1
[Spoke-apn-profile-ltenet] quit
[Spoke] apn profile ltewap
[Spoke-apn-profile-ltewap] sim-id 2
[Spoke-apn-profile-ltewap] apn LTENET2
[Spoke-apn-profile-ltewap] quit
Configure static routes on each device to ensure that the public network routes between
the devices are reachable.
# Configure Hub_1.
# Configure Hub_2.
Configure tunnel interfaces on the Hubs and Spoke and associate NHRP peer information
with the APN profile. Configure the RIP protocol to advertise private network routes and
configure the Spoke to add different metric values to the routes when different tunnel
interfaces send or receive RIP packets to implement communication between the
headquarters and branch.
# Configure Hub_1.
# Configure Hub_2.
# Associate NHRP peer information with the APN profile on the Spoke and configure the
Spoke to add different metric values to the routes when different tunnel interfaces send or
receive RIP packets.
[Spoke] rip 1
[Spoke-rip-1] version 2
[Spoke-rip-1] network 172.16.0.0
[Spoke-rip-1] network 192.168.3.0
[Spoke-rip-1] quit
[Spoke] interface tunnel 0/0/1
[Spoke-Tunnel0/0/1] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/1] source cellular 0/0/0
[Spoke-Tunnel0/0/1] gre key 111
[Spoke-Tunnel0/0/1] nhrp authentication cipher Huawei@1
[Spoke-Tunnel0/0/1] nhrp registration interval 20
[Spoke-Tunnel0/0/1] nhrp entry 172.16.1.1 202.10.1.2 register track apn
ltenet
[Spoke-Tunnel0/0/1] rip metricin 1
[Spoke-Tunnel0/0/1] quit
[Spoke] interface tunnel 0/0/2
[Spoke-Tunnel0/0/2] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/2] source cellular 0/0/0
[Spoke-Tunnel0/0/2] gre key 222
[Spoke-Tunnel0/0/2] nhrp authentication cipher Huawei@2
[Spoke-Tunnel0/0/2] nhrp registration interval 20
[Spoke-Tunnel0/0/2] nhrp entry 172.16.2.1 202.10.1.10 register track
apn ltenet
[Spoke-Tunnel0/0/2] rip metricin 7
[Spoke-Tunnel0/0/2] rip metricout 7
[Spoke-Tunnel0/0/2] quit
[Spoke] interface tunnel 0/0/3
[Spoke-Tunnel0/0/3] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/3] source cellular 0/0/0
[Spoke-Tunnel0/0/3] gre key 333
[Spoke-Tunnel0/0/3] nhrp authentication cipher Huawei@3
[Spoke-Tunnel0/0/3] nhrp registration interval 20
[Spoke-Tunnel0/0/3] nhrp entry 172.16.3.1 202.10.1.6 register track apn
ltewap
[Spoke-Tunnel0/0/3] rip metricin 4
[Spoke-Tunnel0/0/3] rip metricout 4
[Spoke-Tunnel0/0/3] quit
[Spoke] interface tunnel 0/0/4
[Spoke-Tunnel0/0/4] tunnel-protocol gre p2mp
[Spoke-Tunnel0/0/4] source cellular 0/0/0
[Spoke-Tunnel0/0/4] gre key 444
[Spoke-Tunnel0/0/4] nhrp authentication cipher Huawei@4
[Spoke-Tunnel0/0/4] nhrp registration interval 20
[Spoke-Tunnel0/0/4] nhrp entry 172.16.4.1 202.10.1.14 register track
apn ltewap
[Spoke-Tunnel0/0/4] rip metricin 10
[Spoke-Tunnel0/0/4] rip metricout 10
[Spoke-Tunnel0/0/4] quit
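To see how the rip metricin/metricout values and the APN tracking above combine into a path preference, here is an added example (not from the configuration guide and not Huawei's code). It parses the Spoke's tunnel commands from the page and returns the tunnel RIP would prefer for headquarters routes, given which APN profile (SIM card) is active after the NQA-driven switch and which hubs are reachable. Two assumptions: 202.10.1.10 and 202.10.1.14 are taken to belong to Hub_2, whose configuration the page omits, and RIP defaults of 1 are assumed for metricin/metricout where they are not configured.

```python
"""Model the Spoke's tunnel preference from its CLI configuration.
Added example, not Huawei's code.  SPOKE_CONFIG is constructed from the
Spoke tunnel commands on this page (wrapped lines joined)."""
import re
from dataclasses import dataclass

SPOKE_CONFIG = """\
[Spoke-Tunnel0/0/1] nhrp entry 172.16.1.1 202.10.1.2 register track apn ltenet
[Spoke-Tunnel0/0/1] rip metricin 1
[Spoke-Tunnel0/0/2] nhrp entry 172.16.2.1 202.10.1.10 register track apn ltenet
[Spoke-Tunnel0/0/2] rip metricin 7
[Spoke-Tunnel0/0/2] rip metricout 7
[Spoke-Tunnel0/0/3] nhrp entry 172.16.3.1 202.10.1.6 register track apn ltewap
[Spoke-Tunnel0/0/3] rip metricin 4
[Spoke-Tunnel0/0/3] rip metricout 4
[Spoke-Tunnel0/0/4] nhrp entry 172.16.4.1 202.10.1.14 register track apn ltewap
[Spoke-Tunnel0/0/4] rip metricin 10
[Spoke-Tunnel0/0/4] rip metricout 10
"""

# Assumption: which headquarters router owns each public address.  202.10.1.2
# and .6 are Hub_1's GE1/0/0 and GE2/0/0 on this page; .10 and .14 are taken
# to be the corresponding interfaces of Hub_2, whose config the page omits.
HUB_OF = {"202.10.1.2": "Hub_1", "202.10.1.6": "Hub_1",
          "202.10.1.10": "Hub_2", "202.10.1.14": "Hub_2"}

PROMPT = re.compile(r"^\[Spoke-(Tunnel\S+)\]\s+(.*)$")
NHRP = re.compile(r"^nhrp entry (\S+) (\S+) register track apn (\S+)$")

@dataclass
class Tunnel:
    name: str
    hub_tunnel_addr: str = ""
    hub_nbma_addr: str = ""
    apn_profile: str = ""   # APN profile whose activity the NHRP entry tracks
    metricin: int = 1       # assumed RIP defaults when not configured
    metricout: int = 1

def parse_spoke_tunnels(config):
    """Return one Tunnel per tunnel interface seen in the CLI lines."""
    tunnels = {}
    for line in config.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        name, cmd = m.groups()
        t = tunnels.setdefault(name, Tunnel(name))
        n = NHRP.match(cmd)
        if n:
            t.hub_tunnel_addr, t.hub_nbma_addr, t.apn_profile = n.groups()
        elif cmd.startswith("rip metricin "):
            t.metricin = int(cmd.split()[-1])
        elif cmd.startswith("rip metricout "):
            t.metricout = int(cmd.split()[-1])
    return list(tunnels.values())

def preferred_tunnel(tunnels, active_apn, hubs_up, hub_metric=1):
    """Return the tunnel RIP would pick for headquarters routes, or None.

    A tunnel is usable only when its NHRP entry is tracked by the active APN
    profile (the SIM card in use) and the hub behind it is reachable.  The
    installed metric is the hub's advertised metric plus rip metricin on the
    receiving tunnel; the lowest wins, ties broken by interface name.
    """
    candidates = [
        (hub_metric + t.metricin, t.name)
        for t in tunnels
        if t.apn_profile == active_apn and HUB_OF.get(t.hub_nbma_addr) in hubs_up
    ]
    return min(candidates)[1] if candidates else None
```

With SIM card 1 active and both hubs up the Spoke prefers Tunnel0/0/1 to Hub_1; losing Hub_1 moves it to Tunnel0/0/2, and a switch to SIM card 2 moves it to Tunnel0/0/3 or Tunnel0/0/4.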
7. Configure the IPSec function to protect data transmitted between the headquarters and
branch.
# Configure Hub_1.
# Configure Hub_2.
After the configuration is complete, run the display nhrp peer all command on Hub_1
and Hub_2 to check the registration information of the Spoke. The display on Hub_1 is
used as an example:
The branch can ping the headquarters successfully and data transmitted between them is
encrypted.
Run the display ipsec sa command on the Spoke. You can see that the Spoke has set up
an IPSec tunnel with Hub_1.
# Shut down GE1/0/0 on Hub_1 and GE2/0/0 on Hub_2 to simulate a fault on LTE
network 1.
Run the display nhrp peer all command on Hub_1 and Hub_2. You can see that the
Spoke registers to the headquarters through LTE network 2. The display on Hub_1 is
used as an example:
[Hub_1] display nhrp peer all
-------------------------------------------------------------------------------
Protocol-addr    Mask  NBMA-addr     NextHop-addr  Type     Flag
-------------------------------------------------------------------------------
172.16.3.2       32    202.11.11.11  172.16.3.2    dynamic  route tunnel
-------------------------------------------------------------------------------
Tunnel interface: Tunnel0/0/3
Created time    : 00:02:59
Expire time     : 01:57:01
The branch can ping the headquarters successfully and data transmitted between them is
encrypted.
Configuration Files
After the display nhrp peer command is executed on the Hub, no NHRP mapping entry that
records the mapping between the tunnel address of the Spoke and the public network address is
displayed.
Procedure
1. Check that the Spoke has reachable routes to the remote Spoke and the Hub.
Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether routes to the Spoke exist in the local IP routing table.
o If there is no reachable route between the Spoke and its remote Spoke, or between
the Spoke and Hub, check the configurations of routes on the Spoke and Hub. For
the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If there are reachable routes between the Spoke and its remote Spoke, and
between the Spoke and Hub, go to step 2.
2. Check that configurations of the Spoke and Hub are correct.
Run the display nhrp peer command on the Spoke and Hub to check NHRP mapping
entries.
If the Hub does not have dynamic NHRP mapping entries of the Spoke, run the display
this command on mGRE tunnel interfaces of the Spoke and Hub to check whether the
configurations on both ends are consistent. The following table lists the fields in the
command output that you need to check, together with the follow-up operation for each.
Item                  Check Standard and Operation
nhrp authentication   Check whether the NHRP authentication string configurations of the Spoke and Hub are the same. If they are different, run the nhrp authentication command to modify the configurations.
nhrp entry            Check whether the static NHRP mapping entries on the Spoke contain the interface information of the Hub. If not, run the nhrp entry command to modify the configurations.
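As an added example, not code from the Huawei guide, the following Python checker applies the two checks in the table above to the Spoke's and Hub's mGRE tunnel configuration and parses display nhrp peer all to list which NBMA address each Spoke registered through, which is how the switch from LTE network 1 to LTE network 2 is confirmed in the verification above. The sample configurations and output are constructed from the addresses used on this page, and the Hub's NBMA address is assumed to appear in a source line of its tunnel interface.

```python
import re

# Constructed samples modelled on the page's "display this" and "display nhrp
# peer all" output; not captured from a real device.
SPOKE_TUNNEL = """\
interface Tunnel0/0/4
 ip address 172.16.4.2 255.255.255.0
 nhrp authentication cipher Huawei@4
 nhrp entry 172.16.4.1 202.10.1.14 register track
"""
HUB_TUNNEL = """\
interface Tunnel0/0/4
 ip address 172.16.4.1 255.255.255.0
 source 202.10.1.14
 nhrp authentication cipher Huawei@4
"""
NHRP_PEERS = """\
Protocol-addr    Mask  NBMA-addr        NextHop-addr    Type          Flag
172.16.3.2       32    202.11.11.11     172.16.3.2      dynamic       route tunnel
"""

def _field(cfg, pattern):
    """Return the first regex group found in cfg, or None if absent."""
    m = re.search(pattern, cfg, re.MULTILINE)
    return m.group(1) if m else None

def check_spoke_hub(spoke_cfg, hub_cfg):
    """Apply the table's two checks; return a list of mismatches (empty = OK)."""
    problems = []
    spoke_auth = _field(spoke_cfg, r"^\s*nhrp authentication \S+ (\S+)")
    hub_auth = _field(hub_cfg, r"^\s*nhrp authentication \S+ (\S+)")
    if spoke_auth != hub_auth:
        problems.append("nhrp authentication differs: fix with 'nhrp authentication'")
    # The Spoke's static entry must name the Hub's tunnel and NBMA addresses.
    entry = re.search(r"^\s*nhrp entry (\S+) (\S+)", spoke_cfg, re.MULTILINE)
    hub_tunnel = _field(hub_cfg, r"^\s*ip address (\S+)")
    hub_nbma = _field(hub_cfg, r"^\s*source (\S+)")
    if entry is None or (entry.group(1), entry.group(2)) != (hub_tunnel, hub_nbma):
        problems.append("nhrp entry does not point at the Hub: fix with 'nhrp entry'")
    return problems

def registered_spokes(peer_output):
    """Map Spoke tunnel address -> NBMA address for dynamic NHRP entries."""
    spokes = {}
    for line in peer_output.splitlines():
        cols = line.split()
        if len(cols) >= 5 and cols[4] == "dynamic":
            spokes[cols[0]] = cols[2]
    return spokes
```

On a real device, display this shows the nhrp authentication string in encrypted form, so compare the strings as they were entered rather than the displayed ciphertext.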
Huawei Proprietary and Confidential Copyright © Huawei Technologies Co., Ltd.
After Non-Shortcut Scenario of DSVPN is configured, the Spokes cannot communicate with
each other.
Procedure
1. Check whether subnet routes are available between Spokes, and between Spokes and the
Hub, and whether the next hop addresses of subnet routes are the tunnel addresses of the
peer devices.
Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether subnet routes to Spokes exist in the local IP routing table.
o If no subnet route is available between Spokes, and between Spokes and the Hub,
configure subnet routes. For the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
but the next hop to the destination subnet is not the tunnel address of the remote
device, configure routing information to set the next hop to the destination subnet
to the tunnel address of remote device. For details, see Configuring Routes.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
and the next hop to the destination subnet is the tunnel address of remote device,
go to step 2.
2. Check whether NHRP mapping entries of a local Spoke have been generated on the Hub
and the remote Spoke.
Run the display nhrp peer command on the Hub and Spoke to check NHRP mapping
entries.
If no NHRP mapping entry of the Spoke is generated on the Hub, rectify the fault
according to Spoke Fails to Register with a Hub.
After Shortcut Scenario of DSVPN is configured, the Spokes cannot communicate with each
other.
Procedure
1. Check that subnet routes are available between Spokes, and between Spokes and the Hub.
Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist in the local IP routing table. Run the display ip routing-table command
on the Hub to check whether subnet routes to Spokes exist in the local IP routing table.
o If no subnet route is available between Spokes, and between Spokes and the Hub,
configure subnet routes. For the configurations of routes, see the Huawei
AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 Series
Enterprise Routers Configuration Guide - IP Routing.
o If subnet routes are available between Spokes, and between Spokes and the Hub,
go to step 2.
2. Check whether the next hop to the destination subnet is the tunnel address of the Hub.
Run the display ip routing-table command on the local Spoke to check whether routes to the
remote Spoke exist.
o If the next hop to the destination subnet is not the tunnel address of the Hub,
configure routing information to set the next hop to the destination subnet to the
tunnel address of the remote Spoke. For details, see Configuring Routes.
o If the next hop to the destination subnet is the tunnel address of the Hub, go to
step 3.
3. Check whether NHRP mapping entries of a local Spoke have been generated on the Hub
and the remote Spoke.
Run the display nhrp peer command on the Hub and Spoke to check NHRP mapping
entries.
If no NHRP mapping entry of the Spoke is generated on the Hub, rectify the fault
according to Spoke Fails to Register with a Hub.
In dual-Hub DSVPN scenario, the backup Hub only forwards data after the master Hub fails. No
tunnel can be established between the Spokes.
Procedure
1. Check whether the public addresses configured on the master and backup Hubs are on the
same network segment.
Run the display this command on the mGRE interfaces of the master and backup Hubs to
check whether the IP addresses of the Hubs are on the same network segment.
o If so, change the IP address of one Hub to an IP address on a different network
segment.
o If not, go to step 2.
2. Check whether routes to the master Hub are available on the Spokes.
Run the display ip routing-table command on the Spokes to check whether routes to the Hub
exist.
If the IP routing table contains routes to the master Hub, delete the routes. For details,
see Huawei AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600
Series Enterprise Routers Configuration Guide - IP Routing.
7.3.10.6.10 References
This section lists references of DSVPN.
Document    Description
RFC2332     Next Hop Resolution Protocol