Friday, February 28 2025

Huawei eNSP – news

We have been waiting, and finally we have a simulator of the Huawei USG5500 firewall. They also added the WDS function for WLAN and a new simulated WLAN device, the AC6605.

I am just downloading the newest version…

For those who are interested I am sending a link to it:

huawei-enterprise-network-simulation-platform

 


why does subinterface fail to forward packets

Let’s imagine that we have a simple topology like below:

arp-topology

Configure subinterfaces on both AR routers for VLAN tag termination:

[R1]interface GigabitEthernet 0/0/0.100
[R1-GigabitEthernet0/0/0.100]ip address 10.0.0.1 24
[R1-GigabitEthernet0/0/0.100]dot1q termination vid 100

[R2]int GigabitEthernet 0/0/0.100
[R2-GigabitEthernet0/0/0.100]ip address 10.0.0.2 24
[R2-GigabitEthernet0/0/0.100]dot1q termination vid 100

Try to ping the IP address of the neighboring router:

[R1]ping 10.0.0.2
  PING 10.0.0.2: 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out

  --- 10.0.0.2 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss

Let’s troubleshoot this problem by checking the ARP table:

[R1]display arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.0.0.1        5489-98d1-3ea6            I -         GE0/0/0.100
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1

Why can’t we see the neighboring router in the ARP table?

Because subinterfaces for VLAN tag termination discard the broadcast packets they receive.

How do we deal with it?

Just enable ARP broadcast on the subinterfaces and check again:

[R1-GigabitEthernet0/0/0.100]arp broadcast enable

[R1]ping 10.0.0.2
  PING 10.0.0.2: 56  data bytes, press CTRL_C to break
    Reply from 10.0.0.2: bytes=56 Sequence=1 ttl=255 time=110 ms
    Reply from 10.0.0.2: bytes=56 Sequence=2 ttl=255 time=40 ms
    Reply from 10.0.0.2: bytes=56 Sequence=3 ttl=255 time=10 ms
    Reply from 10.0.0.2: bytes=56 Sequence=4 ttl=255 time=20 ms
    Reply from 10.0.0.2: bytes=56 Sequence=5 ttl=255 time=50 ms

  --- 10.0.0.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 10/46/110 ms

[R1]dis arp all
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE 
VLAN/CEVLAN PVC                      
------------------------------------------------------------------------------
10.0.0.1        5489-98d1-3ea6            I -         GE0/0/0.100
10.0.0.2        5489-9898-4fc2  20        DF0         GE0/0/0.100
 100/-
------------------------------------------------------------------------------
Total:2         Dynamic:1       Static:0     Interface:1

Without ARP broadcast enabled on the subinterface for VLAN tag termination, a packet can still be forwarded if the access device can send ARP packets.

If the access device cannot send ARP packets and the arp broadcast enable command has not been run on the subinterface for VLAN tag termination, the system discards the packet.

When the arp broadcast enable command has been run on the subinterface for VLAN tag termination, the system tags an ARP broadcast packet and forwards it through that subinterface.
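To find every affected subinterface in a saved configuration instead of discovering them one failed ping at a time, the check below (an added example, not from the original post) lists dot1q termination subinterfaces that lack arp broadcast enable. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample in the style of a saved VRP configuration ('#' separates stanzas).
SAMPLE = """\
#
interface GigabitEthernet0/0/0.100
 dot1q termination vid 100
 ip address 10.0.0.1 255.255.255.0
 arp broadcast enable
#
interface GigabitEthernet0/0/0.200
 dot1q termination vid 200
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
 ip address 192.168.1.1 255.255.255.0
#
"""

VID_PREFIX = "dot1q termination vid "

def termination_subinterfaces(config):
    """Yield (name, vid, arp_broadcast_enabled) per dot1q termination subinterface."""
    for stanza in re.split(r"(?m)^#[ \t]*$", config):
        lines = [line.strip() for line in stanza.strip().splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue  # not an interface stanza
        vids = [l[len(VID_PREFIX):] for l in lines if l.startswith(VID_PREFIX)]
        if vids:
            name = lines[0].split()[1]
            yield name, vids[0], "arp broadcast enable" in lines

def missing_arp_broadcast(config):
    """Return (name, vid) for subinterfaces that will drop ARP broadcasts."""
    return [(name, vid)
            for name, vid, enabled in termination_subinterfaces(config)
            if not enabled]

if __name__ == "__main__":
    for name, vid in missing_arp_broadcast(SAMPLE):
        print(f"{name}: VLAN {vid} terminated without 'arp broadcast enable'")
```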


Huawei eNSP – news

And we have 2014 …

I hope you are doing well.

First of all, I’d like to thank you for your comments and suggestions. I don’t always have time to respond to all your emails or comments, but believe me that all are appreciated. I maintain this blog after work, but having 2 small absorbing children, it is not easy to reply to all your emails or even prepare a new post. I’ll do my best to publish new interesting and informative articles in the new year.

I believe that this year will be better for all of us.

So, let’s start 2014 with a new Huawei eNSP release:


Huawei simulator eNSP – news


hub&spoke in BGP/MPLS VPN

Some time ago we talked about a basic configuration of BGP/MPLS VPNs. Let’s go on with hub&spoke networking today. Such a solution can be adopted to control the mutual access of users when an access control device is set. In this case no direct route exists between spoke sites. A spoke site advertises routes to the hub site, and the hub site then advertises those routes to the other spoke sites. Thus, communication between spoke sites is controlled by the hub site.

Let’s look at our topology:

MPLS L3VPN hub and spoke topology

 

Configuration roadmap:

  1. Configure IP addresses (omitted here).
  2. Configure an IGP between the PE routers (omitted here).
  3. Configure MPLS and LDP on the PE routers (omitted here).
  4. Configure MP-BGP peer relationships between the spoke PEs and the hub PE (omitted here).
  5. Create a VPN instance on each spoke PE and set different vpn-targets for export and import.
  6. Create two VPN instances on the hub PE.
  7. Configure static routes between the spoke PEs and the spoke CEs.
  8. Configure EBGP between the hub PE and the hub CE (the hub PE must be configured to permit the existence of repeated local AS numbers).

Create VPN instance on spoke PEs:

spoke_PE1
#
ip vpn-instance labnario
 ipv4-family
  route-distinguisher 500:1
  vpn-target 200:1 export-extcommunity
  vpn-target 300:1 import-extcommunity
#
interface GigabitEthernet0/0/0
 ip binding vpn-instance labnario
 ip address 110.1.1.2 255.255.255.0

spoke_PE2
#
ip vpn-instance labnario
 ipv4-family
  route-distinguisher 500:2
  vpn-target 300:1 200:1 export-extcommunity
  vpn-target 200:1 300:1 import-extcommunity
#
interface GigabitEthernet0/0/0
 ip binding vpn-instance labnario
 ip address 120.1.1.2 255.255.255.0

Create VPN instances on hub PE:

#
ip vpn-instance labnario_in
 ipv4-family
  route-distinguisher 500:500
  vpn-target 200:1 import-extcommunity
#
ip vpn-instance labnario_out
 ipv4-family
  route-distinguisher 500:510
  vpn-target 300:1 export-extcommunity
#
interface GigabitEthernet0/0/2
 ip binding vpn-instance labnario_in
 ip address 150.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/3
 ip binding vpn-instance labnario_out
 ip address 150.2.2.1 255.255.255.0

The configuration of VPN targets on the PEs must comply with the following rules:

  • The export target of a spoke PE must be equal to the import target of the hub PE. The import target of a spoke PE must be equal to the export target of the hub PE. The import route target of a spoke PE is different from the export route targets of the other spoke PEs.
  • A hub PE requires two interfaces or sub-interfaces. One receives routes from the spoke PEs, and the import target of the VPN instance bound to that interface is the spoke target. The other advertises the routes to the spoke PEs, and the export target of the VPN instance bound to that interface is the hub target.
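The vpn-target rules above can be checked mechanically, which matters because the route targets are what keep spoke-to-spoke traffic passing through the hub. The Python check below is an added example, not part of the original post; `route_targets` and `audit` are hypothetical names, and the input is the vpn-target lines copied from the configurations above.

```python
import re

# vpn-target lines copied from the post's vpn-instance stanzas (other lines omitted).
SPOKES = {
    "spoke_PE1": "vpn-target 200:1 export-extcommunity\n"
                 "vpn-target 300:1 import-extcommunity",
    "spoke_PE2": "vpn-target 300:1 200:1 export-extcommunity\n"
                 "vpn-target 200:1 300:1 import-extcommunity",
}
HUB_IN = "vpn-target 200:1 import-extcommunity"    # labnario_in
HUB_OUT = "vpn-target 300:1 export-extcommunity"   # labnario_out

# Handles the ASN:number form used in the post; other RT formats are out of scope.
RT_LINE = re.compile(
    r"^[ \t]*vpn-target[ \t]+((?:\d+:\d+[ \t]+)+)(export|import)-extcommunity[ \t]*$",
    re.M,
)

def route_targets(stanza):
    """Collect the export and import route targets of one vpn-instance."""
    rts = {"export": set(), "import": set()}
    for values, direction in RT_LINE.findall(stanza):
        rts[direction].update(values.split())
    return rts

def audit(spokes, hub_in, hub_out):
    """Return (pe, problem, route_targets) tuples for every broken rule."""
    hub_import = route_targets(hub_in)["import"]
    hub_export = route_targets(hub_out)["export"]
    parsed = {pe: route_targets(cfg) for pe, cfg in spokes.items()}
    findings = []
    for pe, rts in parsed.items():
        if rts["export"] != hub_import:
            findings.append((pe, "export != hub import", sorted(rts["export"] ^ hub_import)))
        if rts["import"] != hub_export:
            findings.append((pe, "import != hub export", sorted(rts["import"] ^ hub_export)))
        for other, other_rts in parsed.items():
            shared = rts["import"] & other_rts["export"]
            if other != pe and shared:
                findings.append((pe, f"imports RT exported by {other}", sorted(shared)))
    return findings

if __name__ == "__main__":
    for finding in audit(SPOKES, HUB_IN, HUB_OUT):
        print(finding)
```

Run on the post's configuration, it flags spoke_PE2, whose vpn-target lines list both 200:1 and 300:1 in each direction. The lab still forwards through the hub because the spoke PEs peer only with the hub PE, but the overlap would let spokes import each other's routes if they ever exchanged VPNv4 routes directly.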

Configure static routes between spoke PEs and spoke CEs:

[spoke_PE1]ip route-static vpn-instance labnario 1.1.1.1 255.255.255.255 110.1.1.1
[spoke_PE2]ip route-static vpn-instance labnario 2.2.2.2 255.255.255.255 120.1.1.1

Configure EBGP between hub PE and hub CE:

hub_PE
#
bgp 100
 #
 ipv4-family vpn-instance labnario_in
  import-route direct
  peer 150.1.1.2 as-number 200
 #
 ipv4-family vpn-instance labnario_out
  import-route direct
  peer 150.2.2.2 as-number 200
  peer 150.2.2.2 allow-as-loop

hub_CE
#
bgp 200
 peer 150.1.1.1 as-number 100
 peer 150.2.2.1 as-number 100
 #
 ipv4-family unicast
  undo synchronization
  import-route direct
  peer 150.1.1.1 enable
  peer 150.2.2.1 enable

If EBGP runs between a hub PE and a hub CE, the hub PE performs AS-loop detection on the route. If the hub PE detects its own AS number in the route, it discards the route. In this case, to implement the hub&spoke networking, the hub PE must be configured to permit the existence of repeated local AS numbers. This situation does not arise when an IGP runs between the hub PE and the hub CE.

Let’s look at how it works.

Check communication between spoke PEs (use the ping and tracert commands):

[spoke_CE1]ping 2.2.2.2
  PING 2.2.2.2: 56  data bytes, press CTRL_C to break
    Reply from 2.2.2.2: bytes=56 Sequence=1 ttl=250 time=390 ms
    Reply from 2.2.2.2: bytes=56 Sequence=2 ttl=250 time=170 ms
    Reply from 2.2.2.2: bytes=56 Sequence=3 ttl=250 time=120 ms
    Reply from 2.2.2.2: bytes=56 Sequence=4 ttl=250 time=180 ms
    Reply from 2.2.2.2: bytes=56 Sequence=5 ttl=250 time=160 ms

  --- 2.2.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 120/204/390 ms

[spoke_CE1]tracert 2.2.2.2
 traceroute to  2.2.2.2(2.2.2.2), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 110.1.1.2 130 ms  40 ms  70 ms 
 2 150.2.2.1 90 ms  60 ms  80 ms 
 3 150.2.2.2 90 ms  80 ms  80 ms 
 4 150.1.1.1 90 ms  80 ms  80 ms 
 5 120.1.1.2 110 ms  120 ms  130 ms 
 6 120.1.1.1 170 ms  220 ms  140 ms 

[spoke_CE2]ping 1.1.1.1
  PING 1.1.1.1: 56  data bytes, press CTRL_C to break
    Reply from 1.1.1.1: bytes=56 Sequence=1 ttl=250 time=170 ms
    Reply from 1.1.1.1: bytes=56 Sequence=2 ttl=250 time=180 ms
    Reply from 1.1.1.1: bytes=56 Sequence=3 ttl=250 time=140 ms
    Reply from 1.1.1.1: bytes=56 Sequence=4 ttl=250 time=190 ms
    Reply from 1.1.1.1: bytes=56 Sequence=5 ttl=250 time=130 ms

  --- 1.1.1.1 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 130/162/190 ms

[spoke_CE2]tracert 1.1.1.1
 traceroute to  1.1.1.1(1.1.1.1), max hops: 30 ,packet length: 40,press CTRL_C to break 
 1 120.1.1.2 70 ms  40 ms  50 ms 
 2 150.2.2.1 80 ms  110 ms  70 ms 
 3 150.2.2.2 100 ms  110 ms  90 ms 
 4 150.1.1.1 80 ms  80 ms  110 ms 
 5 110.1.1.2 140 ms  150 ms  130 ms 
 6 110.1.1.1 170 ms  170 ms  170 ms

Display the routing table of each VPN instance on the hub PE:

[hub_PE]dis ip rout vpn-instance labnario_in
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: labnario_in
         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1
        2.2.2.2/32  IBGP    255  0          RD   4.4.4.4         GigabitEthernet0/0/0
        6.6.6.6/32  EBGP    255  0           D   150.1.1.2       GigabitEthernet0/0/2
      110.1.1.0/24  IBGP    255  0          RD   3.3.3.3         GigabitEthernet0/0/1
      120.1.1.0/24  IBGP    255  0          RD   4.4.4.4         GigabitEthernet0/0/0
      150.1.1.0/24  Direct  0    0           D   150.1.1.1       GigabitEthernet0/0/2
      150.1.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/2
      150.2.2.0/24  EBGP    255  0           D   150.1.1.2       GigabitEthernet0/0/2

[hub_PE]dis ip rout vpn-instance labnario_out
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: labnario_out
         Destinations : 8        Routes : 8        

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.1/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
        2.2.2.2/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
        6.6.6.6/32  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      110.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      120.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      150.1.1.0/24  EBGP    255  0           D   150.2.2.2       GigabitEthernet0/0/3
      150.2.2.0/24  Direct  0    0           D   150.2.2.1       GigabitEthernet0/0/3
      150.2.2.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/3

Comparing these outputs, we can see that the routing information advertised by a spoke CE is forwarded to the hub CE and hub PE before being transmitted to the other spoke PEs.
