Configuring DSVPN Hub and Spokes With OSPF on Huawei Routers

1. Overview

 

Dynamic Smart VPN (DSVPN) with a hub-and-spoke topology is one of the most scalable and efficient VPN types supported by Huawei. It provides high scalability with minimal configuration complexity when connecting a central HQ (Hub) to branch offices in different geographical locations (Spokes). It is a VPN solution well suited to enterprise communication, and it reduces communication costs when used with a dynamic routing protocol such as OSPF.

This article demonstrates how to configure DSVPN Hub and Spokes with the OSPF dynamic routing protocol between Huawei routers.

2. Prerequisites

 

In this tutorial, it is assumed that:

a. You already have Huawei routers up and running on eNSP. If you don't, please follow this link: Huawei Network Device Simulation With eNSP
b. You understand the OSPF dynamic routing protocol concept and its configuration on Huawei devices.

3. Lab Scenario Set up

 

Below is the network diagram of the eNSP lab that will be used to demonstrate configuring DSVPN Hub and Spokes with the OSPF dynamic routing protocol between Huawei routers.

[Network diagram: Configuring DSVPN Hub and Spokes With OSPF on Huawei Routers]

In the headquarters there is a Huawei router with the host name AR1, and there is also a Huawei router located in each branch office, with the host names AR3 and AR4. The following is the IP configuration of each device.

On PC1, 10.20.1.10/24

On PC3, 10.20.3.10/24

On PC4, 10.20.4.10/24

On AR1

#int g0/0/0
   ip add 10.1.3.1 24
#int g0/0/1
   ip add 10.20.1.1 24

On AR3

#int g0/0/0
   ip add 10.1.3.3 24
#int g0/0/1
   ip add 10.20.3.1 24

On AR4

#int g0/0/0
   ip add 10.1.3.4 24
#int g0/0/1
   ip add 10.20.4.1 24

5. Configuration

5.1 Configure DSVPN

 

To configure DSVPN, apply the following configuration on the Huawei routers.

On AR1 in head office, Hub device.

 # int tun0/0/0
      ip add 172.16.1.1 24 
      tunnel-protocol gre p2mp
      source g0/0/0
      ospf network-type p2mp
      nhrp redirect
      nhrp entry multicast dynamic

On AR3 in branch office 01, Spoke device 01.

 # int tun0/0/0
      ip address 172.16.1.3 24
      tunnel-protocol gre p2mp
      source g0/0/0
      ospf network-type p2mp
      nhrp shortcut
      nhrp entry 172.16.1.1 10.1.3.1 register

On AR4 in branch office 02, Spoke device 02.

# int tun0/0/0
      ip address 172.16.1.4 24
      tunnel-protocol gre p2mp
      source g0/0/0
      ospf network-type p2mp
      nhrp shortcut
      nhrp entry 172.16.1.1 10.1.3.1 register

5.2 Configure OSPF Dynamic Routing Protocol

 

After the tunnel interfaces are created, the next step is to configure the OSPF dynamic routing protocol for these tunnel interfaces, so that the local networks of the routers reach each other through the tunnel interfaces and not through the real physical interfaces.

On AR1 in head office, Hub device.

# ospf 1 router-id 172.16.1.1 
    area 0 
      net 10.20.1.0 0.0.0.255 
      net 172.16.1.0 0.0.0.255

On AR3 in branch office 01, Spoke device 01.

# ospf 1 router-id 172.16.1.3 
    area 0
      net 10.20.3.0 0.0.0.255 
      net 172.16.1.0 0.0.0.255

On AR4 in branch office 02, Spoke device 02.

# ospf 1 router-id 172.16.1.4 
    area 0
      net 10.20.4.0 0.0.0.255 
      net 172.16.1.0 0.0.0.255

5.3 Test and Verify the Configuration

 

Check that the tunnel interface is up and that the routers can ping each other, as follows.

# sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.10.10.1 YES NVRAM up up
FastEthernet0/1 1.1.1.1 YES NVRAM up up
Tunnel1 2.2.2.1 YES NVRAM up up
# ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/17/20 ms

# ping 2.2.2.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/20/32 ms

Check that the PC in the headquarters can ping the PCs in each remote branch.

PC>ping 10.20.3.10

Ping 10.20.3.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.20.3.10: bytes=32 seq=2 ttl=126 time=31 ms
From 10.20.3.10: bytes=32 seq=3 ttl=126 time=47 ms
From 10.20.3.10: bytes=32 seq=4 ttl=126 time=47 ms
From 10.20.3.10: bytes=32 seq=5 ttl=126 time=31 ms

--- 10.20.3.10 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 round-trip min/avg/max = 0/39/47 ms

PC>ping 10.20.4.10

Ping 10.20.4.10: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 10.20.4.10: bytes=32 seq=2 ttl=126 time=31 ms
From 10.20.4.10: bytes=32 seq=3 ttl=126 time=47 ms
From 10.20.4.10: bytes=32 seq=4 ttl=126 time=47 ms
From 10.20.4.10: bytes=32 seq=5 ttl=126 time=46 ms

--- 10.20.4.10 ping statistics ---
 5 packet(s) transmitted
 4 packet(s) received
 20.00% packet loss
 round-trip min/avg/max = 0/42/47 ms

Execute the following command on the Hub router to see that a new DSVPN tunnel has been established.

<AR1>dis nhrp peer all
------------------------------------------------------------------------------- 
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag 
------------------------------------------------------------------------------- 
172.16.1.3 32 10.1.3.3 172.16.1.3 dynamic route tunnel 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0
Created time : 01:53:47
Expire time : 01:36:13
------------------------------------------------------------------------------- 
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag 
------------------------------------------------------------------------------- 
172.16.1.4 32 10.1.3.4 172.16.1.4 dynamic route tunnel 
------------------------------------------------------------------------------- 
Tunnel interface: Tunnel0/0/0
Created time : 01:44:04
Expire time : 01:55:07

Number of nhrp peers: 2

Check the OSPF routing table to make sure the routes are learned via the tunnel interfaces and not via the real physical interfaces.

<AR1>dis ospf routing

OSPF Process 1 with Router ID 172.16.1.1
 Routing Tables

Routing for Network 
 Destination Cost Type NextHop AdvRouter Area
 10.20.1.0/24 1 Stub 10.20.1.1 172.16.1.1 0.0.0.0
 172.16.1.1/32 0 Stub 172.16.1.1 172.16.1.1 0.0.0.0
 10.20.3.0/24 1563 Stub 172.16.1.3 172.16.1.3 0.0.0.0
 10.20.4.0/24 1563 Stub 172.16.1.4 172.16.1.4 0.0.0.0
 172.16.1.3/32 1562 Stub 172.16.1.3 172.16.1.3 0.0.0.0
 172.16.1.4/32 1562 Stub 172.16.1.4 172.16.1.4 0.0.0.0

Total Nets: 6 
 Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
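
The two checks above can be scripted. Because the hub accepts dynamic spoke registrations, the sketch below compares the peers listed by `dis nhrp peer all` against an inventory of expected spokes and flags any OSPF route whose next hop lies outside the tunnel subnet. It is an added example, not part of the original lab; the `EXPECTED_SPOKES` inventory, the function names and the two constructed lines are assumptions.

```python
import ipaddress
import re

TUNNEL_NET = ipaddress.ip_network("172.16.1.0/24")  # overlay subnet used in this lab
# Assumed inventory: tunnel address -> physical (NBMA) address of each known spoke.
EXPECTED_SPOKES = {"172.16.1.3": "10.1.3.3", "172.16.1.4": "10.1.3.4"}
IP = r"(\d+(?:\.\d+){3})"
PEER_RE = re.compile(rf"^\s*{IP}\s+\d+\s+{IP}\s+\S+\s+dynamic\b")
ROUTE_RE = re.compile(rf"^\s*(\S+/\d+)\s+\d+\s+\S+\s+{IP}\s")

def unexpected_peers(nhrp_text, expected=EXPECTED_SPOKES):
    """Return (tunnel_ip, nbma_ip) pairs registered on the hub but absent from the inventory."""
    found = [m.groups() for m in map(PEER_RE.match, nhrp_text.splitlines()) if m]
    return [(t, n) for t, n in found if expected.get(t) != n]

def routes_off_tunnel(ospf_text, local_nets=("10.20.1.0/24",)):
    """Return (prefix, next_hop) for remote prefixes not reached through the tunnel subnet."""
    bad = []
    for m in filter(None, map(ROUTE_RE.match, ospf_text.splitlines())):
        prefix, nexthop = m.groups()
        if prefix in local_nets:
            continue  # the hub's own LAN is directly connected
        if ipaddress.ip_address(nexthop) not in TUNNEL_NET:
            bad.append((prefix, nexthop))
    return bad

# Abridged from the AR1 outputs shown on this page.
NHRP_SAMPLE = """\
Protocol-addr Mask NBMA-addr NextHop-addr Type Flag
172.16.1.3 32 10.1.3.3 172.16.1.3 dynamic route tunnel
172.16.1.4 32 10.1.3.4 172.16.1.4 dynamic route tunnel
"""
OSPF_SAMPLE = """\
 Destination Cost Type NextHop AdvRouter Area
 10.20.1.0/24 1 Stub 10.20.1.1 172.16.1.1 0.0.0.0
 10.20.3.0/24 1563 Stub 172.16.1.3 172.16.1.3 0.0.0.0
 10.20.4.0/24 1563 Stub 172.16.1.4 172.16.1.4 0.0.0.0
"""
# Constructed lines (not from the lab): an unknown registrant and a route via the underlay.
ROGUE_PEER = "172.16.1.9 32 10.1.3.99 172.16.1.9 dynamic route tunnel\n"
LEAKED_ROUTE = " 10.20.3.0/24 2 Stub 10.1.3.3 172.16.1.3 0.0.0.0\n"

if __name__ == "__main__":
    print(unexpected_peers(NHRP_SAMPLE + ROGUE_PEER))
    print(routes_off_tunnel(OSPF_SAMPLE + LEAKED_ROUTE))
```

Both functions return an empty list for the outputs captured in this lab, so any non-empty result is worth investigating.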

In case you cannot ping from the PC in the head office to each PC in the branch offices, check that the GRE tunnel interface is up and that the routers can ping each other's tunnel IP addresses.

<AR1>dis ip int bri
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 4
The number of interface that is DOWN in Protocol is 0

Interface IP Address/Mask Physical Protocol 
GigabitEthernet0/0/0 10.1.3.1/24 up up 
GigabitEthernet0/0/1 10.20.1.1/24 up up 
NULL0 unassigned up up(s) 
Tunnel0/0/0 172.16.1.1/24 up up 
<AR1>ping 172.16.1.3
 PING 172.16.1.3: 56 data bytes, press CTRL_C to break
 Reply from 172.16.1.3: bytes=56 Sequence=1 ttl=255 time=60 ms
 Reply from 172.16.1.3: bytes=56 Sequence=2 ttl=255 time=50 ms
 Reply from 172.16.1.3: bytes=56 Sequence=3 ttl=255 time=40 ms
 Reply from 172.16.1.3: bytes=56 Sequence=4 ttl=255 time=40 ms
 Reply from 172.16.1.3: bytes=56 Sequence=5 ttl=255 time=50 ms

--- 172.16.1.3 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 40/48/60 ms

<AR1>ping 172.16.1.4
 PING 172.16.1.4: 56 data bytes, press CTRL_C to break
 Reply from 172.16.1.4: bytes=56 Sequence=1 ttl=255 time=60 ms
 Reply from 172.16.1.4: bytes=56 Sequence=2 ttl=255 time=50 ms
 Reply from 172.16.1.4: bytes=56 Sequence=3 ttl=255 time=50 ms
 Reply from 172.16.1.4: bytes=56 Sequence=4 ttl=255 time=40 ms
 Reply from 172.16.1.4: bytes=56 Sequence=5 ttl=255 time=50 ms

--- 172.16.1.4 ping statistics ---
 5 packet(s) transmitted
 5 packet(s) received
 0.00% packet loss
 round-trip min/avg/max = 40/50/60 ms

6. Conclusion

 

Having finished this article, you should be able to configure DSVPN hub and spokes with the OSPF dynamic routing protocol between Huawei routers. It is a great idea to practice with Huawei eNSP to verify your understanding. If you have any questions or suggestions, you can always leave your comments below. I will do my best to review and reply to them.
