No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Configuration Guide - VPN

S1720, S2700, S5700, and S6720 V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Connecting CE Devices to an MPLS VPN

Connecting CE Devices to an MPLS VPN

The MPLS VPN solution provides better services than the traditional IP VPN solution. Therefore, MPLS VPN technology is the preferred VPN technology. However, since the Internet is IP based, a large number of backbone networks still use IP technology.

In the MPLS VPN solution, a customer edge (CE) device must have a direct physical link to a provider edge (PE) device on the MPLS backbone network to connect to the VPN. That is, the CE and PE devices must be on the same network. In this case, you must associate the VPN instance with the PE device's physical interface connected to the CE device.

CE and PE devices may not be directly connected by physical links. For example, the CE devices of multiple organizations that are connected to the Internet or an IP-based backbone network may be far away from the PE devices on the MPLS backbone network; therefore, they cannot be connected directly. These organizations cannot directly connect to the internal sites of the MPLS VPN through the Internet or the IP backbone network.

Figure 2-5  Connecting CE devices to an MPLS VPN backbone network through an IP backbone network

To connect a CE device to an MPLS VPN backbone network, create a logical direct connection between the CE and PE devices. You can connect the CE and PE devices using a public or private network, and create a GRE tunnel between the two. Then, the CE and PE devices can communicate as if they were directly connected, and the GRE tunnel can be associated with the VPN as a physical interface.

A GRE tunnel can be set up in the following ways to connect CE devices to an MPLS VPN network:

  • Over a public network

    The GRE tunnel is associated with a VPN instance. However, the source address and destination address of the GRE tunnel are public IP addresses and do not belong to the VPN instance.

  • Over a VPN

    The GRE tunnel is associated with a VPN instance (such as VPN1), while the source interface of the GRE tunnel is bound to another VPN instance (such as VPN2). The GRE tunnel traverses VPN2.

  • Over a private network

    The GRE tunnel is associated with a VPN instance. The source interface (or the source address) and the destination address of the GRE tunnel belong to this VPN instance.

GRE Tunnel over a Public Network

In this example, the CE and PE devices must have one interface using a public IP address. The CE and PE devices must have a route to each other in their public network routing tables.

Figure 2-6  GRE tunnel over a public network

GRE Tunnel over a VPN

GRE tunnel over a VPN differs from a GRE tunnel over a public network in that the CE device is connected to the PE device across a VPN but not a public network. In the example shown in Figure 2-7, both the outbound interface of the private data from the CE device and the PE device belong to VPN2.

Figure 2-7  GRE tunnel over a VPN

PE1 and PE2 are the edge devices of the first carrier on the MPLS backbone network. VPN2 is a VPN of a second carrier network. CE1 and CE2 are customer devices.

To deploy a VPN (VPN1 in this example) based on the MPLS network, you can set up a GRE tunnel between PE1 and CE1 across VPN2. CE1 and PE1 then are directly connected through the GRE tunnel.

GRE Tunnel over a Private Network

In this example, the source address and the destination address of the GRE tunnel belong to the private network. However, a tunnel on a private network serves no purpose; therefore, this networking is not recommended. As shown in Figure 2-8, R1 can be used as a CE device so no GRE tunnel is required.

Figure 2-8  GRE tunnel over a private network

Translation
Download
Updated: 2019-04-18

Document ID: EDOC1000141944

Views: 86832

Downloads: 521

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next