Configuration Guide - VPN

S1720, S2700, S5700, and S6720 V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.

HVPN

Definition

Most networking designs currently use hierarchical architecture. For example, a metropolitan area network (MAN) typically uses a three-layer architecture consisting of an access layer, an aggregation layer, and a core layer. A BGP/MPLS IP VPN network, however, uses a flat model. All PE devices are located on the same plane. To deploy VPN services in a hierarchical network structure, the flat model of BGP/MPLS IP VPN must be converted into a hierarchical model. The hierarchy of VPN (HVPN) solution assists with this conversion process.

The HVPN solution distributes the functions of one PE to multiple PEs. These PEs play different roles and form a hierarchical architecture. The HVPN solution is also called the hierarchy of PE (HoPE) solution.

Figure 3-18 shows a basic HVPN architecture consisting mainly of user-end PEs (UPEs), superstratum PEs (SPEs), and network PEs (NPEs).
Figure 3-18  HVPN architecture

  • UPE: directly connected to CEs and provides access services for users.
  • SPE: connected to UPEs and located on the core of a network. SPEs manage and advertise VPN routes.
  • NPE: connected to SPEs and located on the network side.
NOTE:

The roles of UPEs and SPEs are relative. On an HVPN, a superstratum PE is the SPE of an understratum PE, and an understratum PE is the UPE of a superstratum PE.

An HoPE is compatible with common PEs on an MPLS network.

HVPN can be implemented in HoVPN or H-VPN mode. Both modes implement hierarchical BGP/MPLS IP VPN deployment. Table 3-1 lists the advantages of HoVPN and H-VPN modes.

Table 3-1  Advantages of HoVPN and H-VPN

Mode: HoVPN

  • Characteristics: An SPE advertises only default or summarized routes to UPEs.
    • An export policy must be configured on an SPE so the SPE only advertises specific routes, such as default routes, to UPEs.
    • VPN instances must be configured on an SPE. This allows the SPE to import default routes locally or aggregate routes received from remote SPEs or NPEs.
  • Advantages: As SPEs advertise only default or summarized routes to UPEs, devices that have low route management capabilities can be used as UPEs. Therefore, the HoVPN mode requires lower network deployment cost than the H-VPN mode.

Mode: H-VPN

  • Characteristics: An SPE advertises all VPN routes to UPEs.
    • VPN instances do not need to be configured on SPEs.
    • MP-BGP peer relationships must be configured between SPEs and NPEs and between SPEs and UPEs. The NPEs and UPEs must be configured as the clients of SPEs that function as RRs, and next hops of SPE/UPE neighbors must be modified.
  • Advantages: UPEs obtain detailed routes from SPEs. Therefore, the H-VPN mode provides more refined route management and traffic forwarding control than the HoVPN mode.

Implementation

Label forwarding is used between an SPE and a UPE; only one SPE interface is required to connect to the UPE. The SPE does not need to provide numerous interfaces to connect to users.

MP-IBGP or MP-EBGP can be used between a UPE and an SPE, depending on whether they belong to the same or different ASs. When MP-IBGP is used, an SPE functions as an RR of multiple UPEs to advertise routes between IBGP peers. To reduce the number of routes on the UPEs, avoid using the SPE as an RR for other PEs.

The following describes the route exchange and packet forwarding processes in HoVPN and H-VPN modes.
NOTE:

In the following figures, N indicates a next hop, and L indicates a label.

  • Route Advertisement on an HVPN Network
    • Route advertisement from CE1 to CE2 (in HoVPN or H-VPN mode)
      Figure 3-19 shows route advertisement from CE1 to CE2 in HoVPN or H-VPN mode.
      1. CE1 advertises IPv4 routes to the UPE using the IP protocol.

      2. The UPE applies for label L1 for the received IPv4 routes and converts them to VPNv4 routes. The UPE then sets itself as the next hop of these routes and advertises them to the SPE.

      3. The SPE saves label L1 locally and applies for label L2. The SPE then sets itself as the next hop of these routes and advertises them to the NPE.

      4. The NPE converts these routes to IPv4 routes and imports routes with reachable next hops to its VPN IPv4 routing table. The NPE retains label L2 and iteration tunnel ID information for later packet forwarding.

      5. The NPE advertises the IPv4 routes to CE2 using the IP protocol.

      Figure 3-19  Route advertisement from CE1 to CE2 in HoVPN or H-VPN mode

    • Route advertisement from CE2 to CE1 (in HoVPN mode)
      Figure 3-20 shows route advertisement from CE2 to CE1 in HoVPN mode.
      1. CE2 advertises IPv4 routes to the NPE using the IP protocol.

      2. The NPE applies for label L3 for the received IPv4 routes and converts these routes to VPNv4 routes. The NPE then sets itself as the next hop of these routes and advertises them to the SPE.

      3. The SPE saves label L3 locally and converts these routes to IPv4 routes and imports routes with reachable next hops to its VPN IPv4 routing table.

      4. The SPE imports a default route to its VPN IPv4 routing table or generates a summarized VPN route based on the received IPv4 routes in its VPN IPv4 routing table. The SPE also applies for label L4 for the default route or summarized VPN route. The SPE then converts the default route or summarized VPN route to a VPNv4 route, sets itself as the next hop of the VPNv4 route, and advertises the route to the UPE.

      5. The UPE converts the route to an IPv4 route and imports the route to its VPN IPv4 routing table if the next hop of the route is reachable.

      6. The UPE advertises the IPv4 route to CE1 using the IP protocol.

      Figure 3-20  Route advertisement from CE2 to CE1 in HoVPN mode

    • Route advertisement from CE2 to CE1 (in H-VPN mode)
      Figure 3-21 shows route advertisement from CE2 to CE1 in H-VPN mode.
      1. CE2 advertises IPv4 routes to the NPE using the IP protocol.

      2. The NPE applies for label L3 for the received IPv4 routes and converts these routes to VPNv4 routes. Then, the NPE sets itself as the next hop of these routes and advertises them to the SPE.

      3. The SPE receives the VPNv4 routes, saves label L3 locally, and applies for label L4 for these VPNv4 routes. The SPE then sets itself as the next hop of these routes and advertises them to the UPE.

      4. The UPE converts these routes to IPv4 routes and imports routes with reachable next hops to its VPN IPv4 routing table.

      5. The UPE advertises the IPv4 routes to CE1 using the IP protocol.

      Figure 3-21  Route advertisement from CE2 to CE1 in H-VPN mode

  • Packet Forwarding on an HVPN Network
    • Packet transmission from CE2 to CE1 (in HoVPN or H-VPN mode)
      Figure 3-22 shows packet forwarding from CE2 to CE1 in HoVPN or H-VPN mode.
      1. CE2 sends a VPN packet to the NPE.

      2. The NPE receives the packet and searches its VPN forwarding table for a tunnel to forward the packet based on the destination address. Then, the NPE adds an inner label L2 and an outer label Lu to the packet and sends the packet to the SPE over this tunnel.

      3. The SPE receives the packet and replaces the outer label Lu with Lv and the inner label L2 with L1. Then, the SPE sends the packet to the UPE over the same tunnel.

      4. The UPE receives the packet and removes the outer label Lv, searches for a VPN instance corresponding to the packet based on the inner label L1, and removes the inner label L1 after the VPN instance is found. Then, the UPE searches the VPN forwarding table of this VPN instance for the outbound interface of the packet based on the destination address of the packet and sends a pure IP packet with no label through this outbound interface to CE1.

      Figure 3-22  Packet forwarding from CE2 to CE1 (in HoVPN or H-VPN mode)

    • Packet transmission from CE1 to CE2 (in HoVPN mode)
      Figure 3-23 shows packet forwarding from CE1 to CE2 in HoVPN mode.
      1. CE1 sends a VPN packet to the UPE.

      2. The UPE receives the packet and searches its VPN forwarding table for a tunnel to forward the packet based on the destination address of the packet (the UPE matches the destination address of the packet with the forwarding entry for the default route or summarized route). The UPE then adds an inner label L4 and an outer label Lv to the packet and sends the packet to the SPE over the discovered tunnel.

      3. The SPE removes the outer label Lv and searches for the VPN instance corresponding to the packet based on the inner label L4. The SPE then removes the inner label L4 and searches the VPN forwarding table of the discovered VPN instance for a tunnel to forward the packet based on the destination address of the packet. The SPE adds an inner label L3 and an outer label Lu to the packet and sends the packet to the NPE over the discovered tunnel.

      4. The NPE receives the packet and removes the outer label Lu. The NPE then searches for a VPN instance corresponding to the packet based on the inner label L3 and removes the inner label L3 after the VPN instance is discovered. The NPE then searches the VPN forwarding table of this VPN instance for the outbound interface of the packet based on the destination address of the packet. The NPE sends a pure IP packet (with no label) through the outbound interface to CE2.

      Figure 3-23  Packet forwarding from CE1 to CE2 (in HoVPN mode)

    • Packet transmission from CE1 to CE2 (in H-VPN mode)
      Figure 3-24 shows packet forwarding from CE1 to CE2 in H-VPN mode.
      1. CE1 sends a VPN packet to the UPE.

      2. The UPE receives the packet and searches its VPN forwarding table for a tunnel to forward the packet based on the destination address of the packet (the UPE matches the destination address of the packet with the forwarding entries for specific routes received from the SPE). The UPE then adds an inner label L4 and an outer label Lv to the packet and sends the packet to the SPE over the discovered tunnel.

      3. The SPE receives the packet and replaces the outer label Lv with Lu and the inner label L4 with L3. The SPE then sends the packet to the NPE over the same tunnel.

      4. The NPE receives the packet and removes the outer label Lu. The NPE searches for a VPN instance corresponding to the packet based on the inner label L3. After the VPN instance is found, the NPE removes the inner label L3. The NPE then searches the VPN forwarding table of this VPN instance for the outbound interface of the packet based on the destination address of the packet. The NPE sends a pure IP packet (with no label) through the outbound interface to CE2.

      Figure 3-24  Packet forwarding from CE1 to CE2 (in H-VPN mode)
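
The CE1-to-CE2 forwarding steps above can be traced in a small simulation. This is an added example, not Huawei code or device output: the prefixes and function names are constructed for illustration, and the label names follow the route-advertisement steps (L3 allocated by the NPE, L4 by the SPE). It shows where a packet to a destination with no VPN route is discarded in each mode.

```python
import ipaddress

# Constructed sample data: prefixes behind CE2. Label names follow the steps
# above (L3 allocated by the NPE, L4 by the SPE; Lv and Lu are outer labels).
REMOTE_PREFIXES = ["10.2.1.0/24", "10.2.2.0/24"]

def upe_table(mode):
    """Remote VPN routes the SPE advertises to the UPE, with inner label L4."""
    if mode == "HoVPN":
        return {"0.0.0.0/0": "L4"}              # default route only
    return {p: "L4" for p in REMOTE_PREFIXES}   # H-VPN: all specific routes

def lookup(table, dst):
    """Longest-prefix match of dst in a {prefix: label} table, or None."""
    addr = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(p) for p in table]
    hits = [n for n in nets if addr in n]
    if not hits:
        return None
    return table[str(max(hits, key=lambda n: n.prefixlen))]

def forward_ce1_to_ce2(mode, dst):
    """Return [(device, action, label stack sent)] for a CE1 packet to dst."""
    inner = lookup(upe_table(mode), dst)
    if inner is None:
        return [("UPE", "drop: no route", [])]
    trace = [("UPE", "push", ["Lv", inner])]
    if mode == "HoVPN":
        # The SPE pops Lv and L4, then routes on the destination address in
        # its own VPN instance, which holds the specific routes from the NPE.
        spe_vpn_instance = {p: "L3" for p in REMOTE_PREFIXES}
        inner = lookup(spe_vpn_instance, dst)
        if inner is None:
            return trace + [("SPE", "drop: no route in VPN instance", [])]
        trace.append(("SPE", "pop, IP lookup, push", ["Lu", inner]))
    else:
        # H-VPN: the SPE has no VPN instance; it only swaps both labels.
        trace.append(("SPE", "swap", ["Lu", "L3"]))
    trace.append(("NPE", "pop, IP lookup, send IP packet to CE2", []))
    return trace

if __name__ == "__main__":
    for mode in ("HoVPN", "H-VPN"):
        for dst in ("10.2.1.5", "10.9.9.9"):    # second address has no route
            print(mode, dst, forward_ce1_to_ce2(mode, dst))
```

In HoVPN mode the unrouted destination still matches the UPE's default route and is carried to the SPE before it is dropped, whereas in H-VPN mode the UPE discards it locally.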

HoPE Embedding

HVPN supports HoPE embedding. An HoPE can be embedded repeatedly in the following two ways:

  • An HoPE can function as a UPE and connect to an SPE to form a new HoPE.

  • An HoPE can function as an SPE and connect to multiple UPEs to form a new HoPE.

In theory, HoPE embedding allows a VPN to be expanded without limit.

Figure 3-25 shows a diagram of HoPE embedding. The network has a three-layer H-VPN with the PEs in the middle referred to as middle-level PEs (MPEs). MP-BGP runs between the SPE and MPEs and between MPEs and UPEs.

NOTE:

MPE is introduced solely for descriptive purposes and does not actually exist in an H-VPN model.

Figure 3-25  HoPE embedding

Benefits of HVPN Networking

HVPN networking provides the following benefits:

  • Flexible expandability

    If UPE performance is insufficient, add an SPE for the UPE to access. If SPE access capabilities are insufficient, add more UPEs to the SPE.

  • Reduced interface resource requirements

    Since a UPE and an SPE exchange packets based on labels, they only need to be connected over a single link.

  • Reduced burdens on UPEs

    A UPE only needs to maintain local VPN routes. Remote VPN routes are represented by a default or summarized route, lightening the burdens on UPEs.

  • Simple configuration

    SPEs and UPEs use MP-BGP, a dynamic routing protocol, to exchange routes and advertise labels. Each UPE only needs to establish a single MP-BGP peer relationship with an SPE.

Updated: 2019-04-18

Document ID: EDOC1000141944
