No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - VPN

S9300, S9300E, and S9300X V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Configuration Task Summary

Configuration Task Summary

After basic BGP/MPLS IP VPN configurations are complete, a simple VPN network can be established using MPLS technology. To deploy special BGP/MPLS IP VPN networking, perform other configuration tasks according to the reference sections provided in the following table.

Table 2-3 lists the BGP/MPLS IP VPN configuration tasks.

Table 2-3  BGP/MPLS IP VPN configuration tasks




Configure basic BGP/MPLS IP VPN functions

This configuration establishes a simple BGP/MPLS IP L3VPN network with basic functions.

Configuring Basic BGP/MPLS IP VPN Functions

Configure BGP/MPLS IP VPN in various networking modes

You adjust the basic BGP/MPLS IP L3VPN configurations in different networking mode to implement flexible communication and isolation between VPNs:
  • Intranet VPN and extranet VPN networking: The configurations are same as the configurations in basic BGP/MPLS IP VPN networking except for the VPN target setting.
  • Hub and Spoke networking: configure the Hub and Spoke.
  • Mutual Access Between Local VPNs networking: configure Mutual Access Between Local VPNs

Configuring Basic BGP/MPLS IP VPN Functions

Configuring Hub and Spoke

Configuring Mutual Access Between Local VPNs

Configure inter-AS VPN

Configure inter-AS VPN if the backbone network spans multiple ASs. Three inter-AS VPN solutions are available, applicable to different scenarios:
  • Inter-AS VPN Option A: Use this solution when only a few VPNs are configured on the PE devices. The ASBRs must support VPN instances.
  • Inter-AS VPN Option B: Use this solution when many VPNs are configured on the PE devices, and the ASBRs do not have enough interfaces to reserve an interface for each inter-AS VPN. The ASBRs must be able to maintain and advertise VPN-IPv4 routes.

Configuring Inter-AS VPN Option A

Configuring Inter-AS VPN Option B

Configure an MCE device

An MCE device can connect to multiple VPNs. The MCE solution isolates services of different VPNs while reducing cost of CE devices.

Configuring an MCE Device

Configure HVPN

On an HVPN, PEs play different roles and provide different functions. These PEs form a hierarchical architecture to provide functions that are provided by one PE on a non-hierarchical VPN. HVPNs lower the performance requirements for PEs.

Configuring HVPN

Configure OSPF sham links

To ensure that VPN traffic is forwarded over the backbone network but not through backdoor routes, configure OSPF sham links between PE devices. Then routes on the MPLS VPN backbone network change into intra-area OSPF routes and can be preferred in VPN traffic forwarding.

Configuring an OSPF Sham Link

Configure BGP/MPLS IP VPN reliability

To improve VPN network reliability, you can deploy a VPN networking with full-mesh connections on the backbone network, nested PE devices on the MPLS network, and CE dual-homing (or multi-homing) on the access layer. In this networking, a BGP route reflector (RR) can be configured to reduce the number of MP-IBGP connections. This configuration mitigates loads on the network devices and facilitates device maintenance and management.

The following technologies can also be used to improve VPN network reliability:

  • FRR for BGP/MPLS IP VPN: implements fast switching of VPN traffic upon a link failure to minimize the VPN service interruption time.
  • VPN graceful restart (VPN GR): ensures uninterrupted VPN traffic forwarding during an active/standby switchover on a PE, P, or CE device. This technology minimizes the impact of PE or CE failures on VPN services.

Configuring Route Reflection to Optimize the VPN Backbone Layer

Configuring FRR for BGP/MPLS IP VPN

Configuring VPN GR

Configure VPN tunnel policies

When VPN services need to be transmitted over a specified traffic engineering (TE) tunnel or when load balancing needs to be performed among multiple tunnels to fully use network resources, configure VPN tunnel policies.

Configuring Tunnel Policies

Connect VPNs to the Internet

If users in a VPN need to connect to the Internet, configure interconnection between the VPN and the Internet.

Connecting a VPN to the Internet

Updated: 2019-08-21

Document ID: EDOC1000142068

Views: 119341

Downloads: 212

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next