No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

S12700 V200R011C10 Configuration Guide - VPN

This document describes the VPN configuration procedures and provides configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
MCE

MCE

Definition

A multi-VPN-instance CE (MCE) device functions as a CE device for multiple VPN instances in BGP/MPLS IP VPN networking. The MCE function helps reduce network device expenses.

Background

BGP/MPLS IP VPN uses tunnels to transmit private network data on a public network. In the traditional BGP/MPLS IP VPN architecture, each VPN instance must use a CE device to connect to a PE device.

Figure 3-19 shows a network diagram without an MCE device.
Figure 3-19  Networking without an MCE device

Private networks often need to be divided into multiple VPNs to implement fine-grained service management and enhanced security. User services in different VPNs must be completely isolated. Deploying a CE device for each VPN increases the cost of device procurement and maintenance. If multiple VPNs share one CE device, data security cannot be ensured since all of the VPNs use the same routing and forwarding table.

MCE technology ensures data security between different VPNs while reducing network construction and maintenance costs. Figure 3-20 shows MCE networking.

Figure 3-20  Networking with an MCE device

An MCE device has certain PE functions. An MCE device creates and maintains an independent VRF for each VPN by binding each VPN instance to a different interface. This application is called multi-VRF application. The MCE device isolates forwarding paths of different VPNs on a private network and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.

Implementation

An MCE device maintains a VRF for each VPN and binds each VPN instance to an interface. When the MCE device receives a route, it checks the receiving interface to determine the origin of the route. The MCE device also adds the route to the VRF of the VPN instance bound to the interface.

The PE interfaces connected to the MCE device must also be bound to the VPN instances. The bindings between interfaces and VPN instances on the PE device must be the same as those on the MCE device. When the PE device receives a packet, it checks the receiving interface to determine which VPN the packet belongs to, and then transmits the packet in the corresponding tunnel.

In Figure 3-20:
  • The MCE device saves routes learned from VPN1 in VRF1.
  • The PE device saves routes of VPN1 learned from the MCE device in VRF1.
  • Routes of VPN2 and VPN3 are isolated from routes of VPN1, and are not saved in VRF1.
The MCE device exchanges routes with VPN sites and PE device in the following ways:
  • Route exchange between the MCE device and VPN sites

    Route Exchange Method

    Implementation

    Static routes

    Static routes are bound to VPN instances on the MCE device. Static routes of different VPNs are isolated even if VPNs use overlapping address spaces.

    Routing Information Protocol (RIP)

    Each VPN instance is bound to a RIP process on the MCE device so that different VPN routes can be exchanged between the MCE device and VPN sites, using different RIP processes. This isolates different VPN routes and ensures VPN route security.

    Open Shortest Path First (OSPF)

    Each VPN instance is bound to an OSPF process on the MCE device to isolate routes of different VPNs.

    Intermediate System to Intermediate System (IS-IS)

    Each VPN instance is bound to an IS-IS process on the MCE device to isolate routes of different VPNs.

    Border Gateway Protocol (BGP)

    Each VPN instance is configured with a BGP peer on the MCE device. The MCE imports IGP routes of each VPN to the BGP routing table of the VPN.

  • Route exchange between MCE and PE devices

    Routes of different VPN instances are isolated on the MCE device. The MCE and PE devices identify packets of different VPN instances according to bindings between interfaces and VPN instances. An administrator only needs to perform simple routing configuration on the MCE and PE devices, and to import the VPN routes of the MCE device to the routing protocol running between the MCE and PE devices.

    The MCE and PE devices use static routes, RIP, OSPF, IS-IS, or BGP to exchange routes.

Translation
Download
Updated: 2019-04-01

Document ID: EDOC1000178118

Views: 159297

Downloads: 159

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next