CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.

Basic Networking

Intranet VPN

In an intranet VPN, all the users in the VPN can transmit packets to each other, but cannot communicate with users outside the VPN. The sites within an intranet VPN usually belong to the same organization.

In intranet VPN networking, each VPN is allocated a VPN target as the export target and import target. The VPN target of a VPN cannot be used by other VPNs.

Figure 7-9  Intranet VPN networking

As shown in Figure 7-9, PE devices allocate the VPN target 100:1 to VPN1 and the target 200:1 to VPN2. The two sites in the same VPN can communicate with each other, whereas sites in different VPNs cannot communicate.

Extranet VPN

If users in a VPN need to access some sites of another VPN, extranet networking can be used.

In extranet networking, if a VPN needs to access a shared site, its export target must be included in the import target of the VPN instance covering the shared site, and its import target must be included in the export target of the VPN instance covering the shared site.

Figure 7-10  Extranet VPN networking

As shown in Figure 7-10, VPN1 and VPN2 can access Site3 of VPN1.

  • PE3 can receive VPN-IPv4 routes advertised by PE1 and PE2.

  • PE1 and PE2 can receive VPN-IPv4 routes advertised by PE3.

Site1 and Site3 of VPN1 can communicate with each other. Site2 of VPN2 and Site3 of VPN1 can also communicate with each other.

PE3 does not advertise the VPN-IPv4 routes learned from PE1 to PE2 and does not advertise the VPN-IPv4 routes learned from PE2 to PE1. Therefore, Site1 of VPN1 and Site2 of VPN2 cannot communicate with each other.

Hub and Spoke

If a central access control device needs to be deployed to control communication between VPN users, Hub and Spoke networking can be used. The site where the access control device is deployed is the Hub site, and the other sites are Spoke sites. The following devices are used in Hub and Spoke networking:

  • Hub-CE: deployed in the Hub site and connected to the VPN backbone network.
  • Spoke-CE: deployed in a Spoke site and connected to the VPN backbone network.
  • Hub-PE: deployed on the VPN backbone network and connected to the Hub site.
  • Spoke-PE: deployed on the VPN backbone network and connected to a Spoke site.

A Spoke site advertises routes to the Hub site, and then the Hub site advertises the routes to other Spoke sites. Spoke sites do not advertise routes to each other. The Hub site controls communication between all Spoke sites.

In Hub and Spoke networking, two VPN targets are configured to represent Hub and Spoke respectively. Figure 7-11 shows the Hub and Spoke networking.

Figure 7-11  Hub and Spoke networking

The VPN targets of a PE device must comply with the following rules:

  • The export target and import target of a Spoke-PE device are Spoke and Hub respectively. The import target of any Spoke-PE device must be different from the export target of any other Spoke-PE device.

  • A Hub-PE device requires two interfaces or sub-interfaces.

    • One interface or sub-interface receives routes from Spoke-PE devices. The import target of the VPN instance on the interface is Spoke.

    • The other interface or sub-interface advertises routes to Spoke-PE devices. The export target of the VPN instance on the interface is Hub.

As shown in Figure 7-11, the Hub site controls communication between Spoke sites. The arrows show the process of advertising a route from Site2 to Site1:

  • The Hub-PE device can receive VPN-IPv4 routes advertised by all the Spoke-PE devices.

  • All the Spoke-PE devices can receive VPN-IPv4 routes advertised by the Hub-PE.

  • The Hub-PE device advertises the routes learned from Spoke-PE devices to the Hub-CE device, and advertises the routes learned from the Hub-CE device to all the Spoke-PE devices. By doing this, the Spoke sites can access each other through the Hub site.

  • The import target of any Spoke-PE device is different from the export targets of other Spoke-PE devices. Therefore, any two Spoke-PE devices do not directly advertise VPN-IPv4 routes to each other. The Spoke sites cannot directly communicate with each other.
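The VPN-target matching rules from the Intranet VPN, Extranet VPN, and Hub and Spoke sections can be checked with a small model. This is an added example, not part of the Huawei document: the instance names, the extranet and Hub/Spoke target values, and the helper functions are assumptions made for illustration; only 100:1 and 200:1 for the intranet case come from the page.

```python
from itertools import permutations

def route_flows(vrfs):
    """{(advertiser, receiver)} pairs where receiver imports advertiser's routes.

    vrfs maps instance name -> (export_targets, import_targets); a VPN-IPv4 route
    is accepted when one of its export targets is in the receiver's import targets.
    """
    return {(a, b) for a, b in permutations(vrfs, 2)
            if set(vrfs[a][0]) & set(vrfs[b][1])}

def mutual_pairs(vrfs):
    """Instance pairs that exchange routes in both directions."""
    flows = route_flows(vrfs)
    return {frozenset(p) for p in flows if (p[1], p[0]) in flows}

def unintended_flows(vrfs, allowed):
    """Route flows the configured targets permit but the intended policy does not."""
    return route_flows(vrfs) - set(allowed)

# Intranet: targets as in Figure 7-9; instance names are constructed.
INTRANET = {
    "vpn1_site_a": ({"100:1"}, {"100:1"}),
    "vpn1_site_b": ({"100:1"}, {"100:1"}),
    "vpn2_site_a": ({"200:1"}, {"200:1"}),
    "vpn2_site_b": ({"200:1"}, {"200:1"}),
}

# Extranet (constructed targets): shared Site3 carries both VPNs' targets.
EXTRANET = {
    "site1_vpn1": ({"100:1"}, {"100:1"}),
    "site2_vpn2": ({"200:1"}, {"200:1"}),
    "site3_vpn1": ({"100:1", "200:1"}, {"100:1", "200:1"}),
}

# Hub and Spoke (constructed targets): Spoke = 100:1, Hub = 200:1.
SPOKE, HUB = "100:1", "200:1"
HUB_SPOKE = {
    "spoke_pe1": ({SPOKE}, {HUB}),
    "spoke_pe2": ({SPOKE}, {HUB}),
    "hub_pe_in": (set(), {SPOKE}),   # instance that receives Spoke-PE routes
    "hub_pe_out": ({HUB}, set()),    # instance that advertises to Spoke-PEs
}

# Constructed misconfiguration: spoke_pe2 also imports the Spoke target.
LEAKY = dict(HUB_SPOKE, spoke_pe2=({SPOKE}, {HUB, SPOKE}))

if __name__ == "__main__":
    print(unintended_flows(LEAKY, route_flows(HUB_SPOKE)))
```

Comparing `route_flows` for a planned change against the flows of the approved design shows any route exchange that would bypass the Hub site before the targets are committed.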

Updated: 2019-08-07

Document ID: EDOC1100033725
