No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



A multi-VPN-instance CE (MCE) device can function as a CE device for multiple VPN instances in BGP/MPLS IP VPN networking. The MCE function helps reduce expenses of network devices.


BGP/MPLS IP VPN uses tunnels to transmit data of private networks on a public network. In the traditional BGP/MPLS IP VPN architecture, each VPN instance must use a CE device to connect to a PE device, as shown in Figure 7-22.
Figure 7-22  Networking without an MCE device

In many cases, a private network must be divided into multiple VPNs to implement fine-grained service management and enhance security. Services of users in different VPNs must be completely isolated. Deploying a CE device for each VPN increases the cost of device procurement and maintenance. If multiple VPNs share one CE device, data security cannot be ensured because all the VPNs use the same routing and forwarding table.

MCE technology ensures data security between different VPNs while reducing network construction and maintenance costs. Figure 7-23 shows MCE networking.

Figure 7-23  Networking with an MCE device

An MCE device has some PE functions. By binding each VPN instance to a different interface, an MCE device creates and maintains an independent VRF for each VPN. This application is also called multi-VRF application. The MCE device isolates forwarding paths of different VPNs on a private network and advertises routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.


An MCE device maintains a VRF for each VPN and binds each VPN instance to an interface. When the MCE device receives a route, it checks the receiving interface to determine the origin of the route and adds the route to the VRF of the VPN instance bound to the interface.

The PE interfaces connected to the MCE device must also be bound to the VPN instances. The bindings between interfaces and VPN instances on the PE device must be the same as those on the MCE device. When the PE device receives a packet, it checks the receiving interface to determine to which VPN the packet belongs, and then transmits the packet in the corresponding tunnel.

In Figure 7-23:
  • The MCE device saves routes learned from VPN1 in VRF1.
  • The PE device saves routes of VPN1 learned from the MCE device in VRF1.
  • Routes of VPN2 and VPN3 are isolated from routes of VPN1, and are not saved in VRF1.
The MCE device exchanges routes with VPN sites and PE device in the following ways:
  • Route exchange with VPN sites

    Route Exchange Method


    Static routes

    Static routes are bound to VPN instances on the MCE device. Static routes of different VPNs are isolated even if VPNs use overlapping address spaces.

    Routing Information Protocol (RIP)

    Each VPN instance is bound to a RIP process on the MCE device so that routes of different VPNs are exchanged between the MCE device and VPN sites using different RIP processes. This isolates routes of different VPNs and ensures security of VPN routes.

    Open Shortest Path First (OSPF)

    Each VPN instance is bound to an OSPF process on the MCE device to isolate routes of different VPNs.

    Intermediate System to Intermediate System (IS-IS)

    Each VPN instance is bound to an IS-IS process on the MCE device to isolate routes of different VPNs.

    Border Gateway Protocol (BGP)

    Each VPN instance is configured with a BGP peer on the MCE device. The MCE imports IGP routes of each VPN to the BGP routing table of the VPN.

  • Route exchange with the PE device

    Routes of different VPN instances are isolated on the MCE device. The MCE and PE devices identify packets of different VPN instances according to bindings between interfaces and VPN instances. An administrator only needs to perform simple routing configuration on the MCE and PE devices, and to import the VPN routes of the MCE device to the routing protocol running between the MCE and PE devices.

    The MCE and PE devices can use static routes, RIP, OSPF, IS-IS, or BGP to exchange routes.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 153307

Downloads: 369

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next