No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Connecting CE Devices to an MPLS VPN Network

Connecting CE Devices to an MPLS VPN Network

NOTE:

The AR100&AR120&AR150&AR160&AR200 cannot work on an MPLS backbone network.

The MPLS VPN solution provides better services than the traditional IP VPN solution. Therefore, MPLS VPN technology is now carrier's preferred VPN technology. However, the Internet is IP based and a large number of backbone networks still use IP technology.

In the MPLS VPN solution, a customer edge (CE) device must have a direct physical link to a provider edge (PE) device on the MPLS backbone network to connect to the VPN. That is, the CE and PE devices must be on the same network. In this networking, you must associate the VPN instance with the PE device's physical interface connected to the CE device.

In actual networking, the CE and PE devices may not be directly connected by physical links. For example, the CE devices of multiple organizations that are connected to the Internet or an IP-based backbone network may be far away from the PE devices on the MPLS backbone network; therefore, they cannot be connected directly. These organizations cannot directly connect to the internal sites of the MPLS VPN through the Internet or the IP backbone network.

Figure 3-10  Connecting CE devices to an MPLS VPN backbone network through an IP backbone network

To connect a CE device to an MPLS VPN backbone network, create a logical direct connection between the CE and PE devices. You can connect the CE and PE devices using a public or private network, and create a GRE tunnel between the CE and PE devices. Then, the CE and PE devices can communicate as if they were directly connected, and the GRE tunnel can be associated with the VPN as a physical interface.

A GRE tunnel can be set up in the following ways to connect CE devices to an MPLS VPN network:

  • GRE tunnel over a private network: The GRE tunnel is associated with a VPN instance, and the source interface (or the source address) and the destination address of the GRE tunnel belong to this VPN instance.

  • GRE tunnel over a public network: The GRE tunnel is associated with a VPN instance. However, the source address and destination address of the GRE tunnel are public IP addresses and do not belong to the VPN instance.

  • GRE over a VPN: The GRE tunnel is associated with a VPN instance (such as VPN1), while the source interface of the GRE tunnel is bound to another VPN instance (such as VPN2). The GRE tunnel traverses VPN2.

GRE Tunnel over a Public Network

In this networking, the CE and PE devices must have one interface using a public IP address. The CE and PE devices must have a route to each other in their public network routing tables.

Figure 3-11  GRE tunnel over a public network

GRE Tunnel over a VPN

This networking differs from a GRE tunnel over a public network in that the CE device is connected to the PE device across a VPN (VPN2 in this example), but not a public network. Both the outbound interface of the private data from the CE and the outbound interface of the private data from the PE belong to VPN2.

Figure 3-12  GRE tunnel over a VPN

In Figure 3-12, PE1 and PE2 are the edge devices of the first carrier on the MPLS backbone network. VPN2 is a VPN of a second carrier network. CE1 and CE2 are customer devices.

To deploy a VPN (VPN1 in this example) based on the MPLS network, you can set up a GRE tunnel between PE1 and CE1 across VPN2. Then CE1 and PE1 are directly connected through the GRE tunnel.

GRE Tunnel over a Private Network

In this networking, the source address and the destination address of the GRE tunnel belong to the private network. In actual applications, creating a tunnel on a private network serves no purpose; therefore, this networking is not recommended. As shown in Figure 3-13, R1 can be used as a CE device so no GRE tunnel is required.

Figure 3-13  GRE tunnel over a private network

Translation
Download
Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 142317

Downloads: 357

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next