CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
VPN Tunnel Policy

Introduction to VPN Tunnels

VPN data is transmitted over tunnels, including LSP tunnels, GRE tunnels, and Traffic Engineering (TE) tunnels. TE tunnels are constraint-based routed label switched path (CR-LSP) tunnels.
  • GRE tunnel

    If PE devices support MPLS functions but P devices on the backbone network provide only IP functions, LSPs cannot serve as tunnels. In this situation, GRE tunnels can be used as the tunnels of the VPN backbone network.

    For details about GRE, see GRE Configuration in the Huawei AR Series Access Routers Configuration Guide - VPN.

  • LSP

    An LSP forwards packets through label switching and is often used in BGP/MPLS IP VPN. If LSPs are used as public network tunnels, only PE devices need to analyze IP packet headers; the other devices that VPN packets pass through do not. This reduces VPN packet processing time and packet transmission delay. In addition, MPLS labels are supported by all link layers. An LSP is similar to an ATM virtual circuit (VC) or FR VC in functions and security. If all the devices on the backbone network support MPLS, it is recommended that LSP tunnels or MPLS TE tunnels be used as public network tunnels.

    For details about LSPs, see MPLS LDP Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.

  • MPLS TE tunnel

    As a combination of MPLS and TE technologies, MPLS TE can balance network traffic by setting up LSPs along specified nodes and steering traffic away from congested nodes. LSPs in MPLS TE are called MPLS TE tunnels, which are also widely used in BGP/MPLS IP VPN.

    Besides the advantages of LSPs, MPLS TE tunnels are capable of handling network congestion. Using MPLS TE tunnels, SPs can fully utilize existing network resources to provide diversified services. MPLS TE tunnels also allow SPs to optimize and manage network resources.

    Usually, carriers are required to provide VPN users with end-to-end QoS for various services, such as voice, video, key-data services, and Internet access. MPLS TE tunnels can offer users QoS guarantees.

    Using MPLS TE tunnels, carriers can also provide required QoS guaranteed services for different VPN users based on policies.

    For details about MPLS TE, see MPLS TE Configuration in the Huawei AR Series Access Routers Configuration Guide - MPLS.

Tunnel Policy

VPN services are transmitted over tunnels. By default, LSPs are preferred in VPN service transmission, and only one LSP serves one VPN service.

When VPN services need to be transmitted over a specified TE tunnel or when load balancing needs to be performed among multiple tunnels to fully use network resources, tunnel policies need to be applied to VPNs. Tunnel policies are classified into two types, which cannot be configured simultaneously:

  • Tunnel type prioritization policy: specifies the sequence in which each type of tunnel is selected and the number of tunnels participating in load balancing. Tunnels defined in a tunnel type prioritization policy are selected in sequence: The tunnels of the type specified first are selected as long as the tunnels are in Up state, regardless of whether they are in use. The tunnels of the type specified later are not selected unless load balancing is required or the tunnels of the type specified first are all Down.
    For example, a tunnel policy defines the following rules: Both CR-LSPs and LSPs can be used, CR-LSPs take priority over LSPs, and the number of tunnels participating in load balancing is 3. Tunnels are selected as follows:
    • CR-LSPs in Up state are preferred. If three or more CR-LSPs are in Up state, the first three CR-LSPs listed are selected.
    • If there are fewer than three CR-LSPs in Up state, LSPs are selected. For example, if only one CR-LSP is in Up state, two LSP tunnels can be selected. If only one LSP or none is in Up state, the existing tunnels in Up state are used. If more than two LSPs are in Up state, only the first two LSPs are selected.

    If a TE tunnel is reserved for tunnel binding, the TE tunnel cannot be selected.

    The tunnel type prioritization policy cannot specify the desired tunnels to use when multiple tunnels of the same type are available.

  • Tunnel binding policy: specifies TE tunnels for carrying services of a VPN. You can specify multiple TE tunnels to the same destination for load balancing. You can also determine whether to use other tunnels to prevent traffic interruption when the specified tunnels are all unavailable. The rules for tunnel selection are as follows:
    • Specified TE tunnels in Up state are selected to perform load balancing.
    • If all the specified TE tunnels are unavailable, no other tunnel is selected by default. If you enable a PE device to select other tunnels in this situation, the PE device selects an available tunnel in the order of LSP and CR-LSP.

    A tunnel binding policy can specify exactly which TE tunnels carry VPN services. TE tunnels have high reliability and guaranteed bandwidth, so tunnel binding policies can be used for VPN services requiring QoS guarantee. As shown in Figure 7-28, two MPLS TE tunnels, Tunnel1 and Tunnel2, are set up between PE1 and PE3.

    Figure 7-28  Networking diagram of VPN tunnel binding

    If you bind VPN A to Tunnel1 and VPN B to Tunnel2, VPN A and VPN B use different TE tunnels. Tunnel1 serves only VPN A, and Tunnel2 serves only VPN B. In this manner, services of VPN A and VPN B are isolated from each other and also from other services. The bandwidth for VPN A and VPN B is ensured. This facilitates subsequent QoS deployment.
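The two selection rule sets above, modelled as an added example (not Huawei code or device output) so that the effect of each policy on VPN isolation can be checked against a given tunnel state. The `Tunnel` class, function names and the `LSP1`..`LSP3` and `Tunnel3` entries are hypothetical; the fallback picking a single tunnel and skipping reserved TE tunnels is an assumption of the model.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str               # "cr-lsp" (TE tunnel) or "lsp"
    up: bool
    reserved: bool = False  # TE tunnel reserved for tunnel binding

def select_by_priority(tunnels, type_order, load_balance_number):
    """Tunnel type prioritization: take Up tunnels type by type, in listed
    order, until load_balance_number tunnels are chosen."""
    chosen = []
    for kind in type_order:
        for t in tunnels:
            if len(chosen) == load_balance_number:
                return chosen
            # Reserved TE tunnels are never picked by this policy.
            if t.kind == kind and t.up and not t.reserved:
                chosen.append(t.name)
    return chosen

def select_by_binding(tunnels, bound, allow_fallback=False):
    """Tunnel binding: load-balance over the bound TE tunnels that are Up."""
    bound_up = [t.name for t in tunnels if t.name in bound and t.up]
    if bound_up or not allow_fallback:
        return bound_up
    # Fallback order LSP then CR-LSP is from the page; choosing a single
    # tunnel and skipping reserved ones are assumptions of this model.
    return select_by_priority(tunnels, ("lsp", "cr-lsp"), 1)

def with_down(tunnels, names):
    """Copy of the tunnel list with the named tunnels set to Down."""
    return [replace(t, up=False) if t.name in names else t for t in tunnels]

# Constructed sample state on PE1 (Tunnel1/Tunnel2 as in Figure 7-28).
SAMPLE = [
    Tunnel("Tunnel1", "cr-lsp", True, reserved=True),   # bound to VPN A
    Tunnel("Tunnel2", "cr-lsp", True, reserved=True),   # bound to VPN B
    Tunnel("Tunnel3", "cr-lsp", True),
    Tunnel("LSP1", "lsp", True),
    Tunnel("LSP2", "lsp", True),
    Tunnel("LSP3", "lsp", True),
]

if __name__ == "__main__":
    print(select_by_priority(SAMPLE, ("cr-lsp", "lsp"), 3))
    print(select_by_binding(with_down(SAMPLE, {"Tunnel1"}), {"Tunnel1"}, True))
```

With fallback enabled and Tunnel1 down, VPN A traffic moves to a shared LSP, so the isolation and bandwidth guarantee described for the binding policy no longer hold for that VPN until the TE tunnel recovers.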

Tunnel Selector

In HoVPN or inter-AS VPN Option B, SPE devices or ASBRs accept VPNv4 routes from all the UPE or PE devices. Currently, PE devices iterate LSP tunnels for VPNv4 routes. Sometimes, TE tunnels need to be iterated for VPNv4 routes to provide guaranteed bandwidth; the PE devices cannot provide this function by default.

In inter-AS VPN Option C, PE devices select LSP tunnels for BGP-IPv4 labeled routes. To provide guaranteed bandwidth, TE tunnels need to be iterated for VPNv4 routes, which cannot be implemented on the PE devices by default.

The tunnel selector addresses this issue.

The tunnel selector can filter VPNv4 routes or BGP-IPv4 labeled routes and apply a tunnel policy to the routes that pass the filtering criteria. In this way, expected tunnels can be selected based on the tunnel policy.

Updated: 2019-08-07

Document ID: EDOC1100033725
