No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Summary of BGP/MPLS IP VPN Configuration Tasks

Summary of BGP/MPLS IP VPN Configuration Tasks

After basic BGP/MPLS IP VPN configurations are complete, a simple VPN network can be established using MPLS technology. To deploy special BGP/MPLS IP VPN networking, perform other configuration tasks according to the reference sections provided in the following table.

Table 7-2 lists the BGP/MPLS IP VPN configuration tasks.

Table 7-2  BGP/MPLS IP VPN configuration tasks




Configure basic BGP/MPLS IP VPN functions

This configuration establishes a simple BGP/MPLS IP L3VPN network with basic functions.

Configuring Basic BGP/MPLS IP VPN Functions

Configure BGP/MPLS IP VPN in various networking modes

You adjust the basic BGP/MPLS IP L3VPN configurations in different networking mode to implement flexible communication and isolation between VPNs:
  • Intranet VPN and extranet VPN networking: The configurations are same as the configurations in basic BGP/MPLS IP VPN networking except for the VPN target setting.
  • Hub and Spoke networking: configure the Hub and Spoke.

Configuring Basic BGP/MPLS IP VPN Functions

Configuring Hub and Spoke

Configure inter-AS VPN

Configure inter-AS VPN if the backbone network spans multiple ASs. Three inter-AS VPN solutions are available, applicable to different scenarios:
  • Inter-AS VPN Option A: Use this solution when only a few VPNs are configured on the PE devices. The ASBRs must support VPN instances.
  • Inter-AS VPN Option B: Use this solution when many VPNs are configured on the PE devices, and the ASBRs do not have enough interfaces to reserve an interface for each inter-AS VPN. The ASBRs must be able to maintain and advertise VPN-IPv4 routes.
  • Inter-AS VPN Option C: Use this solution when a large number of VPN routes need to be exchanged between ASs. This solution mitigates the loads on ASBRs so that they will not become the bottleneck on the network.

Configuring Inter-AS VPN Option A

Configuring Inter-AS VPN Option B

Configuring Inter-AS VPN Option C (Solution 1)

Configuring Inter-AS VPN Option C (Solution 2)

Configure an MCE device

An MCE device can connect to multiple VPNs. The MCE solution isolates services of different VPNs while reducing cost of CE devices.

Configuring an MCE Device

Configure HoVPN

HoVPN can reduce loads on PE devices. In an HoVPN networking, aggregation and access devices function as user-end provider edge (UPE) devices and work with the superstratum provider edge (SPE) devices on the backbone to provide PE functions.

Configuring HoVPN

Configure OSPF sham links

To ensure that VPN traffic is forwarded over the backbone network but not through backdoor routes, configure OSPF sham links between PE devices. Then routes on the MPLS VPN backbone network change into intra-area OSPF routes and can be preferred in VPN traffic forwarding.

Configuring an OSPF Sham Link

Configure BGP/MPLS IP VPN reliability

To improve VPN network reliability, you can deploy a VPN networking with full-mesh connections on the backbone network, nested PE devices on the MPLS network, and CE dual-homing (or multi-homing) on the access layer. In this networking, a BGP route reflector (RR) can be configured to reduce the number of MP-IBGP connections. This configuration mitigates loads on the network devices and facilitates device maintenance and management.

The following technologies can also be used to improve VPN network reliability:

  • IP fast reroute (IP FRR) for VPN routes: enables traffic to be quickly switched to another PE-CE link between when the primary route is unreachable. This technology reduces the IP service interruption time.
  • VPN fast reroute (VPN FRR): enables traffic to be quickly switched to another PE-PE link the primary link between them fails. This technology implements end-to-end fast convergence of VPN services.
  • VPN graceful restart (VPN GR): ensures uninterrupted VPN traffic forwarding during an active/standby switchover on a PE, P, or CE device. This technology minimizes the impact of PE or CE failures on VPN services. The AR3260 can function as both the GR restarter and GR helper, and other devices can only function as the GR helper.

Configuring Route Reflection to Optimize the VPN Backbone Layer

Configuring IP FRR for VPN Routes

Configuring VPN FRR

Configuring VPN GR

Configure VPN tunnel policies

When VPN services need to be transmitted over a specified traffic engineering (TE) tunnel or when load balancing needs to be performed among multiple tunnels to fully use network resources, configure VPN tunnel policies.

Configuring Tunnel Policies

Connect VPNs to the Internet

If users in a VPN need to connect to the Internet, configure interconnection between the VPN and the Internet.

Connecting a VPN to the Internet

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 153256

Downloads: 369

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next