No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


CLI-based Configuration Guide - VPN

AR100, AR120, AR150, AR160, AR200, AR1200, AR2200, AR3200, and AR3600 V200R010

This document describes VPN features on the device and provides configuration procedures and configuration examples.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



The site is frequently mentioned in VPN technology. The following describes a site from different aspects:

  • A site is a group of IP systems with IP connectivity, which can be achieved independent of SP networks.

    Figure 7-2 shows an example of sites. On the networks on the left side in Figure 7-2, the headquarters of company X in city A is a site, and the branch of company X in city B is another site. IP devices can communicate within each site without using the carrier network.

    Figure 7-2  Sites

  • Sites are configured based on topologies between devices but not their geographic locations, although devices in a site are geographically adjacent to each other in most cases. Two geographically separated IP systems can also compose a site if they are connected through leased lines and can communicate without the use of the carrier network.

    On the right of Figure 7-2, the branch network in city B connects to the headquarters network in city A through leased lines but not a carrier network. The branch network and the headquarters network compose a site.

  • The devices in a site may belong to multiple VPNs. That is, a site may belong to more than multiple VPNs.

    As shown in Figure 7-3, the decision-making department of company X in city A (Site A) is allowed to communicate with the R&D department in city B (Site B) and the financial department in city C (Site C). Site B and Site C are not allowed to communicate with each other. In this case, two VPNs, VPN1 and VPN2, can be established. Site A and Site B belong to VPN1; Site A and Site C belong to VPN2. Site A belongs to two VPNs.

    Figure 7-3  One site belonging to multiple VPNs

  • A site connects to a carrier network through CE devices. A site may have more than one CE device, but a CE device belongs to only one site.

    CE devices are selected according to sites:

    If a site is a host, the host is the CE device of the site.

    If a site is a subnet, switches are used as CE devices.

    If a site has multiple subnets, routers are used as CE devices.

    Sites connected to the same carrier network can be grouped into different sets using policies. Only sites that belong to the same set can communicate with each other through the carrier network. Such a set is a VPN.

Address Space Overlapping

As a private network, each VPN manages an address space. Address spaces of different VPNs may overlap. For example, if both VPN1 and VPN2 use addresses on the network segment, their address spaces overlap.

VPNs can use overlapping address spaces in the following situations:

  • Two VPNs do not cover the same site.

  • Two VPNs cover the same site, but devices in the site do not need to communicate with devices using overlapping address spaces in the VPNs.

VPN Instance

In BGP/MPLS IP VPN implementation, routes of different VPNs are isolated by VPN instances.

A PE device establishes and maintains a VPN instance for each directly connected site. A VPN instance contains VPN member interfaces and routes of the corresponding site. Specifically, information in a VPN instance includes the IP routing table, label forwarding table, interface bound to the VPN instance, and VPN instance management information. VPN instance management information includes the route distinguisher (RD), route filtering policy, and member interface list of the VPN instance.

The relationships between VPNs, sites, and VPN instances are as follows:
  • A VPN consists of multiple sites. A site may belong to multiple VPNs.
  • A site is associated with a VPN instance on a PE device. A VPN instance integrates VPN members and routing policies of associated sites. Multiple sites compose a VPN based on rules of the VPN instance.
  • VPN instances are not mapped to VPNs on a one-to-one basis, whereas VPN instances are mapped to sites on a one-to-one basis.

A VPN instance is also called a VPN routing and forwarding table (VRF). A PE device has multiple routing and forwarding tables, including a public routing and forwarding table and one or more VRFs. Figure 7-4 shows VPN instances.

Figure 7-4  VPN instances

A public routing and forwarding table and a VRF differ in the following aspects:

  • A public routing table contains IPv4 routes of all the PE and P devices. The routes are static routes or dynamic routes generated by routing protocols on the backbone network.

  • A VPN routing table contains routes of all sites that belong to a VPN instance. The routes are obtained through the exchange of VPN routing information between PE devices or between CE and PE devices.

  • Information in a public forwarding table is extracted from the public routing table according to route management policies, whereas information in a VPN forwarding table is extracted from the corresponding VPN routing table.

    VPN instances on a PE device are independent of each other and maintain a VRF independent of the public routing and forwarding table.

    Each VPN instance can be considered as a virtual device, which maintains an independent address space and connects to VPNs through interfaces.

RD and VPN-IPv4 Address

Traditional BGP cannot process VPN routes with overlapping address spaces. For example, VPN1 and VPN2 use addresses on the network segment, and they each advertise a route to this network segment. The local PE device can identify routes based on VPN instances. However, when the routes are advertised to the remote PE device, BGP selects only one of the two routes because load balancing is not performed between routes of different VPNs. The other route is lost.

To address the preceding problem, PE devices use Multiprotocol Extensions for BGP-4 (MP-BGP) to advertise VPN routes and use the VPN-IPv4 address.

A VPN-IPv4 address has 12 bytes. The first eight bytes represent the RD, and the last four bytes represent the IPv4 address prefix, as shown in Figure 7-5.

Figure 7-5  VPN-IPv4 address

RDs distinguish IPv4 prefixes with the same address space. IPv4 addresses with RDs are VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a CE device, a PE device converts the routes into globally unique VPN-IPv4 routes and advertises the routes on the public network.

SPs can allocate RDs independently because of the RD format. When CE devices are dual-homed to PE devices, the RD must be globally unique to ensure correct routing. As shown in Figure 7-6, a CE device is dual-homed to PE1 and PE2. PE1 also functions as a route reflector (RR).

Figure 7-6  Networking diagram of CE dual-homing

PE1 is an edge device of the backbone network and advertises a VPN-IPv4 route with the IPv4 prefix to PE3. PE1 also functions as an RR and reflects a VPN-IPv4 route with the IPv4 prefix from PE2 to PE3.
  • If the VPN has the same RD on PE1 and PE2, the two VPN-IPv4 routes to have the same destination address. Therefore, PE3 receives only one VPN-IPv4 route (CE -> PE1 -> PE3) to from PE1. When the direct link between PE1 and CE becomes faulty, PE3 deletes the VPN-IPv4 route to As a result, VPN data destined for cannot be forwarded to the destination. Actually, PE3 has another route to, PE3 -> PE1 -> PE2 -> CE.
  • If the VPN has the same RD on PE1 and PE2, the two VPN-IPv4 routes to have different destination addresses. Therefore, PE3 receives two VPN-IPv4 route to from PE1. When any link between PE1 and CE becomes faulty, PE3 deletes the corresponding route and reserves the other one. Data destined for can still be correctly forwarded.

VPN Target

A VPN target, also called the route target (RT), is a BGP extension community attribute. BGP/MPLS IP VPN uses VPN targets to control VPN routes advertisement.

A VPN instance is associated with one or more VPN target attributes. VPN target attributes are classified into the following types:

  • Export target: After a PE device learns IPv4 routes from directly connected sites, it converts the routes to VPN-IPv4 routes and sets the export target attribute for those routes. The export target attribute is advertised with the routes as a BGP extended community attribute.

  • Import target: After a PE device receives VPN-IPv4 routes from other PE devices, it checks the export target attribute of the routes. If the export target is the same as the import target of a VPN instance on the local PE device, the local PE device adds the route to the VPN routing table.

BGP/MPLS IP VPN uses VPN targets to control advertisement and receiving of VPN routes between sites. VPN export targets are independent of import targets. An export target and an import target can be configured with multiple values to implement flexible VPN access control and VPN networking.

For example, if the import target of a VPN instance contains 100:1, 200:1, and 300:1, any route with the export target of 100:1, 200:1, or 300:1 is added to the routing table of the VPN instance.

Updated: 2019-08-07

Document ID: EDOC1100033725

Views: 151846

Downloads: 367

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next