NE40E V800R010C10SPC500 Feature Description - Security 01

Enterprise Scenario

Site-to-Site VPN

In the enterprise scenario, IPsec is mainly used to build VPNs between enterprise sites or to let mobile office employees remotely access the enterprise network. The typical applications are the site-to-site VPN and GRE over IPsec. IPsec networking modes in the enterprise scenario vary widely.

The site-to-site VPN is mainly used to establish IPsec tunnels between the HQ network and branch networks, so that their local area networks (LANs) can interwork. Figure 13-6 shows the typical networking.
Figure 13-6 Networking of the site-to-site VPN

GRE over IPsec

GRE over IPsec is used to transmit broadcast and multicast service packets, for example, video conference traffic or dynamic routing protocol messages, between the HQ network and the branch networks, as shown in Figure 13-7. GRE carries the multicast and broadcast traffic that IPsec alone cannot, and IPsec protects the GRE tunnel.
Figure 13-7 GRE over IPsec networking

IPsec over L2TP

The IPsec over L2TP mechanism first encapsulates packets with IPsec and then with L2TP. In this way, L2TP provides user authentication and address allocation, and IPsec provides security for the packets carried in the L2TP tunnel.

As shown in Figure 13-8, Device A, serving as an access server, initiates a PPP session in PPP dial-up mode to trigger the establishment of an L2TP tunnel. After the L2TP tunnel is established, the LNS generates a route to Device A. Device A then obtains an IP address and initiates the creation of the IPsec tunnel.

Figure 13-8 Networking of IPsec over L2TP

Hub-Spoke VPN

In actual networking, the Hub-Spoke IPsec VPN is commonly used for the interworking between the HQ network and branch networks. Figure 13-9 shows the typical networking.
Figure 13-9 Hub-Spoke VPN networking

In this networking, you can configure either IPsec or GRE over IPsec, depending on actual requirements.

In this scenario, the network may have the following situations:
  • Branch networks do not communicate with each other.

    The IPsec VPN is deployed only between the HQ network and the branch networks. That is, service traffic is transmitted only between the HQ network and the branch networks, as shown in Figure 13-10.
    Figure 13-10 Hub-Spoke VPN networking (1)
  • Branch networks need to communicate with each other.

    Branch networks communicate with each other through the HQ network, as shown in Figure 13-11.
    Figure 13-11 Hub-Spoke VPN networking (2)

Internet Access Control for Branch Network Users

In the site-to-site or Hub-Spoke VPN networking, users of the branch networks can access the Internet in the following modes:

  • The users of the branch networks access the Internet through the HQ network.

    To facilitate unified management and monitoring, users of the branch networks are prohibited from accessing the Internet through their own gateways; instead, they reach the HQ network through the VPN and access the Internet from there. Generally, traffic from the branch networks to the Internet undergoes NAT on the HQ network before reaching the Internet, as shown in Figure 13-12.
    Figure 13-12 Users of the branch networks accessing the Internet through the HQ network
  • The users of the branch networks access the Internet through their own gateways.

    The Internet access traffic of the branch networks is not controlled by the HQ network, as shown in Figure 13-13.
    Figure 13-13 Users of the branch networks accessing the Internet through their own gateways
Updated: 2019-01-03

Document ID: EDOC1100055047
