No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
Binding a VPN Instance to an Interface

Binding a VPN Instance to an Interface


The configuration on the Hub-PE involves two interfaces or layer 3 sub-interfaces. One interface is bound to the VPN-in and receives the routes advertised by the Spoke-PE. The other interface is bound with the VPN-out and advertises the routes of the Hub and all the Spokes.

  • After configuring a VPN instance on a PE, bind the interface that belongs to the VPN to the VPN instance. If the interface belonging to the VPN is not bound to the VPN instance, the interface functions as a public network interface and cannot forward VPN data.
  • An interface becomes a private network interface after being bound to a VPN instance. You must configure an IP address for the interface so that the PE can exchange routing information with its connected CE.
  • After an interface is bound to a VPN instance, configuration of Layer 3 features (IPv4 and IPv6 features) including IP addresses and routing protocols is deleted from the interface.
  • When you disable an address family (IPv4 or IPv6 address family) in a VPN instance, the address family is deleted from the interface. If no address family is configured on the interface, the interface is unbound from the VPN instance.
  • A VPN instance is usually bound to a loopback interface to test whether two private networks can communicate. Before binding a VPN instance to a loopback interface, bind the instance to a VLANIF interface, a physical interface or a tunnel interface.
  • In actual service applications, a VPN instance must be bound to a VLANIF interface, a physical interface, or a tunnel interface.

Perform the following steps on the Hub-PE and all the Spoke-PEs.


  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The view of the interface to be bound to a VPN instance is displayed.

  3. On an Ethernet interface, run undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    The mode switching function takes effect when the interface only has attribute configurations (for example, shutdown and description configurations). Alternatively, if configuration information supported by both Layer 2 and Layer 3 interfaces exists (for example, mode lacp and lacp system-id configurations), no configuration that is not supported after the working mode of the interface is switched can exist. If unsupported configurations exist on the interface, delete the configurations first and then run the undo portswitch command.


    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run ip binding vpn-instance vpn-instance-name

    The interface is bound to the VPN instance.

  5. Run ipv6 enable

    IPv6 is enabled on the interface.

  6. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }

    An IPv6 address is configured for the interface.

    Some Layer 3 features such as route exchange between the PE and CE can be configured only after an IPv6 address is configured for the private network interface on the PE.

  7. Run commit

    The configuration is committed.

Updated: 2019-04-03

Document ID: EDOC1100075353

Views: 14426

Downloads: 25

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next