
Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.
Basic Networking


Intranet VPN

In an intranet VPN, all the users in the VPN can transmit packets to each other. However, the users cannot communicate with users outside the VPN. The sites within an intranet VPN usually belong to the same organization.

In intranet VPN networking, each VPN is allocated a VPN target as the export target and import target. The VPN target of a VPN cannot be used by other VPNs.

Figure 2-9 Intranet VPN networking

As shown in Figure 2-9, PE devices allocate the VPN target 100:1 to VPN1 and the VPN target 200:1 to VPN2. The two sites in the same VPN can communicate with each other, whereas sites in different VPNs cannot communicate.

Extranet VPN

If users in a VPN need to access sites of another VPN, extranet VPN can be used.

In extranet networking, if a VPN needs to access a shared site, its export target must be included in the import target of the VPN instance covering the shared site, and its import target must be included in the export target of the VPN instance covering the shared site.

Figure 2-10 Extranet VPN networking

As shown in Figure 2-10, VPN1 and VPN2 can access Site3 of VPN1.

  • PE3 can receive VPN-IPv4 routes advertised by PE1 and PE2.

  • PE1 and PE2 can receive VPN-IPv4 routes advertised by PE3.

Site1 and Site3 of VPN1 can communicate with each other. Site2 of VPN2 and Site3 of VPN1 can communicate with each other.

PE3 does not advertise the VPN-IPv4 routes learned from PE1 to PE2 and does not advertise the VPN-IPv4 routes learned from PE2 to PE1. Therefore, Site1 of VPN1 and Site2 of VPN2 cannot communicate with each other.

Hub and Spoke

Hub and Spoke networking can be used to control communication between VPN users through a central access control device. The site where the access control device is deployed is the Hub site, and the other sites are Spoke sites. The following devices are used in Hub and Spoke networking:
  • Hub-CE: deployed at the Hub site and connected to the VPN backbone network.
  • Spoke-CE: deployed at a Spoke site and connected to the VPN backbone network.
  • Hub-PE: deployed on the VPN backbone network and connected to the Hub site.
  • Spoke-PE: deployed on the VPN backbone network and connected to a Spoke site.

A Spoke site advertises routes to the Hub site, and the Hub site then advertises the routes to other Spoke sites. Spoke sites do not advertise routes to each other. The Hub site controls communication between all Spoke sites.

In Hub and Spoke networking, two VPN targets are configured: one to represent the Hub and one to represent the Spoke. Figure 2-11 shows the Hub and Spoke networking.

Figure 2-11 Hub and Spoke networking

The VPN targets of a PE device must comply with the following rules:

  • The export target and import target of a Spoke-PE device are Spoke and Hub respectively. The import target of any Spoke-PE device must be different from the export target of any other Spoke-PE device.

  • A Hub-PE device requires two interfaces or layer 3 sub-interfaces.

    • One interface or layer 3 sub-interface receives routes from Spoke-PE devices. The import target of the VPN instance attached to the interface or layer 3 sub-interface is Spoke.

    • The other interface or layer 3 sub-interface advertises routes to Spoke-PE devices. The export target of the VPN instance attached to the interface or layer 3 sub-interface is Hub.

As shown in Figure 2-11, the Hub site controls communication between Spoke sites. The arrows show the process of advertising a route from Site2 to Site1:

  • The Hub-PE device can receive VPN-IPv4 routes advertised by all the Spoke-PE devices.

  • All the Spoke-PE devices can receive VPN-IPv4 routes advertised by the Hub-PE.

  • The Hub-PE device advertises the routes learned from Spoke-PE devices to the Hub-CE device, and advertises the routes learned from the Hub-CE device to all the Spoke-PE devices. By advertising these routes, the Hub-PE enables the Spoke sites to access each other through the Hub site.

  • The import target of any Spoke-PE device is different from the export targets of the other Spoke-PE devices. Therefore, no two Spoke-PE devices directly advertise VPN-IPv4 routes to each other, and the Spoke sites cannot communicate with each other directly.
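The VPN target rules for the intranet, extranet, and Hub and Spoke networking described above can be checked with a small model. This is an added example, not part of the Huawei documentation: the instance names, the targets on the shared-site instance, and the values 1:1 (Spoke) and 2:2 (Hub) are constructed for illustration. It models only import/export target matching between VPN instances, not the re-advertisement through the Hub-CE.

```python
# Added example: route exchange between VPN instances decided by VPN targets.
# Instance names are hypothetical; targets other than 100:1 / 200:1 are constructed.
from itertools import permutations

def imports_from(instances):
    """Return {(receiver, sender)}: receiver accepts sender's VPN-IPv4 routes because
    at least one of sender's export targets is among receiver's import targets."""
    return {(r, s) for r, s in permutations(instances, 2)
            if instances[s]["export"] & instances[r]["import"]}

def two_way(instances):
    """Instance pairs that hold each other's routes and can communicate directly."""
    got = imports_from(instances)
    return {frozenset(p) for p in got if p[::-1] in got}

def unexpected(instances, allowed):
    """Import relationships the design does not list: candidate route leaks."""
    return imports_from(instances) - set(allowed)

def vrf(imp, exp):
    return {"import": set(imp), "export": set(exp)}

# Intranet (Figure 2-9): one VPN target per VPN, used as both import and export.
INTRANET = {
    "vpn1-a": vrf(["100:1"], ["100:1"]), "vpn1-b": vrf(["100:1"], ["100:1"]),
    "vpn2-a": vrf(["200:1"], ["200:1"]), "vpn2-b": vrf(["200:1"], ["200:1"]),
}

# Extranet (Figure 2-10): the shared-site instance on PE3 carries both VPNs' targets.
EXTRANET = {
    "pe1-vpn1": vrf(["100:1"], ["100:1"]),
    "pe2-vpn2": vrf(["200:1"], ["200:1"]),
    "pe3-shared": vrf(["100:1", "200:1"], ["100:1", "200:1"]),
}

# Hub and Spoke (Figure 2-11): constructed values 1:1 = Spoke, 2:2 = Hub.
SPOKE, HUB = "1:1", "2:2"
HUB_SPOKE = {
    "spoke1": vrf([HUB], [SPOKE]), "spoke2": vrf([HUB], [SPOKE]),
    "hub-in": vrf([SPOKE], []), "hub-out": vrf([], [HUB]),
}
HUB_SPOKE_ALLOWED = {("hub-in", "spoke1"), ("hub-in", "spoke2"),
                     ("spoke1", "hub-out"), ("spoke2", "hub-out")}

if __name__ == "__main__":
    for name, plan in [("intranet", INTRANET), ("extranet", EXTRANET)]:
        print(name, sorted(sorted(p) for p in two_way(plan)))
    print("hub-spoke leaks:", unexpected(HUB_SPOKE, HUB_SPOKE_ALLOWED))
    bad = dict(HUB_SPOKE, spoke2=vrf([HUB, SPOKE], [SPOKE]))  # spoke2 wrongly imports Spoke
    print("misconfigured:", unexpected(bad, HUB_SPOKE_ALLOWED))
```

Running `unexpected` against the intended import list before a change is deployed flags any target that would let a Spoke learn routes without passing through the Hub.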

Updated: 2019-04-03

Document ID: EDOC1100075353
