No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).



A multi-VPN-instance CE (MCE) device can function as a CE device for multiple VPN instances in BGP/MPLS IP VPN networking. The MCE function reduces investment on network devices.


BGP/MPLS IP VPN uses tunnels to transmit data of private networks on a public network. In the traditional BGP/MPLS IP VPN architecture, each VPN instance must use a CE device to connect to a PE device, as shown in Figure 2-22.
Figure 2-22 Networking without an MCE device

In many cases, a private network must be divided into multiple VPNs to implement fine-grained service management and enhance security. Services of users in different VPNs must be completely isolated. Deploying a CE device for each VPN increases the costs of device procurement and maintenance. If multiple VPNs share one CE device, data security cannot be ensured because all the VPNs use the same routing and forwarding table.

The MCE function ensures data security between different VPNs while reducing network construction and maintenance costs. Figure 2-23 shows MCE networking.

Figure 2-23 Networking with an MCE device

An MCE device provides certain PE functions. By attaching each VPN instance to a separate interface, an MCE device creates and maintains an independent VRF for each VPN. This scenario is called multi-VRF application. The MCE device isolates forwarding paths of different VPNs on a private network and advertises routes of each VPN to the opposing PE device, ensuring that VPN packets are correctly transmitted on the public network.


An MCE device maintains a VRF for each VPN and binds each VPN instance to an interface. Upon receiving a route, the MCE device checks the receiving interface to determine the origin of the route. The device then adds the route to the VRF of the VPN instance bound to the interface.

The PE interfaces connected to the MCE device must also be bound to the VPN instances. The bindings between interfaces and VPN instances on the PE device must be the same as those on the MCE device. Upon receiving a packet, the PE device checks the receiving interface to determine to which VPN the packet belongs. The device then transmits the packet through the corresponding tunnel.

In Figure 2-23:
  • The MCE device saves routes learned from VPN1 in VRF1.
  • The PE device saves routes of VPN1 learned from the MCE device in VRF1.
  • Routes of VPN2 and VPN3 are isolated from routes of VPN1, and are not saved in VRF1.
The MCE device exchanges routes with VPN sites and PE device in the following ways:
  • Route exchange with VPN sites

    Route Exchange Method


    Static routes

    Static routes are bound to VPN instances on the MCE device. Static routes of different VPNs are isolated even if VPNs use overlapping address spaces.

    Routing Information Protocol (RIP)

    Each VPN instance is bound to a RIP process on the MCE device so that routes of different VPNs are exchanged between the MCE device and VPN sites using different RIP processes. This isolates routes of different VPNs and ensures security of VPN routes.

    Open Shortest Path First (OSPF)

    Each VPN instance is bound to an OSPF process on the MCE device to isolate routes of different VPNs.

    Intermediate System to Intermediate System (IS-IS)

    Each VPN instance is bound to an IS-IS process on the MCE device to isolate routes of different VPNs.

    Border Gateway Protocol (BGP)

    Each VPN instance is configured with a BGP peer on the MCE device. The MCE imports IGP routes of each VPN to the BGP routing table of the VPN.

  • Route exchange with the PE device

    Routes of different VPN instances are isolated on the MCE device. The MCE and PE devices identify packets of different VPN instances according to bindings between interfaces and VPN instances. An administrator only needs to perform basic routing configurations on the MCE and PE devices, and to import the VPN routes of the MCE device to the routing protocol running between the MCE and PE devices.

    The MCE and PE devices can use static routes, RIP, OSPF, IS-IS, or BGP to exchange routes.

Updated: 2019-04-03

Document ID: EDOC1100075353

Views: 16474

Downloads: 26

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next