Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.
VPN Tunnel Policy

Overview of VPN Tunnels

VPN data is transmitted over tunnels, including LSP tunnels and Traffic Engineering (TE) tunnels. TE tunnels are constraint-based routed label switched path (CR-LSP) tunnels.
  • LSP tunnel

    An LSP forwards packets through label switching and is often used in BGP/MPLS IP VPN. If LSPs are used as public network tunnels, only PE devices need to analyze IP packet headers. Other devices through which VPN packets pass do not need to analyze IP packet headers. This reduces the processing time and packet transmission delay of VPN packets. In addition, MPLS labels are supported by all link layers. An LSP is similar to an ATM virtual circuit (VC) or FR VC in functionality and security. If all the devices on the backbone network support MPLS, it is recommended that LSP tunnels or MPLS TE tunnels be used as public network tunnels.

    For details about LSPs, see MPLS LDP Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - MPLS.

  • MPLS TE tunnel

    As a combination of MPLS and TE technologies, MPLS TE can balance network traffic by setting up LSPs along specified nodes and steering traffic away from congested nodes. LSPs in MPLS TE are called MPLS TE tunnels, which are also widely used in BGP/MPLS IP VPN.

    In addition to the advantages of LSP, MPLS TE tunnels can handle network congestion. Using MPLS TE tunnels, SPs can fully utilize existing network resources to provide diversified services. MPLS TE tunnels also allow SPs to optimize and manage network resources.

    Usually, carriers are required to provide VPN users with end-to-end QoS for various services, such as voice, video, data, and Internet access. Carriers can use MPLS TE tunnels to provide their users with QoS guarantees.

    Using MPLS TE tunnels, carriers can also provide QoS-guaranteed services for different VPN users based on policies.

    For details about MPLS TE, see MPLS TE Configuration in the CloudEngine 12800 and 12800E Series Switches Configuration Guide - MPLS.

Tunnel Policy

VPN services are transmitted over tunnels. By default, LSPs are preferred in VPN service transmission, and only one LSP can be selected for VPN services.

When VPN services need to be transmitted over a specified TE tunnel or when load balancing needs to be performed among multiple tunnels, tunnel policies need to be applied to VPNs. There are two types of tunnel policies: tunnel type prioritization policy and tunnel binding policy. The two types of policies cannot be configured simultaneously.

  • Tunnel type prioritization policy: specifies the sequence in which tunnel types are selected and the number of tunnels participating in load balancing. Tunnel types defined in this type of policy are tried in sequence: tunnels of the type specified first are selected as long as they are in Up state, regardless of whether they are in use. Tunnels of a type specified later are selected only if load balancing is required or all tunnels of the type specified first are Down.
    For example, a tunnel policy defines the following rules: Both CR-LSPs and LSPs can be used, CR-LSPs are specified prior to LSPs, and the number of tunnels participating in load balancing is 3. Tunnels are selected as follows:
    • CR-LSPs in Up state are preferred. If three or more CR-LSPs are in Up state, the three CR-LSPs specified first are selected.
    • If there are fewer than three CR-LSPs in Up state, LSPs are selected. For example, if only one CR-LSP is in Up state, two LSP tunnels can be selected. If only one LSP or no LSP is in Up state, the existing tunnels in Up state are used. If more than two LSPs are in Up state, only the first two LSPs are selected.

    If a TE tunnel is reserved for tunnel binding, the TE tunnel cannot be selected.

    The tunnel type prioritization policy does not support specifying the desired tunnels to use when multiple tunnels of the same type are available.

  • Tunnel binding policy: specifies TE tunnels for carrying services of a VPN. You can specify multiple TE tunnels to the same destination for load balancing. You can also determine whether to use other tunnels to prevent traffic interruption when the specified tunnels are all unavailable. The rules for tunnel selection are as follows:
    • Specified TE tunnels in Up state are selected to perform load balancing.
    • If all the specified TE tunnels are unavailable, no other tunnel is selected by default. If you enable a PE device to select other tunnels in this situation, the PE device selects an available tunnel, preferring LSPs and then CR-LSPs.

    A tunnel binding policy specifies the exact TE tunnels over which VPN services are transmitted. Because TE tunnels have high reliability and guaranteed bandwidth, tunnel binding policies can be used for VPN services that require a QoS guarantee. As shown in Figure 2-25, two MPLS TE tunnels, Tunnel1 and Tunnel2, are set up between PE1 and PE3.

    Figure 2-25 VPN tunnel binding

    If you bind VPN A to Tunnel1, and bind VPN B to Tunnel2, VPN A and VPN B use different TE tunnels. Tunnel1 serves only VPN A, and Tunnel2 serves only VPN B. In this manner, services of VPN A and VPN B are isolated from each other. These services are also isolated from other services. This ensures the desired bandwidth for VPN A and VPN B, and facilitates subsequent QoS deployment.
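
The selection rules of both policy types above, modelled as an added Python example (not Huawei's code or device CLI). The `Tunnel` class, the function names and the sample tunnels are constructed for illustration, and excluding reserved TE tunnels from the binding fallback is an assumption; `shared_tunnels` shows that two VPNs whose bound tunnels are all Down land on the same LSP once fallback is enabled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str               # "cr-lsp" (TE tunnel) or "lsp"
    up: bool = True
    reserved: bool = False  # TE tunnel reserved for tunnel binding

def select_by_priority(tunnels, type_order, load_balance):
    """Tunnel type prioritization: walk the types in configured order and take
    Up tunnels, in listed order, until load_balance tunnels are chosen."""
    chosen = []
    for kind in type_order:
        for t in tunnels:
            if len(chosen) == load_balance:
                return chosen
            # A TE tunnel reserved for binding cannot be selected here.
            if t.kind == kind and t.up and not t.reserved:
                chosen.append(t)
    return chosen

def select_by_binding(tunnels, bound_names, fallback=False):
    """Tunnel binding: load-balance over the bound TE tunnels that are Up.
    If none is Up, select nothing unless fallback is enabled; the fallback
    picks one available tunnel, preferring LSPs and then CR-LSPs."""
    bound = [t for t in tunnels if t.name in bound_names and t.up]
    if bound or not fallback:
        return bound
    for kind in ("lsp", "cr-lsp"):
        for t in tunnels:
            # Assumption: TE tunnels reserved for binding stay excluded.
            if t.kind == kind and t.up and not t.reserved:
                return [t]
    return []

def shared_tunnels(selection_a, selection_b):
    """Names of tunnels carrying both VPNs (empty list = isolated)."""
    return sorted({t.name for t in selection_a} & {t.name for t in selection_b})

# Constructed sample: both bound TE tunnels of Figure 2-25 are Down.
TUNNELS = [
    Tunnel("Tunnel1", "cr-lsp", up=False, reserved=True),
    Tunnel("Tunnel2", "cr-lsp", up=False, reserved=True),
    Tunnel("Tunnel3", "cr-lsp"),
    Tunnel("lsp1", "lsp"), Tunnel("lsp2", "lsp"), Tunnel("lsp3", "lsp"),
]
```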

Updated: 2019-04-03

Document ID: EDOC1100075353
