Configuration Guide - VPN

CloudEngine 12800 and 12800E V200R005C10

This document describes the configurations of VPN, including GRE, BGP/MPLS IP VPN, BGP/MPLS IPv6 VPN, VLL, PWE3, and VPLS.
Interconnection Between VPNs and the Internet

Generally, users within a VPN can communicate only with other users in the same VPN. They cannot communicate with users on the Internet or connect to the Internet. However, VPN sites may need to access the Internet. To implement interconnection between a VPN and the Internet, the following conditions must be met:

  • The devices in the VPN that need to access the Internet must have reachable routes to the Internet.

  • Routes must be available from the Internet to the devices in the VPN.

  • Similar to interconnection between non-VPN users and the Internet, security mechanisms such as firewalls must be used.

Interconnection between a VPN and the Internet can be implemented in the following ways:

  • Interconnection implemented on a PE device: PE devices of the backbone network identify data streams destined for the VPN and those destined for the Internet, and then forward the data to the Internet and the VPN respectively. PE devices provide the firewall function between the VPN and the Internet.

  • Interconnection implemented on an Internet gateway: Internet gateways are carrier devices connected to the Internet. They must support VPN route management. For example, a PE device that has no VPN user attached can function as an Internet gateway.

  • Interconnection implemented on a CE device: CE devices of the private network identify data streams destined for the VPN and those destined for the Internet, and then direct the data to two areas. One area connects to the VPN through a PE device, and the other area connects to the Internet through an ISP router that does not belong to the VPN. The CE devices provide the firewall function.

Interconnection Implemented on a PE Device

Generally, default static routes are used.

  • The PE device sends a default route destined for the Internet to the CE device.

  • The PE device adds a default route destined for the Internet gateway to the VPN routing table.

  • To ensure that a route is available from the Internet to the VPN, the PE device must have a static route to the CE device in the public routing table and advertise this route to the Internet. The static route is added manually to the public routing table of the PE device: its destination address is the address range of the VPN users, and its outbound interface is the PE interface that connects to the CE device. The PE device uses an IGP to advertise the route to the Internet.

Figure 2-32 Interconnection implemented on a PE device
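To make the PE-based design concrete, here is an added Python model (not Huawei's code or configuration) of the two routing tables a PE holds in this design and the forwarding decision it makes in each direction; the interface names, addresses and the firewall policy are assumed for illustration. It shows that the public static route to the CE prefix makes the VPN reachable from any Internet source, which is why the PE must also apply the firewall function.

```python
import ipaddress

# Constructed model (added example, not Huawei's code or configuration): a PE
# with one VPN-instance table and the public table, populated the way the
# PE-based interconnection design describes. Names/addresses are invented.
CE_IF = "GE1/0/1"          # PE-CE interface, bound to VPN instance "vpn1"
INET_IF = "GE1/0/2"        # PE interface towards the Internet gateway
INET_GW = "203.0.113.1"    # Internet gateway address (documentation range)
net = ipaddress.ip_network
VPN_PREFIX = net("10.1.0.0/16")   # addresses of the VPN users behind the CE
# Entry: (prefix, out interface, next hop, table resolving the next hop or None)
TABLES = {
    # VPN table: the CE prefix plus the default route towards the Internet gateway.
    "vpn1": [(VPN_PREFIX, CE_IF, None, None),
             (net("0.0.0.0/0"), None, INET_GW, "public")],
    # Public table: the link to the gateway plus the manually added static route
    # to the CE prefix, which the PE advertises to the Internet through an IGP.
    "public": [(net("203.0.113.0/30"), INET_IF, None, None),
               (VPN_PREFIX, CE_IF, None, None)],
}
TABLE_OF_INTERFACE = {CE_IF: "vpn1", INET_IF: "public"}

def lookup(table, dst):
    """Longest-prefix match in one table; returns the entry or None."""
    dst = ipaddress.ip_address(dst)
    hits = [e for e in TABLES[table] if dst in e[0]]
    return max(hits, key=lambda e: e[0].prefixlen) if hits else None

def forward(in_if, dst):
    """Return (out_if, crosses_boundary) for a packet to dst arriving on in_if."""
    entry = lookup(TABLE_OF_INTERFACE[in_if], dst)
    if entry is None:
        return None, False
    _, out_if, next_hop, via = entry
    if via is not None:                        # resolve the next hop recursively
        resolved = lookup(via, next_hop)
        out_if = resolved[1] if resolved else None
    return out_if, {in_if, out_if} == {CE_IF, INET_IF}

# Constructed stateless policy standing in for the firewall function the PE
# must provide: Internet-sourced traffic may reach only one published VPN host.
PUBLISHED = net("10.1.2.10/32")

def pe_decision(in_if, dst):
    out_if, crosses = forward(in_if, dst)
    if out_if is None:
        return "drop: no route"
    if crosses and in_if == INET_IF and ipaddress.ip_address(dst) not in PUBLISHED:
        return "drop: firewall"
    return "forward " + out_if
```

Without the policy, `forward("GE1/0/2", "10.1.2.3")` already yields the CE-facing interface, which is the exposure the comparison section warns about.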

Interconnection Implemented on an Internet Gateway

An instance is configured for each VPN on the Internet gateway. Each VPN uses a separate interface to access the Internet, and the interface is bound to the VPN instance.

Figure 2-33 Interconnection implemented on an Internet gateway

Interconnection Implemented on a CE Device

Interconnection between a VPN and the Internet can be implemented on a CE device in the following ways:

  • The CE device directly connects to the Internet, as shown in Figure 2-34.

    A direct connection with the Internet can be achieved in the following modes:

    • One of the sites (for example, a central site) connects to the Internet. The CE device in the central site has a default route to the Internet, and this route is advertised to the other sites through the backbone network. The firewall is deployed only in the central site. In this mode, all traffic destined for the Internet (except the traffic of the central site itself) passes through the VPN backbone network. This mode is typically used for connections between the Internet and hub sites in hub-and-spoke networking.

    • Each site connects to the Internet. Each CE device has a default route to the Internet and is configured with the firewall function. No traffic destined for the Internet passes through the VPN backbone network.

    Figure 2-34 Directly connecting a CE device to the Internet

  • A separate CE interface or Layer 3 sub-interface connects to a PE device. The PE device injects the routes of the CE device into the public routing table and advertises them to the Internet. The PE device then advertises the default route or the Internet routes to the CE device. The interface that connects to the PE device does not belong to any VPN and is not bound to any VPN instance. That is, the CE device connects to the PE device both as a VPN user (through the VPN-bound interface) and as a non-VPN user (through this separate interface), as shown in Figure 2-35.

    It is recommended that a tunnel be set up between the VPN backbone device connected to the Internet and the PE device connected to the CE device. Internet routes are transmitted through the tunnel, and P devices do not accept the Internet routes.

    Figure 2-35 Connecting to the Internet through a PE device using a separate interface

Comparison Between the Three Solutions

Interconnection implemented on a PE device conserves interface resources and allows different VPNs to share one public IP address. However, the configuration on the PE device is complex, and security cannot be guaranteed: the PE device is exposed to Denial of Service (DoS) attacks from the Internet. If such an attack occurs, the attack traffic consumes bandwidth on the link between the PE and CE devices and prevents the link from carrying legitimate VPN packets.

Interconnection implemented on an Internet gateway provides higher security than that on a PE device. An Internet gateway, however, must be configured with multiple VPN instances, which may overburden the gateway. In addition, an Internet gateway has multiple interfaces connected to the Internet, and each interface has a public network IP address. Each VPN uses an interface on the gateway and one public network IP address.

Interconnection implemented on a CE device is simple to deploy. This solution has high security and reliability because public routes are separated from VPN routes. However, this solution consumes interface resources and each VPN needs a public network address.

Table 2-1 Comparison between three solutions

  • Interconnection implemented on a PE device
    Security: Low
    Used interface and public IP address: The PE device reserves only one interface for both VPN access and Internet access, which conserves interface resources. Multiple VPNs on the PE device share a public IP address.
    Ease of deployment: Difficult

  • Interconnection implemented on an Internet gateway
    Security: High
    Used interface and public IP address: The Internet gateway must reserve an interface for each VPN to access the Internet, which consumes interface resources of the gateway. Each VPN uses a public IP address.
    Ease of deployment: Difficult

  • Interconnection implemented on a CE device
    Security: High
    Used interface and public IP address: The CE device must reserve an interface for each VPN to access the Internet, which consumes interface resources of the CE. Each VPN uses a public IP address.
    Ease of deployment: Easy

Updated: 2019-04-03

Document ID: EDOC1100075353