27. Security Basics: VPN Instance

Uploaded by Muhammad Tanveer
Course Objectives

After completing this course, you will be able to:

- Understand the basics of VPN instances.
- Understand the main application scenario for VPN instances.
- Perform basic configurations of VPN instances on Huawei switches.
Contents

VPN Instance Overview

Basic VPN Instance Configurations

Configuration Examples

FAQs
Enterprise Requirements

[Topology: a CoreSwitch with two downstream switches, SW1 (production network, VLAN10, PC) and SW2 (management network, VLAN200, NMS).]

- SW1 is a service switch and connects to service devices. SW2 is a network management switch and connects to management devices. The CoreSwitch is a core switch.
- The CoreSwitch is the gateway of the service and management networks.
- VLAN10 and VLAN200 implement IP interworking on the CoreSwitch. The service network and management network can exchange data through the CoreSwitch.
- For the sake of security, the service network should be isolated from the management network.
Solutions for network isolation

[Topology, left: one CoreSwitch with SW1 (VLAN10, PC) and SW2 (VLAN200, NMS). Right: CoreSwitch1 with SW1 (VLAN10, PCs) and CoreSwitch2 with SW2 (VLAN200, NMS).]

Solution 1: Deploy an ACL on the CoreSwitch. Problem: scalability.
Solution 2: Add a CoreSwitch to physically isolate each network. Problem: hardware costs.
Simple Application of VPN Instances

[Topology: CoreSwitch with SW1 (VLAN10, PC) and SW2 (VLAN200, NMS); upstream, VLAN11 faces the production network and VLAN201 faces the management network. VLAN10 and VLAN11 stay on the root device; VLAN200 and VLAN201 belong to the VPN instance.]

- A VPN instance dedicated to management traffic is created on the CoreSwitch. For the root device, the VPN instance is a virtual device.
- VLAN200 and VLAN201 are associated with the VPN instance.
- The VPN instance uses a routing table that is independent from the root device. The routing table of the VPN instance is completely isolated from that of the root device, without increasing the hardware cost.
VRF Overview

- Virtual Routing and Forwarding (VRF) is a key technology of the MPLS VPN architecture. It is similar to a virtual device.
- VRF logically divides a physical device, such as a router, switch, or firewall, into multiple virtual devices called VRF instances. Each virtual device works like an independent device, with its own routing table, route selection processes, and interfaces.
- VRF thoroughly isolates data or services. In MPLS VPN, VRF enables ISPs to provide VPN access services for multiple customers on the same Provider Edge (PE). The routes and data of the customers are completely isolated. Even though these customers use the same IP address space, no IP address conflict occurs.
- VRF can be used independently of MPLS VPN. The instance virtualization feature of VRF can be used for service or data isolation on network devices.
- On Huawei datacom devices, VRF is also called a VPN instance.
Application of VRF Instances

- By default, all interfaces of a network device, including the Layer 3 interfaces or sub-interfaces of routers and firewalls and the VLANIF interfaces of switches, belong to the same forwarding instance, namely, the root instance of the device.
- If you create a VPN instance on a network device, the network device has a virtual device. You can add a specific interface to the VPN instance, and this interface will be dedicated to the VPN instance.
- Each VPN instance has a data forwarding table independent of the root device. The VPN instances use different data forwarding planes. In this way, the traffic received by a specific VPN instance (interface) will not be sent to other VPN instances or to the root device.
- VPN instances can be deployed on switches, routers, and firewalls as long as these devices support the related features.
- VPN instances are crucial to MPLS VPN. On an enterprise network, VPN instances can work independently of MPLS VPN. They are widely used to implement data or service isolation and to solve the issue of overlapping IP address space.
Example: Before Deployment of the VPN Instances

[Topology: the CoreSwitch reaches 1.1.1.0/24 through Vlanif11 (192.168.100.1, peer GE0/0/0 192.168.100.2) and 2.2.2.0/24 through Vlanif201 (172.16.100.1, peer GE0/0/0 172.16.100.2). PC1 192.168.1.1 (gateway 192.168.1.254, Vlanif10) and PC2 172.16.1.1 (gateway 172.16.1.254, Vlanif200) hang off the CoreSwitch.]

Routing table of the CoreSwitch

Destination/Mask    Protocol   Outbound Interface   Next-hop Address
192.168.1.0/24      Direct     Vlanif10             192.168.1.254
172.16.1.0/24       Direct     Vlanif200            172.16.1.254
192.168.100.0/24    Direct     Vlanif11             192.168.100.1
172.16.100.0/24     Direct     Vlanif201            172.16.100.1
1.1.1.0/24          Static     Vlanif11             192.168.100.2
2.2.2.0/24          Static     Vlanif201            172.16.100.2

All routes to directly connected interfaces and all routes discovered by the device and destined to the remote networks are stored in the routing table of the device, called the global routing table. The service and management networks are interconnected through the CoreSwitch, which is a security risk.
Example: Deployment of the VPN Instance

[Topology as on the previous slide; Vlanif200 and Vlanif201 are now bound to the VPN instance, while Vlanif10 and Vlanif11 remain on the root device.]

Global routing table of the CoreSwitch (routing table of the root device)

Destination/Mask    Protocol   Outbound Interface   Next-hop Address
192.168.1.0/24      Direct     Vlanif10             192.168.1.254
192.168.100.0/24    Direct     Vlanif11             192.168.100.1
1.1.1.0/24          Static     Vlanif11             192.168.100.2

VPN instance-specific routing table of the CoreSwitch

Destination/Mask    Protocol   Outbound Interface   Next-hop Address
172.16.1.0/24       Direct     Vlanif200            172.16.1.254
172.16.100.0/24     Direct     Vlanif201            172.16.100.1
2.2.2.0/24          Static     Vlanif201            172.16.100.2
Example: Deployment of the VPN Instance

[Topology as above, with OSPF process 1 running on Vlanif11 (root device) and OSPF process 2 running on Vlanif201 (VPN instance).]

Global routing table of the CoreSwitch (routing table of the root device)

Destination/Mask    Protocol   Outbound Interface   Next-hop Address
192.168.1.0/24      Direct     Vlanif10             192.168.1.254
192.168.100.0/24    Direct     Vlanif11             192.168.100.1
1.1.1.0/24          OSPF       Vlanif11             192.168.100.2

VPN instance-specific routing table of the CoreSwitch

Destination/Mask    Protocol   Outbound Interface   Next-hop Address
172.16.1.0/24       Direct     Vlanif200            172.16.1.254
172.16.100.0/24     Direct     Vlanif201            172.16.100.1
2.2.2.0/24          OSPF       Vlanif201            172.16.100.2

Multiple routing protocols, or multiple processes of the same dynamic routing protocol, can run on the device. A dynamic routing protocol process associated with a VPN instance is dedicated to that VPN instance, and the routes it learns are imported into the routing table of the VPN instance.
Basic VPN Instance Configurations

[Huawei] ip vpn-instance vpnname
[Huawei-vpn-instance-vpnname]

Create a VPN instance named vpnname on the device and enter the VPN instance view.

[Huawei-vpn-instance-vpnname] route-distinguisher 100:1

In the VPN instance view, set an RD. RDs play a critical role in MPLS VPN and must be planned properly. If MPLS VPN is not involved in the actual scenario and only VPN instances are used for service isolation, user-defined RDs can be used.

This command can be used to create a VPN instance on firewalls, routers, and switches. The created VPN instance is not bound to any interface by default. Therefore, you need to bind interfaces to the VPN instance.
Binding an Interface to a VPN Instance

[Huawei] interface Vlanif 10
[Huawei-Vlanif10] ip binding vpn-instance vpnname

Bind a VLANIF interface to a VPN instance.

[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] ip binding vpn-instance vpnname

Bind physical interface GE 0/0/1 to a VPN instance.

[Huawei] interface GigabitEthernet 0/0/2.10
[Huawei-GigabitEthernet0/0/2.10] ip binding vpn-instance vpnname

Bind Ethernet sub-interface GE 0/0/2.10 to a VPN instance.


Maintaining the Routing Table of a VPN Instance

[Huawei] ip route-static vpn-instance vpnname 2.2.2.0 24 172.16.100.2

Add a static route to the routing table of a VPN instance.

[Huawei] display ip routing-table vpn-instance vpnname

Check the routing table of a VPN instance. If the command does not have the vpn-instance keyword, the global routing table of the root device is displayed.

<Huawei> ping -vpn-instance vpnname 2.2.2.2

Perform the ping operation in the VPN instance. If the command does not have the vpn-instance keyword, the ping operation is performed on the root device by default, and ICMP packets are forwarded based on the global routing table.

<Huawei> tracert -vpn-instance vpnname 2.2.2.2

Perform the tracert operation in the VPN instance.


Creating an OSPF Process in a VPN Instance

[Huawei] ospf 2 vpn-instance vpnname


[Huawei-ospf-2]

Create OSPF process 2 and bind it to a specific VPN instance. The routes learned by the device from the OSPF process
are imported to the routing table of the VPN instance.

A device can have multiple OSPF processes that are distinguished by their IDs. If you do not set vpn-instance or
related parameters when creating an OSPF process, the OSPF process exists on the root device. The routes learned
from the process are imported to the global routing table of the root device.
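As an added example (not taken from the slides), the following CoreSwitch configuration combines the commands above to produce the two routing tables shown in "Example: Deployment of the VPN Instance", with one OSPF process per instance. The VPN instance name mgmt, RD 100:1, the router IDs and area 0 are assumptions; lines starting with # are annotations, not commands.

```text
sysname CoreSwitch
vlan batch 10 11 200 201
ip vpn-instance mgmt
 route-distinguisher 100:1
# Service side stays in the root instance (global routing table)
interface Vlanif10
 ip address 192.168.1.254 24
interface Vlanif11
 ip address 192.168.100.1 24
# Management side: bind before assigning the address, because binding an
# interface to a VPN instance clears any IP address configured on it
interface Vlanif200
 ip binding vpn-instance mgmt
 ip address 172.16.1.254 24
interface Vlanif201
 ip binding vpn-instance mgmt
 ip address 172.16.100.1 24
# OSPF process 1 runs on the root device; it learns 1.1.1.0/24 through Vlanif11
# and that route lands in the global routing table
ospf 1 router-id 192.168.100.1
 area 0.0.0.0
  network 192.168.1.0 0.0.0.255
  network 192.168.100.0 0.0.0.255
# OSPF process 2 is dedicated to VPN instance mgmt; it learns 2.2.2.0/24 through
# Vlanif201 and that route lands only in the VPN instance routing table
ospf 2 router-id 172.16.100.1 vpn-instance mgmt
 area 0.0.0.0
  network 172.16.1.0 0.0.0.255
  network 172.16.100.0 0.0.0.255
# Verification from user view; each table shows only its own prefixes:
#   display ip routing-table                    (192.168.1.0/24, 192.168.100.0/24, 1.1.1.0/24)
#   display ip routing-table vpn-instance mgmt  (172.16.1.0/24, 172.16.100.0/24, 2.2.2.0/24)
#   ping 172.16.1.1                             (fails: no route in the global table)
#   ping -vpn-instance mgmt 172.16.1.1          (succeeds)
```

The failed plain ping is the isolation check worth keeping in a change record: it proves the root device has no path into the management network even though both networks terminate on the same switch.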
Real-world Application of VPN Instances

[Topology: FW1 and FW2 (VRRP virtual IP 192.168.30.1) face the customer network and connect to CoreSW-Site1 over GE0/0/11 and GE0/0/12 (VLAN 30). CoreSW-Site1 connects to CoreSW-Site2 over GE0/0/15 on both sides (VLAN 1000). An E9000 server at site 1 attaches to CoreSW-Site1 through Eth-trunk1 (server ports X2/X3, VLAN 10) and Eth-trunk2 (server ports 1E/4E, VLAN 20). CoreSW-Site2 serves VLAN 21 at site 2.]

1. Site 1 has two VLANs: VLAN 10 and VLAN 20. The two VLANs share the same gateway, CoreSW-Site1.
2. For the sake of security, VLAN 10 needs to be completely isolated from VLAN 20.
3. Nodes in VLAN 10 need to access the customer network through the firewall. VLAN 20 is a backup plane. The nodes in VLAN 20 communicate with devices at site 2 through the switch.
4. The devices at site 2 are disabled from accessing nodes in VLAN 10.

VLAN    IP                  Gateway          Zone
10      192.168.10.0/24     192.168.10.1     Trust
20      192.168.20.0/24     192.168.20.1
30      192.168.30.0/24     192.168.30.1     Trust
21      192.168.21.0/24     192.168.21.1
1000    192.168.255.0/30    /                /
Logical Layer Perspective of the Implementation of VPN Instances on a Switch

CoreSW-Site1, root instance:
- Vlanif10, 192.168.10.1/24, carried over Eth-trunk1 (trunk, VLAN10) to the E9000 server ports 2X/3X.
- Vlanif30, 192.168.30.4/24, carried over GE0/0/11 and GE0/0/12 (trunk, VLAN30) to FW1 and FW2, whose VRRP virtual IP address is 192.168.30.1.

CoreSW-Site1, VPN instance xxx:
- Vlanif20, 192.168.20.1/24, carried over Eth-trunk2 (trunk, VLAN20) to the E9000 server ports 1E/4E.
- Vlanif1000, 192.168.255.1/30, carried over GE0/0/15 (trunk, VLAN1000) to CoreSW-Site2.

CoreSW-Site2:
- Vlanif1000, 192.168.255.2/30, on GE0/0/15 (trunk, VLAN1000) toward CoreSW-Site1.
- Vlanif21, 192.168.21.1/24.
Configuration Review

1. Create VLANs 10, 20, 30, and 1000 on CoreSW-Site1.
2. Configure a specific Layer 2 interface on CoreSW-Site1 and bind the interface to a VPN instance.
3. Create a VPN instance named test on CoreSW-Site1.
4. On CoreSW-Site1, bind VLANIF 20 and VLANIF 1000 to VPN instance test to thoroughly isolate the two interfaces from the root device.
5. Configure a static default route on the root device on CoreSW-Site1 and set the next-hop address of the route to VRRP virtual IP address 192.168.30.1.
6. Configure a static route to VLAN 21 for VPN instance test on CoreSW-Site1 and set the next-hop address of the route to CoreSW-Site2.
7. Note: The return route destined for 192.168.10.0/24 must be configured on FW1/FW2.
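The seven steps above written out as one CoreSW-Site1 configuration, added here as an example and not taken from the slides. It assumes RD 100:1, the interface numbers and addresses shown in the logical-layer diagram, and that the Eth-Trunk member ports are configured separately; lines starting with # are annotations, not commands.

```text
sysname CoreSW-Site1
vlan batch 10 20 30 1000
# Step 3: the VPN instance (RD is user-defined because no MPLS VPN is involved)
ip vpn-instance test
 route-distinguisher 100:1
# Root instance: VLAN 10 (service hosts) and VLAN 30 (uplink to FW1/FW2)
interface Vlanif10
 ip address 192.168.10.1 24
interface Vlanif30
 ip address 192.168.30.4 24
# Step 4: VLAN 20 (backup plane) and VLAN 1000 (link to site 2) go into VPN instance test.
# Bind first: binding an interface to a VPN instance clears its IP address.
interface Vlanif20
 ip binding vpn-instance test
 ip address 192.168.20.1 24
interface Vlanif1000
 ip binding vpn-instance test
 ip address 192.168.255.1 30
# Step 2: trunk ports, each allowing only the VLAN the diagram shows on it
interface Eth-Trunk1
 port link-type trunk
 port trunk allow-pass vlan 10
interface Eth-Trunk2
 port link-type trunk
 port trunk allow-pass vlan 20
interface GigabitEthernet0/0/11
 port link-type trunk
 port trunk allow-pass vlan 30
interface GigabitEthernet0/0/12
 port link-type trunk
 port trunk allow-pass vlan 30
interface GigabitEthernet0/0/15
 port link-type trunk
 port trunk allow-pass vlan 1000
# Step 5: default route of the root device via the firewalls' VRRP virtual IP
ip route-static 0.0.0.0 0.0.0.0 192.168.30.1
# Step 6: route to VLAN 21 inside VPN instance test via CoreSW-Site2's Vlanif1000
ip route-static vpn-instance test 192.168.21.0 24 192.168.255.2
# Step 7 belongs on FW1/FW2: a return route for 192.168.10.0/24 with next hop 192.168.30.4
# Check from user view: "display ip routing-table vpn-instance test" must list
# 192.168.20.0/24, 192.168.255.0/30 and 192.168.21.0/24, but neither 192.168.10.0/24 nor 0.0.0.0/0
```

Requirement 4 (site 2 must not reach VLAN 10) holds because VPN instance test has no route to 192.168.10.0/24 and no default route; if a later change adds one, the isolation is gone, so that table is the thing to re-check after every edit.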
