Sunday , March 25 2018
Home / VPN


basic QinQ configuration on Huawei switches

In traditional 802.1Q protocol, service provider should assign different VLAN IDs to users of different VLANs. The numer of VLANs is limited to 4094 IDs. In addition, different users cannot use the same VLAN ID.

A simple method to solve this is to implement QinQ. The QinQ technology improves the utilization of VLANs by adding another 802.1Q tag to a packet with an 802.1Q tag. In this manner, services from the private VLAN can be transparently transmitted through the public network. The ISP network only provides one VLAN ID for different VLANs from the same user network. This saves VLAN IDs of an ISP. Meanwhile, the QinQ provides a simple Layer 2 VPN solution to a small MAN or a local area networks.

QinQ tunneling on Huawei switches

Let’s assume that we have two enteprise networks. Each enterprise has two branch offices, located in different cities. As an ISP, we cannot force these enterprises to use different VLAN planning. In our case, both use VLAN 10 and our task is to transparently transmitt traffic, through ISP network, between remote offices.

What we want to achieve is to ensure communication between remote offices of each enterprise and to block communication between Enterprise_1 and Enterprise_2. We can use basic QinQ tunneling in this case. It adds the same outer VLAN tag to all the frames entering a Layer 2 port.

Read More »

VPN FRR on Huawei routers

Last time IP FRR on Huawei routers was introduced. Let’s go on with VPN FRR today.

VPN FRR topology

  1. Configure IP addresses based on the topology (omitted)
  2. Configure ISIS on PE1, PE2 and PE3.
  3. Configure MPLS function on all PE routers and enable MPLS LDP to set up an LSP.
  4. Configure VPN instance on all PE devices.
  5. Configure MP-IBGP between PE routers.
  6. Configure EBGP between CE and PE2/PE3 routers.
  7. Configure VPN FRR policy on PE1.
  8. Configure BFD session between PE1 and PE2.

Read More »

L2TP LAC-auto-initiated tunnel mode

 Layer 2 tunneling protocol (L2TP) connection can be established in the following tree modes:

  • NAS-initializated
  • Client-initializated
  • LAC-auto-initializated.

This is not my job to tell you about the theory. You can find plenty of information about L2TP on the internet. Let’s focus today on the third mode.

In most cases, an L2TP user directly dials up to a LAC, and only connection is established between the user and LAC. Unlike NAS and Client-initializated modes, in LAC-auto-initializated mode users can connect to the LAC by sending IP packets. At the same time LAC needs to have a PPP user created and a tunnel with the LNS established. The two ends of an L2TP tunnel reside on LAC and LNS respectively. As you can see from the topology below, in LAC-auto-initiated mode, LAN can be directly connected to LAC.

L2TP topology

Let’s look how to configure L2TP on Huawei routers.

Read More »

hub&spoke in BGP/MPLS VPN

Some time ago we talked about a basic configuration of BGP/MPLS VPNs. Let’s go on with hub&spoke networking today. Such solution can be adopted to control the mutual access of users, when an access control device is set. In this case no direct route exists between spoke sites. A spoke site advertises routes to a hub site and then the hub site advertises the routes to other spoke sites. Thus, communication between spoke sites is controlled by hub site.

Let’s look at our topology:

MPLS L3VPN hub and spoke topology

Read More »

MPLS L3VPN on Huawei routers

  1. CE1 and CE5 are in VPN labnario_1
  2. CE2 and CE8 are in VPN labnario_2
  3. ISIS level -2 as IGP
  4. Connections CE1—PE3 and CE5—PE4 – static routes
  5. Connection CE2—PE3 – OSPF
  6. Connection CE8—PE4 – EBGP
  7. Users in different VPNs cannot access each other.

A BGP/MPLS IP VPN uses the Border Gateway Protocol (BGP) to advertise VPN routes and the Multiprotocol Label Switching (MPLS) to forward VPN packets on backbone networks.

Read More »