VPN access applies to large enterprises that have multiple branches. As shown in Figure 1, an enterprise has two branches, located in Shenzhen and Beijing. Each branch has two VPNs: the green area and the yellow area. Users in the green area can access the network from both fixed and mobile terminals, while users in the yellow area can access the network only from fixed terminals. The aggregation switches (usually PE devices on the MPLS VPN network) function as the authentication control points.
In a VPN access scenario, plan security groups in a unified manner and configure different policies for different VPNs. The same user may have different network access rights after moving from one VPN to another. In addition to unified policies for the entire network, you can configure policies separately on a specific device.
The controller uses global policies to deploy universal policies on all devices network-wide, and local policies to deploy special policies on specific devices.
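The following model of per-VPN policy lookup with a device-specific override is an added example, not the controller's own code or configuration syntax. The group, VPN and device names are hypothetical, and two behaviours are assumptions: a local rule takes precedence over the global rule, and unmatched traffic is denied.

```python
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    vpn: str        # VPN the user is currently attached to
    src_group: str  # security group of the user
    dst_group: str  # security group of the resource
    action: str     # "permit" or "deny"

# Constructed sample data: all names below are hypothetical.
GLOBAL_POLICY = [
    Rule("green", "employee", "mail_server", "permit"),
    Rule("green", "employee", "finance_db", "permit"),
    Rule("yellow", "employee", "mail_server", "permit"),
    Rule("yellow", "employee", "finance_db", "deny"),
]
LOCAL_POLICY = {  # special rules for one authentication control point
    "beijing-pe": [Rule("green", "employee", "finance_db", "deny")],
}

def _match(rules, vpn, src, dst) -> Optional[str]:
    for r in rules:
        if (r.vpn, r.src_group, r.dst_group) == (vpn, src, dst):
            return r.action
    return None

def decide(device, vpn, src, dst):
    """Return (action, origin) for one flow at one control point."""
    # Assumption: a local rule on the device wins over the global rule.
    action = _match(LOCAL_POLICY.get(device, []), vpn, src, dst)
    if action is not None:
        return action, "local"
    action = _match(GLOBAL_POLICY, vpn, src, dst)
    if action is not None:
        return action, "global"
    return "deny", "default"  # Assumption: fail closed when nothing matches.

def audit_overrides():
    """List local rules whose outcome differs from the network-wide one."""
    findings = []
    for device, rules in sorted(LOCAL_POLICY.items()):
        for r in rules:
            base = _match(GLOBAL_POLICY, r.vpn, r.src_group, r.dst_group) or "deny"
            if base != r.action:
                findings.append((device, r.vpn, r.src_group, r.dst_group, base, r.action))
    return findings
```

`decide` shows the same security group receiving different rights per VPN and per device, and `audit_overrides` gives a reviewer the list of places where a device departs from the unified policy.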