
Basic Networking

Intranet VPN

In an intranet VPN, all users in the VPN transmit packets to each other, but cannot communicate with users outside the VPN. Sites within an intranet VPN usually belong to the same organization.

In intranet VPN networking, each VPN is allocated a VPN target as the export target and import target. The VPN target of a VPN cannot be used by other VPNs.

Figure 1 shows an example of Intranet VPN networking.

Figure 1 Intranet VPN networking

In Figure 1, PE devices allocate the VPN target 100:1 to VPN1 and the VPN target 200:1 to VPN2. Two sites in the same VPN communicate with each other, but sites in different VPNs do not.

Extranet VPN

Extranet networking can be used if users in a VPN need to access sites of another VPN.

In extranet networking, for a VPN to access a shared site, the export target of that VPN must be included in the import targets of the VPN instance covering the shared site, and the import target of that VPN must be included in the export targets of the VPN instance covering the shared site.

Figure 2 shows an example of extranet VPN networking.

Figure 2 Extranet VPN networking

In Figure 2, VPN1 and VPN2 can access Site3 of VPN1.

  • PE3 receives VPN-IPv4 routes advertised by PE1 and PE2.

  • PE1 and PE2 receive VPN-IPv4 routes advertised by PE3.

Site1 and Site3 of VPN1 communicate with each other, and so do Site2 of VPN2 and Site3 of VPN1.

PE3 does not advertise the VPN-IPv4 routes learned from PE1 to PE2 and does not advertise VPN-IPv4 routes learned from PE2 to PE1. Therefore, Site1 of VPN1 and Site2 of VPN2 cannot communicate with each other.

Hub and Spoke

If a central access control device needs to be deployed to control communication between VPN users, Hub and Spoke networking can be used. The site where the access control device is deployed is the Hub site, and all other sites are Spoke sites. The following devices are used in Hub and Spoke networking:
  • Hub-CE: deployed in the Hub site and connected to the VPN backbone network.
  • Spoke-CE: deployed in a Spoke site and connected to the VPN backbone network.
  • Hub-PE: deployed on the VPN backbone network and connected to the Hub site.
  • Spoke-PE: deployed on the VPN backbone network and connected to a Spoke site.

A Spoke site advertises routes to the Hub site, and then the Hub site advertises the routes to other Spoke sites. Spoke sites do not advertise routes to each other. The Hub site controls communication between all Spoke sites.

Figure 3 shows an example of Hub and Spoke networking.

Figure 3 Hub and Spoke networking

In Figure 3, two VPN targets are configured to represent Hub and Spoke networking. The Hub site controls communication between Spoke sites. Arrows show the advertising process of a route from Site2 to Site1:

  • The Hub-PE device receives VPN-IPv4 routes advertised by all the Spoke-PE devices.

  • All the Spoke-PE devices can receive VPN-IPv4 routes advertised by the Hub-PE.

  • The Hub-PE device advertises the routes learned from Spoke-PE devices to the Hub-CE device, and advertises the routes learned from the Hub-CE device to all the Spoke-PE devices. By doing this, the Spoke sites access each other through the Hub site.

  • The import target of any Spoke-PE device differs from the export targets of all other Spoke-PE devices, so no two Spoke-PE devices advertise VPN-IPv4 routes directly to each other. Spoke sites therefore cannot communicate with each other directly; their traffic goes through the Hub site.

The VPN targets of a PE device must comply with the following rules:

  • The export target and import target of a Spoke-PE device are Spoke and Hub respectively. The import target of any Spoke-PE device must be different from the export target of any other Spoke-PE device.

  • A Hub-PE device requires two interfaces or sub-interfaces.

    • One interface or sub-interface receives routes from Spoke-PE devices. The import target of the VPN instance on the interface is Spoke.

    • The other interface or sub-interface advertises routes to Spoke-PE devices. The export target of the VPN instance on the interface is Hub.

Mutual Access Between Local VPNs

Mutual access between local VPNs can be used to implement data communication between different VPN sites connected to the same PE device.

This service requirement is implemented by using VPN targets to control the advertisement of VPN routing information between sites. Each VPN has its own VPN target. On the network shown in Figure 4, the import and export targets of VPNA are 100:1, while the import and export targets of VPNB are 200:1. To enable mutual access between users in VPNA and VPNB, mutual access between local VPNs can be configured by adding the import target 200:1 to VPNA and the import target 100:1 to VPNB.

If a server function (for example, an FTP or DHCP server) is deployed on the PE device to provide services for VPNA users, the PE device can also provide those services for the users of other VPNs configured for mutual access.

Figure 4 Mutual access between local VPNs
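The four networking types above (Intranet VPN, Extranet VPN, Hub and Spoke, and mutual access between local VPNs) all rest on one rule: a VPN instance advertises its CE's routes as VPN-IPv4 routes tagged with its export targets, and another VPN instance installs such a route only if one of its import targets matches one of the route's targets. The following Python model is an added example, not Huawei's code; it implements that matching rule, builds each of the four topologies from the figures, and shows which prefixes each VPN instance ends up with. PE and site names, prefixes, and the RT values used for the targets named Spoke and Hub are constructed for the example.

```python
"""Route-target (RT) based route distribution in MPLS L3VPN, modelled in Python.

Added example, not Huawei's code. Every VPN instance on a PE advertises the
prefixes received from its CE as VPN-IPv4 routes carrying the instance's
export targets; another instance installs such a route when at least one of
its import targets equals one of the route's export targets. Routes learned
from other PEs are not re-advertised to PEs, so reachability is one hop
unless a CE (the Hub-CE) relays routes between two instances.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class VpnInstance:
    name: str                        # "<PE>:<instance>", e.g. "PE1:VPN1"
    export_targets: FrozenSet[str]
    import_targets: FrozenSet[str]
    local_prefixes: FrozenSet[str]   # routes received from the attached CE


def vi(name: str, export: Iterable[str], imp: Iterable[str], local: Iterable[str]) -> VpnInstance:
    return VpnInstance(name, frozenset(export), frozenset(imp), frozenset(local))


def imports_from(dst: VpnInstance, src: VpnInstance) -> bool:
    """RT matching rule: dst installs src's routes if any target matches."""
    return dst is not src and bool(dst.import_targets & src.export_targets)


def distribute(instances: List[VpnInstance],
               ce_relays: Iterable[Tuple[str, str]] = ()) -> Dict[str, FrozenSet[str]]:
    """Return {instance name: prefixes installed} once advertisement settles.

    ce_relays lists (a, b) pairs: a CE attached to both instances a and b
    re-advertises everything a installs into b, which then originates those
    prefixes with its own export targets (this is what the Hub-CE does).
    """
    originated = {i.name: set(i.local_prefixes) for i in instances}
    while True:
        installed = {i.name: set(originated[i.name]) for i in instances}
        for src in instances:
            for dst in instances:
                if imports_from(dst, src):
                    installed[dst.name] |= originated[src.name]
        relayed = {n: set(p) for n, p in originated.items()}
        for a, b in ce_relays:
            relayed[b] |= installed[a]
        if relayed == originated:               # fixed point reached
            return {n: frozenset(p) for n, p in installed.items()}
        originated = relayed


def intranet() -> Dict[str, FrozenSet[str]]:
    """Figure 1: VPN1 uses target 100:1 and VPN2 uses 200:1 on PE1 and PE2."""
    return distribute([
        vi("PE1:VPN1", ["100:1"], ["100:1"], ["10.1.1.0/24"]),
        vi("PE2:VPN1", ["100:1"], ["100:1"], ["10.1.2.0/24"]),
        vi("PE1:VPN2", ["200:1"], ["200:1"], ["10.2.1.0/24"]),
        vi("PE2:VPN2", ["200:1"], ["200:1"], ["10.2.2.0/24"]),
    ])


def extranet() -> Dict[str, FrozenSet[str]]:
    """Figure 2: Site3 of VPN1 (on PE3) is shared with VPN2 (Site2 on PE2)."""
    return distribute([
        vi("PE1:VPN1", ["100:1"], ["100:1"], ["site1"]),
        vi("PE2:VPN2", ["200:1"], ["200:1"], ["site2"]),
        # The shared site's instance imports and exports both VPNs' targets.
        vi("PE3:VPN1", ["100:1", "200:1"], ["100:1", "200:1"], ["site3"]),
    ])


SPOKE_RT, HUB_RT = "300:1", "300:2"   # constructed values for the targets "Spoke" and "Hub"

HUB_SPOKE_INSTANCES = [
    vi("SpokePE1:VPN", [SPOKE_RT], [HUB_RT], ["site1"]),   # export Spoke, import Hub
    vi("SpokePE2:VPN", [SPOKE_RT], [HUB_RT], ["site2"]),
    vi("HubPE:in", [], [SPOKE_RT], []),                    # interface receiving Spoke routes
    vi("HubPE:out", [HUB_RT], [], ["hub_site"]),           # interface advertising to Spokes
]


def hub_and_spoke() -> Dict[str, FrozenSet[str]]:
    """Figure 3: the Hub-CE is attached to both Hub-PE instances and relays routes."""
    return distribute(HUB_SPOKE_INSTANCES, ce_relays=[("HubPE:in", "HubPE:out")])


def local_mutual_access(enabled: bool) -> Dict[str, FrozenSet[str]]:
    """Figure 4: VPNA (100:1) and VPNB (200:1) on one PE; enabling mutual
    access adds the other VPN's target to each instance's import list."""
    a_imp = ["100:1", "200:1"] if enabled else ["100:1"]
    b_imp = ["200:1", "100:1"] if enabled else ["200:1"]
    return distribute([
        vi("PE1:VPNA", ["100:1"], a_imp, ["192.0.2.0/24"]),
        vi("PE1:VPNB", ["200:1"], b_imp, ["198.51.100.0/24"]),
    ])


if __name__ == "__main__":
    for title, table in [("Intranet", intranet()), ("Extranet", extranet()),
                         ("Hub and Spoke", hub_and_spoke()),
                         ("Local mutual access", local_mutual_access(True))]:
        print(title)
        for name, prefixes in sorted(table.items()):
            print(f"  {name:14} {sorted(prefixes)}")
```

Running the script prints each instance's table: in the Hub and Spoke case both Spoke-PE instances hold each other's prefixes, but only because `HubPE:out` re-originated them; `imports_from` between the two Spoke-PE instances is false, which is the property the VPN-target rules above guarantee. When checking a deployment, the same two questions apply to the configured targets: which instances import directly from which, and which routes reach an instance only through a relay.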

Copyright © Huawei Technologies Co., Ltd.