
VPN Tunnel Policy

Introduction to VPN Tunnels

VPN data is transmitted over tunnels, including LSP tunnels and Traffic Engineering (TE) tunnels. TE tunnels are constraint-based routed label switched path (CR-LSP) tunnels. The following describes VPN tunnels:
  • LSP

    An LSP forwards packets through label switching and is often used in BGP/MPLS IP VPN. If LSPs are used as public network tunnels, only PE devices need to analyze IP packet headers. This reduces VPN packet processing time and packet transmission delay. MPLS labels are also supported by all link layers. An LSP is similar to an ATM virtual circuit (VC) or FR VC in terms of functions and security. If devices on the backbone network support MPLS, it is recommended that LSP tunnels or MPLS TE tunnels be used as public network tunnels.

    For details about LSPs, see MPLS LDP Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - MPLS.

  • MPLS TE tunnel

    MPLS TE tunnels combine MPLS and TE technologies. MPLS TE balances network traffic by establishing LSPs along specified nodes and steering traffic away from congested nodes. LSPs in MPLS TE are called MPLS TE tunnels, which are also widely used in BGP/MPLS IP VPN.

    MPLS TE tunnels are also capable of handling network congestion. MPLS TE tunnels allow SPs to fully utilize existing network resources to provide diversified services. MPLS TE tunnels also allow SPs to optimize and manage network resources.

    Carriers are usually required to provide VPN users with end-to-end QoS for various services, such as voice, video, key-data services, and Internet access. MPLS TE tunnels offer users QoS guarantees.

    MPLS TE tunnels allow carriers to also provide the required QoS service guarantees for different VPN users based on policies.

    For details about MPLS TE, see MPLS TE Configuration in the S2720, S5700, and S6700 V200R019C10 Configuration Guide - MPLS.

Tunnel Policy

VPN services are transmitted over tunnels. LSPs are preferred in VPN service transmission by default, and only one LSP serves one VPN service.

When VPN services need to be transmitted over a specified TE tunnel or when load balancing needs to be performed among multiple tunnels to fully use network resources, tunnel policies need to be applied. Tunnel policies are classified into two types: tunnel type prioritization policy and tunnel binding policy. The two policies cannot be configured simultaneously. The following describes the two types of tunnel policies.

  • Tunnel type prioritization policy:

    Specifies the sequence in which each type of tunnel is selected and the number of tunnels participating in load balancing. Tunnels defined in a tunnel type prioritization policy are selected in sequence. The tunnels selected first are those listed earlier and in the Up state regardless of whether the tunnels are in use. Tunnels listed later are not selected unless load balancing is required or the tunnels specified first are all Down.

    For example, a tunnel policy defines the following rules:

    • Both CR-LSPs and LSPs can be used
    • CR-LSPs take priority over LSPs
    • Three tunnels participate in load balancing

    Tunnels are selected according to the following:

    • CR-LSPs in Up state are preferred.
    • If three or more CR-LSPs are Up, the three CR-LSPs listed earlier are selected.
    • If fewer than three CR-LSPs are Up, LSPs are selected. For example, if only one CR-LSP is Up, two LSP tunnels can be selected.
    • If only one LSP or none are Up, the existing tunnels in Up state are used. If more than two LSPs are Up, only the first two LSPs are selected.
    • If a protection group is configured for a TE tunnel (CR-LSP), the protection tunnel cannot be selected.
    • If a TE tunnel is reserved for tunnel binding, the TE tunnel cannot be selected.

    The tunnel type prioritization policy cannot specify the desired tunnels to use when multiple tunnels of the same type are available.

  • Tunnel binding policy:

    Specifies TE tunnels for carrying VPN services. Multiple TE tunnels to the same destination can be specified for load balancing. You can also determine whether to use other tunnels to prevent traffic interruption when all specified tunnels are unavailable.

    The rules for tunnel selection are as follows:
    • Specified TE tunnels in the Up state are selected to perform load balancing.
    • If all the specified TE tunnels are unavailable, no other tunnel is selected by default. An available tunnel (an LSP, or a CR-LSP if no LSP is available) can be selected based on actual needs.

    A tunnel binding policy specifies the exact TE tunnels over which VPN services are transmitted. TE tunnels have high reliability and guaranteed bandwidth, so tunnel binding policies can be used for VPN services requiring QoS guarantees.

    Figure 1 shows an example of typical VPN tunnel binding.

    Figure 1 VPN tunnel binding

    In Figure 1, two MPLS TE tunnels, Tunnel1 and Tunnel2, are established between PE1 and PE3.

    If VPN A binds to Tunnel1 and VPN B binds to Tunnel2, VPN A and VPN B use different TE tunnels. Tunnel1 only serves VPN A, and Tunnel2 only serves VPN B. VPN A and VPN B services are isolated from each other and also from other services. VPN A and VPN B bandwidths are ensured, facilitating subsequent QoS deployment.
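The selection rules of both policy types above, modeled as an added example (not Huawei code and not from the original page). The `Tunnel` class, the function names, the `fallback` parameter and the tunnel inventory are assumptions made for illustration.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Tunnel:
    name: str
    kind: str                 # "cr-lsp" (TE tunnel) or "lsp"
    up: bool = True
    protection: bool = False  # protection tunnel of a TE protection group
    reserved: bool = False    # TE tunnel reserved for tunnel binding

def select_by_priority(tunnels, type_order, load_balance):
    """Tunnel type prioritization: earlier types first, Up tunnels in listed order."""
    chosen = []
    for kind in type_order:
        for t in tunnels:
            if len(chosen) == load_balance:
                return chosen
            if t.kind != kind or not t.up or t.protection or t.reserved:
                continue
            chosen.append(t.name)
    return chosen

def select_by_binding(tunnels, bound, fallback=False):
    """Tunnel binding: only the named TE tunnels; optional fallback when all are down."""
    chosen = [t.name for t in tunnels if t.name in bound and t.up]
    if chosen or not fallback:
        return chosen          # default: no other tunnel is selected
    for kind in ("lsp", "cr-lsp"):   # an LSP, or a CR-LSP if no LSP is available
        for t in tunnels:
            if t.kind == kind and t.up and t.name not in bound:
                return [t.name]
    return []

# Constructed inventory of tunnels from PE1 to PE3 (not from the original page).
SAMPLE = [
    Tunnel("Tunnel1", "cr-lsp", reserved=True),    # bound to VPN A
    Tunnel("Tunnel2", "cr-lsp", reserved=True),    # bound to VPN B
    Tunnel("Tunnel3", "cr-lsp"),
    Tunnel("Tunnel4", "cr-lsp", protection=True),
    Tunnel("LSP1", "lsp"),
    Tunnel("LSP2", "lsp", up=False),
    Tunnel("LSP3", "lsp"),
]
# SAMPLE with Tunnel1 taken Down, to show the binding fallback behaviour.
TUNNEL1_DOWN = [replace(t, up=False) if t.name == "Tunnel1" else t for t in SAMPLE]

if __name__ == "__main__":
    print(select_by_priority(SAMPLE, ["cr-lsp", "lsp"], 3))
    print(select_by_binding(SAMPLE, {"Tunnel1"}))
    print(select_by_binding(TUNNEL1_DOWN, {"Tunnel1"}))
    print(select_by_binding(TUNNEL1_DOWN, {"Tunnel1"}, fallback=True))
```

With the fallback left off, a VPN bound to Tunnel1 has no tunnel when Tunnel1 goes Down; with it on, the VPN's traffic moves to an LSP that is not dedicated to it, so the isolation and bandwidth guarantee of the binding no longer hold for that period.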

Tunnel Selector

In HVPN, SPE devices accept VPNv4 routes from all the UPE devices. Currently, PE devices iterate LSP tunnels for VPNv4 routes. Sometimes, TE tunnels need to be iterated for VPNv4 routes to provide guaranteed bandwidth; the PE devices cannot provide this function by default.

The tunnel selector addresses this issue.

The tunnel selector can filter VPNv4 routes or BGP-IPv4 labeled routes and apply a tunnel policy to the routes that pass the filtering criteria. In this way, expected tunnels can be selected based on the tunnel policy.

Copyright © Huawei Technologies Co., Ltd.