Got it

VPN Instance and Its Simple Applications on switch

Latest reply: Jul 24, 2019 10:02:38 604 1 0 0

Hello, today we are gonna introduce the VPN instance and its simple applications on the USG firewall. In this post, we are focused on the traffic isolation on layer 3 switch.


On the network shown in the preceding figure, networks of the two sites are connected through a private line between the core switches. The context is as follows:

1. In site 1, two user VLANs (VLAN 10 and VLAN 20) exist on CoreSW-Site1. VLAN 10 is the service VLAN and VLAN 20 is the disaster recovery (DR) VLAN. The default gateways of the two VLANs reside on CoreSW-Site1.

2. CoreSW-Site1 is connected to FW1 and FW2 using static routes through VLAN 30. VRRP is deployed on the internal interfaces of the firewalls. The virtual IP address of VRRP is

3. CoreSW-Site1 is connected to CoreSW-Site2 through VLAN 1000. VLAN 20 in site 1 and VLAN 21 in site 2 need to communicate with each other.

4. For Site1, VLAN 10 and VLAN 20 need to be completely isolated.

5. After the configurations are completed, VLAN 10 can communicate with the firewalls, VLAN 20 can communicate with VLAN 21, and VLAN 10 is completely isolated from VLAN 20 and VLAN 21.


The gateways of VLAN 10 and VLAN 20 are deployed on CoreSW-Site1, which means that VLANIF 10 and VLANIF 20 are configured on CoreSW-Site1. Because the two Layer 3 interfaces have implemented route reachability by default, VLAN 10 and VLAN 20 can communicate with each other through CoreSW-Site1. This brings security risks and does not meet requirements. Deploying an ACL on CoreSW-Site1 can meet the traffic isolation requirement, but it is not necessarily the best solution with the highest scalability.

Another solution is to create a VPN instance on CoreSW-Site1 to completely isolate different traffic. VLAN 10 and VLAN 30 are kept on the root device, and VLAN 20 and VLAN 1000 are placed in the VPN instance. The root device and VPN instance are completely isolated.

A VPN instance, also called a virtual routing and forwarding (VRF) instance, is a concept similar to a virtual device. By default, all interfaces of a network device (such as a Layer 3 interface or sub-interface of a firewall or a VLANIF interface of a switch) belong to the same VPN instance, that is, the root instance of a device. When a VPN instance is created on the network device, specific interfaces can be added to the VPN instance, so that the interfaces are dedicated to the instance. The VPN instance here can be considered as a virtual device. Each VPN instance uses a data forwarding table independent of the root device, such as a routing table. VPN instances use different data forwarding planes. Therefore, the traffic received by an interface in a VPN instance is not forwarded to other VPN instances or root devices. In this case, absolute traffic isolation is achieved. This concept is key to MPLS VPN. This document describes only how to use VPN instances to implement data isolation.


The configuration roadmap is as follows:

1. Create VLANs 10, 20, 30, and 1000 on CoreSW-Site1.

2. Configure Layer 2 interfaces on CoreSW-Site1 and add the interfaces to specific VLANs.

3. Create a VPN instance named test on CoreSW-Site1.

4. On CoreSW-Site1, add VLANIF 20 and VLANIF 1000 to the VPN instance test. The two interfaces then are completely isolated from the root device.

5. Configure a default static route for the root device of CoreSW-Site1. The next hop of the route is the VRRP virtual IP address of the firewall.

6. Configure a static route to VLAN 21 for the VPN instance test on CoreSW-Site1. The next hop of the route is CoreSW-Site2.

7. Note: Return routes to need to be configured on FW1 and FW2.


The configuration of CoreSW-Site1 is as follows:

vlan batch 10 20 30 1000


interface GigabitEthernet0/0/11

   port link-type access

   port default vlan 30

   description Connect-to-FW1

interface GigabitEthernet0/0/12

   port link-type access

   port default vlan 30

   description Connect-to-FW2

interface GigabitEthernet0/0/15

   port link-type trunk

   port trunk allow-pass vlan 1000

   undo port trunk allow-pass vlan 1

   description Connect-to-CoreSwitchSite2

interface eth-trunk1

   port link-type trunk

   port trunk allow-pass vlan 10

   undo port trunk allow-pass vlan 1

   description Connect-to-E9000-2X3X

interface eth-trunk2

   port link-type trunk

   port trunk allow-pass vlan 20

   undo port trunk allow-pass vlan 1

   description Connect-to-E9000-1E4E


# Create a VPN instance named test.


ip vpn-instance test

   route-distinguisher 100:1


#Configure VLANIF interfaces, and add VLANIF 20 and VLANIF 1000 into the VPN instance.

interface Vlanif10

  ip address

interface Vlanif20

  ip binding vpn-instance test

  ip address

interface Vlanif30

  ip address

interface Vlanif1000

  ip binding vpn-instance test

  ip address


#Configure static route, a default route for root device, and a static route destined for Site2-VLAN21 for VPN Instance test:


ip route-static 0

ip route-static vpn-instance test 24


Note that the display ip routing-table command output displays the routing table of the root device, and the display ip routing-table vpn-instance test command output displays the routing table of the VPN instance test. In addition, when the ping command is run on CoreSW-Site1, CoreSW-Site1 uses the interface of the root device as the source interface and searches for the route to the destination address in the routing table of the root device. To perform a ping operation in the VPN instance, for example, ping CoreSW-Site2's IP address from CoreSW-Site1, run the following command.

<S53>ping -vpn-instance test

  PING 56  data bytes, press CTRL_C to break

    Reply from bytes=56 Sequence=1 ttl=255 time=1 ms

    Reply from bytes=56 Sequence=2 ttl=255 time=1 ms

    Reply from bytes=56 Sequence=3 ttl=255 time=1 ms

    Reply from bytes=56 Sequence=4 ttl=255 time=1 ms

    Reply from bytes=56 Sequence=5 ttl=255 time=1 ms


  --- ping statistics ---

    5 packet(s) transmitted

    5 packet(s) received

    0.00% packet loss

    round-trip min/avg/max = 1/1/1 ms


 Hope you guys enjoy this post, if you have any suggestions or questions, you can reply in this post.

If you want to find more information, please visit our support website( click here ), or you can visit our KB( click here ) to learn more cases

  • x
  • convention:

Admin Created Jul 24, 2019 10:02:38 Helpful(0) Helpful(0)

View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " Privacy."

My Followers

Login and enjoy all the member benefits


Huawei Enterprise Support Community
Huawei Enterprise Support Community
Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.