Configuring Nested VPN

For a network with many VPNs, nested VPN is a good solution if you want to define different levels of management privileges (access privileges for VPNs) and conceal the deployment of internal VPNs. With nested VPN, you can implement layered management of internal VPNs easily, at low cost and with simple management operations.

Configuration Prerequisites

Before configuring nested VPN, perform this task:
  •  Configuring basic MPLS L3VPN capability

Configuring Nested VPN

Follow these steps to configure nested VPN:


Note:
  •  The address ranges for sub-VPNs of a user VPN cannot overlap.
  •  It is not recommended to give nested VPN peers addresses that public network peers use.
  •  Before specifying a nested VPN peer or peer group, be sure to configure the corresponding BGP peer or peer group in BGP VPN instance view.
  •  At present, nested VPN does not support multi-hop EBGP networking. Therefore, a service provider PE and its peer must use the addresses of the directly connected interfaces to establish a neighbor relationship.
  •  On some devices, if a CE of a sub-VPN is directly connected to a service provider’s PE, policy routing must be configured on the PE to allow mutual access between the sub-VPN and the VPN on the backbone.
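
A pre-deployment check for the address constraints in the notes above, as an added example that is not part of the original page or the vendor's documentation. The function name, the input layout and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from itertools import combinations

def check_nested_vpn_plan(sub_vpns, nested_peers, public_peers, pe_interfaces):
    """Return a list of findings for a planned nested VPN deployment.

    sub_vpns:      {sub-VPN name: [prefix, ...]} for one user VPN
    nested_peers:  addresses planned for nested VPN peers
    public_peers:  addresses already used by public network peers
    pe_interfaces: interface addresses (with mask) on the service provider PE
    """
    findings = []
    nets = [(name, ipaddress.ip_network(p))
            for name, prefixes in sub_vpns.items() for p in prefixes]
    # Sub-VPN address ranges within one user VPN cannot overlap.
    for (n1, a), (n2, b) in combinations(nets, 2):
        if n1 != n2 and a.version == b.version and a.overlaps(b):
            findings.append(f"overlap: {n1} {a} and {n2} {b}")
    public = {ipaddress.ip_address(p) for p in public_peers}
    links = [ipaddress.ip_interface(i).network for i in pe_interfaces]
    for peer in map(ipaddress.ip_address, nested_peers):
        # Nested VPN peers should not reuse addresses of public network peers.
        if peer in public:
            findings.append(f"reused public peer address: {peer}")
        # No multi-hop EBGP: the peer must be on a directly connected subnet.
        if not any(peer in link for link in links):
            findings.append(f"not directly connected: {peer}")
    return findings

# Constructed sample plan (private and documentation address ranges only).
SAMPLE = dict(
    sub_vpns={"sub-a": ["10.1.0.0/16"], "sub-b": ["10.1.128.0/17"],
              "sub-c": ["10.2.0.0/16"]},
    nested_peers=["192.0.2.2", "198.51.100.9"],
    public_peers=["198.51.100.9"],
    pe_interfaces=["192.0.2.1/30"],
)

if __name__ == "__main__":
    for finding in check_nested_vpn_plan(**SAMPLE):
        print(finding)
```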

