
MUX-VPN

Posted on Apr 12, 2024

What Is MUX-VPN?

As digitalization technologies advance, global digitization is accelerating. Driven by national strategies and digital transformation trends, more enterprises are migrating their services to the cloud. However, carriers' traditional 2B private lines fall short in meeting the requirements for flexible control and security amid the digital transformation of various industries. To address these shortcomings, Huawei proposes the innovative MUX-VPN solution. This solution enables fast multi-network access, on-demand and controllable site-to-site connectivity, and flexible orchestration of value-added service function chains (SFCs), thus accelerating service innovation and advancing towards application-aware networking (APN).

Why Do We Need MUX-VPN?

As cloud-network services proliferate, driven by national strategies and digital transformation trends, an increasing number of enterprises are migrating their services to the cloud. However, the deployment of these services poses challenges for carriers' existing 2B private lines, which struggle to meet the demands for flexible control and security assurance.

Firstly, in a carrier's live network, various types of private lines—such as Optical Transport Network (OTN), Multi-Service Transport Platform (MSTP), Slicing Packet Network (SPN), and IP Radio Access Network (RAN)—coexist. Selling each type separately fails to cater to the needs of enterprises with multiple access points and diverse access conditions. When communication between different types of private lines is necessary, complex service configurations must be executed on the backbone network.

Secondly, traditional solutions for private line interworking entail complex deployments, requiring devices to acquire VPN routes and conduct multi-field classification based on predefined traffic policies. Moreover, modifications to the Route Target (RT) plan for existing sites are necessary whenever a new site is added. This deployment process is intricate and lacks flexibility, often falling short of meeting service requirements.

Furthermore, carriers encounter numerous challenges in network security construction, including fragmented efforts, redundant investments, a lack of unified resource allocation, and uneven load distribution. Similar issues persist in cloud security construction, such as fragmented efforts, inconsistent security protection capabilities across departments, and a dearth of unified construction plans. Given that most cloud pools still rely on physical devices and some security equipment is outdated, achieving unified resource allocation is unfeasible. To deliver value-added services to enterprise tenants, carriers must allocate distinct VLAN sub-interfaces to each tenant between security and network devices. These security devices then map VLAN sub-interfaces to vSYS resources for security service processing. However, configuring numerous sub-interfaces in this manner proves complex and challenging to automate.

The Application of MUX-VPN

The following diagram presents an overview of MUX-VPN.

[Figure: MUX-VPN overview]

  • Network access aspect: The HoVPN model is implemented on the PEs within the cloud backbone network to ensure compatibility with various access tunnel types.

  • Network provider edge (PE) aspect: CPEs at diverse access points are organized to enable policy-driven flexible communication management.

  • Provisioning of value-added services: SRv6 and APN6 are utilized to assist carriers in establishing security resource pools and offering value-added security services to enterprise users.

The Key Features of MUX-VPN

MUX-VPN has three essential characteristics: access in any scenario, policy-based flexible communication control, and ubiquitous service security. Each is described below.

  • 1. Access in Any Scenario

In previous iterations of intelligent cloud-network solutions, achieving end-to-end (E2E) VPN implementation necessitated upgrades to E2E network devices to support SRv6, which proved inadequate for accommodating diverse access scenarios. MUX-VPN, however, addresses this challenge by deploying the HoVPN service model on the PEs within the cloud backbone network. This model enables both CPEs and network PEs to offer multiple access modes, including Option A, GRE tunnel, MPLS, and SRv6.

The following diagram illustrates how MUX-VPN transforms various private lines into SRv6 access private lines. Upon receiving service packets from different types of access private lines, the network PE converts these packets into SRv6 packets, facilitating access across wired, wireless, and Internet scenarios. This approach eliminates the need for comprehensive upgrades of E2E network devices to support SRv6, thereby significantly streamlining deployment processes.

  • 2. Policy-based Flexible Communication Control

In MUX-VPN, application-aware IPv6 networking (APN6) is employed to organize CPEs across different access points, while network PEs handle grouping policies for flexible communication control, as illustrated in the diagram.

Initially, each CPE is configured with an APN group ID corresponding to its VPN service. When the CPE adds an SRv6 tunnel header to a service packet, it also appends an IPv6 Destination Options Header (DOH) carrying the APN ID. The CPE then forwards the packet to the network PE. Upon reception, the network PE extracts the APN ID, derives the source group ID from it, and identifies the destination CPE and destination group ID by looking up the local VPN routing table. The network PE then compares the source and destination group IDs against the group policy to decide whether the communication is permitted. Finally, the network PE embeds the source APN ID into the packet header for the next tunnel segment and transmits the packet towards the egress. At the egress, the APN ID and SRv6 tunnel header are removed from the packet before it is forwarded. This process enables MUX-VPN to achieve policy-based flexible communication control.
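The network PE's decision path described above, as an added model that is not code from the article or from any Huawei product: the APN ID in the DOH maps to a source group, the VPN routing table yields the destination CPE and group, and a group policy decides whether the packet is forwarded. The APN IDs, group names, prefixes, SIDs and the policy table are constructed sample values; the packet class is an assumed minimal model.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SRv6Packet:
    apn_id: int                    # APN ID carried in the DOH extension header
    dst_ip: str                    # inner destination of the VPN service packet
    segment_list: list = field(default_factory=list)   # SRv6 tunnel header (SIDs)

# Constructed: APN group ID assigned to each CPE for this VPN service.
APN_ID_TO_GROUP = {1001: "HQ", 1002: "BRANCH", 1003: "PARTNER"}

# Constructed VPN routing table: prefix -> (destination CPE, destination group).
VPN_ROUTES = {
    ipaddress.ip_network("10.1.0.0/16"): ("cpe-hq", "HQ"),
    ipaddress.ip_network("10.2.0.0/16"): ("cpe-branch-1", "BRANCH"),
    ipaddress.ip_network("10.3.0.0/16"): ("cpe-partner", "PARTNER"),
}

# Constructed group policy: allowed (source group, destination group) pairs.
# Pairs not listed are denied, so partner sites cannot reach branch sites.
GROUP_POLICY = {("HQ", "BRANCH"), ("BRANCH", "HQ"), ("PARTNER", "HQ"), ("HQ", "PARTNER")}

def lookup_vpn_route(dst_ip: str):
    """Longest-prefix match in the local VPN routing table."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in VPN_ROUTES.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, target)
    return best[1] if best else None

def network_pe_process(pkt: SRv6Packet) -> dict:
    """Steps the article attributes to the network PE, in order."""
    src_group = APN_ID_TO_GROUP.get(pkt.apn_id)
    if src_group is None:
        return {"action": "drop", "reason": "unknown APN ID"}
    route = lookup_vpn_route(pkt.dst_ip)
    if route is None:
        return {"action": "drop", "reason": "no VPN route"}
    dst_cpe, dst_group = route
    if (src_group, dst_group) not in GROUP_POLICY:
        return {"action": "drop", "reason": f"policy denies {src_group}->{dst_group}"}
    # The source APN ID stays in the header for the next tunnel segment.
    next_hop = SRv6Packet(pkt.apn_id, pkt.dst_ip, ["sid:" + dst_cpe])
    return {"action": "forward", "dst_cpe": dst_cpe, "packet": next_hop}

def egress_cpe_strip(pkt: SRv6Packet) -> dict:
    """Egress removes the APN ID and SRv6 tunnel header before forwarding."""
    return {"dst_ip": pkt.dst_ip}
```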

  • 3. Ubiquitous Service Security

MUX-VPN leverages SRv6 and APN6 to assist carriers in constructing security resource pools and delivering value-added security services for enterprise users. This not only caters to the specific needs of enterprises but also enhances revenue opportunities.

In the depicted network, MUX-VPN utilizes a network controller to coordinate E2E SRv6 TE Policies and incorporate SIDs from the security resource pool into service function chains (SFCs). The ingress node attaches APN IDs containing user IDs to service packets. Subsequently, the security resource pool identifies tenants based on their user IDs and applies security services accordingly. This obviates the necessity to configure numerous sub-interfaces between network and security devices, streamlining deployment processes while facilitating ubiquitous service security and automated deployment.
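The SFC orchestration described above, as an added model that is not the article's code nor any controller's real API: the controller splices security resource pool SIDs into the tenant's SRv6 TE Policy segment list, and the pool node picks the tenant's vSYS from the user ID carried in the APN ID rather than from a per-tenant VLAN sub-interface. The SIDs, user IDs, service catalogue and the APN ID bit layout are all constructed assumptions for this illustration.

```python
# Constructed SIDs for the security functions in the resource pool.
SECURITY_POOL_SIDS = {
    "firewall": "2001:db8:pool::fw",
    "ips": "2001:db8:pool::ips",
}

# Constructed tenant catalogue keyed by user ID: the ordered value-added
# security services each tenant subscribes to (empty list = none).
TENANT_SERVICES = {
    501: ["firewall", "ips"],
    502: ["firewall"],
    503: [],
}

# Assumed APN ID layout for this model only: user ID in the upper 16 bits
# of a 32-bit value, lower 16 bits left for other APN attributes.
def encode_apn_id(user_id: int, attrs: int = 0) -> int:
    return ((user_id & 0xFFFF) << 16) | (attrs & 0xFFFF)

def user_id_from_apn_id(apn_id: int) -> int:
    return (apn_id >> 16) & 0xFFFF

def build_segment_list(user_id: int, egress_sid: str) -> list:
    """Controller side: put the tenant's security SIDs, in order, ahead of the egress SID."""
    services = TENANT_SERVICES.get(user_id)
    if services is None:
        raise KeyError(f"unknown user ID {user_id}")
    return [SECURITY_POOL_SIDS[s] for s in services] + [egress_sid]

def security_pool_dispatch(apn_id: int, function: str) -> str:
    """Pool side: select the tenant's vSYS from the user ID in the APN ID.

    A packet that reaches a function the tenant has not subscribed to is
    passed through untouched so one tenant's policy is never applied to another.
    """
    user_id = user_id_from_apn_id(apn_id)
    if function not in TENANT_SERVICES.get(user_id, []):
        return "bypass"
    return f"vsys-{user_id}"
```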
