What Is MUX-VPN?

Multiplex VPN (MUX-VPN) is an innovative intelligent cloud-network solution that uses multiplexing technology for efficient data traffic transmission, thereby minimizing network latency while also improving network throughput. As digitalization technologies continue to advance, global digitalization is picking up pace. Fueled by national strategies and digital transformation trends, an increasing number of enterprises are migrating their services to the cloud. However, carriers' existing 2B private lines cannot meet the requirements for flexible control and security guarantee amid the digital transformation of numerous industries. To address the shortcomings of carriers' traditional 2B private line solutions, Huawei innovatively proposes MUX-VPN. This solution allows for fast multi-network access, on-demand and controllable site-to-site access, and flexible orchestration of value-added service function chains (SFCs), accelerating service innovation. It represents a solid step toward application-aware networking (APN).

Why Do We Need MUX-VPN?

A cloud-network is a network that connects and enables clouds. Fueled by national strategies and digital transformation trends, an increasing number of enterprises are migrating their services to the cloud. However, as cloud-network service deployment ramps up, carriers' existing 2B private lines cannot meet the requirements for flexible control and security guarantee.

First, various types of private lines — such as optical transport network (OTN), multi-service transport platform (MSTP), Slicing Packet Network (SPN), and IP radio access network (RAN) — coexist on a carrier's live network. Selling each type separately cannot meet the requirements of enterprises that have multiple access points and different access conditions. If communication between different types of private lines is required, complex service configurations need to be performed on the backbone network.

Second, in traditional solutions, private line interworking involves complex deployment, requiring devices to learn VPN routes and perform multi-field classification based on planned traffic policies. Furthermore, the route target (RT) plan for existing sites needs to be modified each time a site is added. The deployment is difficult and inflexible, failing to meet service requirements.

In addition, carriers face a number of problems in terms of network security construction, such as fragmented efforts, repetitive investments, lack of unified resource scheduling, and uneven load distribution. Problems also exist in terms of cloud security construction, such as fragmented efforts, inconsistent security protection capabilities across departments, and lack of a unified plan for such construction. Because most cloud pools are still deployed on physical devices, and some security devices are outdated, it is impossible to schedule resources in a unified manner. To provide value-added services for enterprise tenants, carriers need to allocate different VLAN sub-interfaces to each tenant between security devices and network devices. Security devices map VLAN sub-interfaces to vSYS resources for security service processing. In this case, many sub-interfaces need to be configured, which is complex and difficult to automate.

To address the preceding shortcomings of carriers' traditional 2B private line solutions, Huawei innovatively proposes MUX-VPN. This solution allows for fast multi-network access, on-demand and controllable site-to-site access, and flexible orchestration of value-added SFCs, accelerating service innovation. It represents a solid step toward APN.

Where Is MUX-VPN Used?

The following figure provides an overview of MUX-VPN.

MUX-VPN overview
  1. Network access side: The HoVPN model is deployed on PEs on the cloud backbone network to provide compatibility with multiple types of access tunnels.
  2. Network provider edge (PE) side: The CPEs for different access points are grouped for policy-based flexible communication control.
  3. Value-added service provisioning: SRv6 and APN6 are used to help carriers build security resource pools and provide value-added security services for enterprise users.

What Are the Key Features of MUX-VPN?

MUX-VPN has three key features: access in any scenario, policy-based flexible communication control, and ubiquitous service security. The following describes these features in detail.

  1. Access in any scenario

    The E2E VPN implementation in the earlier intelligent cloud-network solution requires E2E network devices to be upgraded to support SRv6, so it cannot meet the requirements of different access scenarios. In MUX-VPN, the HoVPN service model is deployed on the PEs of the cloud backbone network. This service model allows CPEs and network PEs to provide multiple access modes, including Option A, GRE tunnel, MPLS, and SRv6.

    The following figure shows an example of how MUX-VPN converts diverse private lines into SRv6 access private lines. Specifically, upon receipt of service packets over different types of access private lines, the network PE converts these packets into SRv6 packets, enabling access in wired, wireless, and Internet scenarios. This implementation does not require E2E network devices to be upgraded to support SRv6, significantly simplifying deployment.

    MUX-VPN converts diverse private lines into SRv6 access private lines.
  2. Policy-based flexible communication control

    In MUX-VPN, application-aware IPv6 networking (APN6) is used to group CPEs at different access points, and network PEs process grouping policies for flexible communication control, as shown in the figure.

    First, an APN group ID is configured on each CPE based on VPN services. After adding an SRv6 tunnel header to a service packet, a CPE also adds a destination options header (DOH) extension header carrying the APN ID information to this packet. The CPE then sends the packet to the network PE. Upon receipt, this PE identifies the APN ID, determines the source group ID according to the APN ID, and determines the destination CPE and destination group ID by searching the local VPN routing table. Then, the network PE matches the source and destination group IDs against the group policy for communication control. Finally, the network PE copies the source APN ID, encapsulates it into the packet header for the next tunnel segment, and sends the packet to the egress. The egress strips the APN ID along with the SRv6 tunnel header before sending the packet. In this way, MUX-VPN implements policy-based flexible communication control.

    Group policy-based flexible communication control
  3. Ubiquitous service security

    MUX-VPN uses SRv6 and APN6 to help carriers build security resource pools and provide value-added security services for enterprise users. In addition to meeting enterprises' specific requirements, this also enables them to boost their revenues.

    On the network shown in the figure, MUX-VPN uses a network controller to orchestrate E2E SRv6 TE Policies and add SIDs in the security resource pool to service function chains (SFCs). The ingress adds APN IDs that contain user IDs to service packets. The security resource pool identifies tenants based on their user IDs and processes security services accordingly. This eliminates the need to configure numerous sub-interfaces between network and security devices, significantly simplifying deployment while also enabling ubiquitous service security and automated deployment.

    Ubiquitous service security
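
The network PE's decision sequence described under policy-based flexible communication control (APN ID to source group, VPN route lookup to destination CPE and group, then group-policy match) can be modeled as follows. This is an added Python example, not Huawei code or device configuration; the APN IDs, group names, prefixes, and the default-deny, direction-sensitive policy are constructed assumptions.

```python
import ipaddress

# All values below are constructed for illustration; none come from the page.
APN_TO_GROUP = {0x1001: "finance", 0x1002: "branch", 0x1003: "guest"}  # APN ID -> source group

# Local VPN routing table on the network PE: prefix -> (destination CPE, destination group)
VPN_ROUTES = {
    "10.1.0.0/16": ("cpe-hq", "finance"),
    "10.1.50.0/24": ("cpe-lab", "branch"),
    "10.2.0.0/16": ("cpe-br1", "branch"),
}

# Group policy: (source group, destination group) pairs allowed to communicate.
# Assumption: anything not listed is denied, and direction matters.
GROUP_POLICY = {("finance", "finance"), ("finance", "branch"), ("branch", "branch")}


def lookup_route(dst_ip):
    """Longest-prefix match in the VPN routing table; None when no route exists."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in VPN_ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def pe_forward(apn_id, dst_ip):
    """Return the PE's decision for one packet as a dict."""
    src_group = APN_TO_GROUP.get(apn_id)
    if src_group is None:
        return {"action": "drop", "reason": "unknown APN ID"}
    route = lookup_route(dst_ip)
    if route is None:
        return {"action": "drop", "reason": "no VPN route"}
    dst_cpe, dst_group = route
    if (src_group, dst_group) not in GROUP_POLICY:
        return {"action": "drop", "reason": f"{src_group}->{dst_group} not permitted"}
    # Permitted: the source APN ID is copied into the header for the next tunnel segment.
    return {"action": "forward", "next_cpe": dst_cpe, "apn_id": apn_id}


if __name__ == "__main__":
    for apn, dst in [(0x1001, "10.2.3.4"), (0x1002, "10.1.9.9"),
                     (0x1002, "10.1.50.7"), (0x1003, "10.2.3.4"), (0x9999, "10.1.0.1")]:
        print(hex(apn), dst, pe_forward(apn, dst))
```

Because the source group is derived from the APN ID rather than from the packet's addresses, the unknown-ID and unlisted-pair branches are where a misconfigured or unexpected CPE shows up, which makes those drop reasons worth logging.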
About This Topic
  • Author: Zhang Ruiyu
  • Updated on: 2023-07-20