1. Virtual System → Services and routes can be isolated.
A virtual system (VS) in Huawei firewalls is a fully isolated security instance within a single physical firewall.
Each virtual system has separate services, routing tables, policies, and security rules, ensuring full isolation between different users or tenants.
2. VPN Instance → Only route isolation can be implemented.
A VPN instance (VRF - Virtual Routing and Forwarding) provides route isolation for different customer networks but does not isolate services or security policies.
This is typically used in MPLS VPN deployments where different customers share the same physical device but need isolated routing tables.
3. VPN Instance → VPN instances are automatically generated.
In some MPLS VPN or SDN-managed networks, VPN instances can be automatically created when customer configurations are pushed via controllers.
Dynamic routing protocols (e.g., BGP/MPLS VPN) can automatically generate VRF instances based on network policies.
4. Virtual System → An instance needs to be manually created.
Unlike VPN instances, virtual systems must be manually created by an administrator on the firewall.
Each virtual system functions as a completely independent firewall, requiring manual configuration of interfaces, policies, and routing settings.