Configuration Guide - VPN

S1720, S2700, S5700, and S6720 V200R010C00

This document describes the VPN configuration procedures and provides configuration examples.
Configuring a VPN Instance on a PE Device

Context

In a BGP/MPLS IP VPN application, each VPN has an instance that maintains the forwarding information of the local VPN. Such an instance is called a VPN instance or VPN routing and forwarding table (VRF).

VPN instances isolate VPN routes from routes on the public network and isolate the routes of different VPN instances. VPN instances must be configured in all types of BGP/MPLS IP VPN networking.

Perform the following steps on each PE device.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    ip vpn-instance vpn-instance-name

    A VPN instance is created, and its view is displayed.

    NOTE:

    A VPN instance name is case sensitive. For example, "vpn1" and "VPN1" are different VPN instances.

  3. (Optional) Run:

    description description-information

    The description is configured for the VPN instance.

  4. (Optional) Run:

    service-id service-id

    A service ID is created for the VPN instance.

    A service ID is unique on a device. It distinguishes a VPN service from other VPN services on the network.

  5. Run:

    ipv4-family

    The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    VPN instances support both the IPv4 and IPv6 address families. A VPN instance can be configured further only after an address family is enabled for it; enable the address family that matches the type of routes advertised and data forwarded.

  6. Run:

    route-distinguisher route-distinguisher

    An RD is configured for the VPN instance IPv4 address family.

    A VPN instance IPv4 address family takes effect only after being configured with an RD. The RDs of different VPN instances on a PE must be different.

    NOTE:
    • An RD can be modified or deleted only after the VPN instance is deleted or the VPN instance IPv4 address family is disabled.

    • If you configure an RD for the VPN instance IPv4 address family in the created VPN instance view, the VPN instance IPv4 address family is enabled and the VPN instance IPv4 address family view is displayed.

  7. Run:

    vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    A VPN target is configured for the VPN instance IPv4 address family.

    A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of VPN routing information. A maximum of eight VPN targets can be configured using a vpn-target command.

    Skip this step when the device functions as the MCE only.

  8. (Optional) Restrict the number of routes in a VRF.

    The configuration restricts the number of routes or route prefixes imported from the attached CE devices and peer PE devices into a VPN instance on a PE device. It is recommended that you use only one of the following commands.

    By default, the number of routes in a VRF is not limited as long as the total number of routes does not exceed the maximum number of unicast routes supported by the PE device.

    • To set the maximum number of routes in the VPN instance IPv4 address family, run routing-table limit number { alert-percent | simply-alert }.
      NOTE:

      The routing-table limit command enables the system to display a message when the number of routes added to the routing table of the VPN instance IPv4 address family exceeds the limit. If you run the routing-table limit command to increase the maximum number of routes in the VPN instance IPv4 address family or run the undo routing-table limit command to cancel the limit, the system adds newly received routes of various protocols to the private network IP routing table.

    • To set the maximum number of route prefixes in the VPN instance IPv4 address family, run prefix limit number { alert-percent [ route-unchanged ] | simply-alert }.
      NOTE:

      If the prefix limit command is run, the system gives a prompt when the number of route prefixes added to the routing table of the VPN instance IPv4 address family exceeds the limit. After the prefix limit command is run to increase the allowed maximum number of route prefixes in a VPN instance IPv4 address family or the undo prefix limit command is run to cancel the limit, the system adds newly received route prefixes of various protocols to the private network IP routing table.

      After the number of route prefixes exceeds the maximum limit, direct and static routes can still be added to the IPv4 address family routing table of VPN instances.

  9. (Optional) Run:

    limit-log-interval interval

    The interval for logging the event that the number of routes exceeds the threshold is set for the VPN instance IPv4 address family.

    If the routes or prefixes in the IPv4 address family of a VPN instance reach the maximum, the system will generate logs at intervals (defaulting to 5 seconds). To prevent logs from being displayed frequently, run this step to prolong the interval of log generation.

  10. (Optional) Configure a routing policy for the VPN instance.

    In addition to using VPN targets to control VPN route advertisement and reception, you can configure a routing policy for the VPN instance to better control VPN routes.
    • An import routing policy filters routes before they are imported into the VPN instance IPv4 address family.
    • An export routing policy filters routes before they are advertised to other PE devices.
    NOTE:

    Before applying a routing policy to a VPN instance, create the routing policy. For details about how to configure a routing policy, see Routing Policy Configuration in the S1720, S2700, S5700, and S6720 V200R010C00 Configuration Guide - IP Unicast Routing.

    Run the following command as required:
    • To configure an import routing policy for the VPN instance IPv4 address family, run import route-policy policy-name.
    • To configure an export routing policy for the VPN instance IPv4 address family, run export route-policy policy-name.

  11. (Optional) Run one of the following commands to configure the label allocation mode in the VPN instance IPv4 address family.

    • Run:

      apply-label per-instance

      MPLS label allocation based on the VPN instance IPv4 address family (known as label per instance) is configured. One label is assigned to all the routes of the VPN instance IPv4 address family.

      When a large number of VPN routes on the PE exhausts MPLS label resources, the label per instance mode saves label resources on the PE and lowers the requirement for the PE capacity.

    • Run:

      apply-label per-route

      MPLS label allocation based on each route (known as label per route) is configured. The VPN instance address family assigns a unique label to each route to be sent to the peer PE.

      When only a small number of VPN routes exist on the PE and MPLS label resources are sufficient, the label per route mode improves system security. In this mode, downstream devices can load balance VPN traffic based on the inner labels of packets.

    By default, label per instance is used.
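An added example, not part of the Huawei guide: a Python audit of VPN instance configuration text against the constraints stated in this procedure (an RD for each instance, RDs unique on the PE, a route or prefix limit in place, and which instances import a VPN target that another instance exports). The configuration is a constructed sample; the function names, and treating a vpn-target line without a direction keyword as both, are assumptions of the example.

```python
SAMPLE_CONFIG = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 both
  routing-table limit 1000 80
#
ip vpn-instance VPN1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 222:1 export-extcommunity
  vpn-target 222:1 111:1 import-extcommunity
"""  # constructed sample, not taken from the guide or from a real device
DIRECTIONS = {"both", "export-extcommunity", "import-extcommunity"}

def parse(config):  # instance name -> RD, import/export targets, limit flag
    vrfs, cur = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "vpn-instance"] and len(tok) == 3:
            cur = vrfs.setdefault(tok[2], dict(rd=None, imp=set(), exp=set(), limited=False))
        elif not line.startswith(" "):
            cur = None  # any other unindented line ends the instance block
        elif cur is None or not tok:
            continue
        elif tok[0] == "route-distinguisher":
            cur["rd"] = tok[1]
        elif tok[0] == "vpn-target":  # no keyword is treated as both (assumption)
            direction = tok[-1] if tok[-1] in DIRECTIONS else "both"
            targets = set(tok[1:]) - DIRECTIONS
            cur["imp"] |= targets if direction != "export-extcommunity" else set()
            cur["exp"] |= targets if direction != "import-extcommunity" else set()
        elif tok[0] in ("routing-table", "prefix") and tok[1:2] == ["limit"]:
            cur["limited"] = True
    return vrfs

def audit(config):  # sorted (instance, finding) pairs
    vrfs, out = parse(config), []
    for name, v in vrfs.items():
        if v["rd"] is None:
            out.append((name, "no RD: IPv4 address family does not take effect"))
        if not v["limited"]:
            out.append((name, "no routing-table limit or prefix limit configured"))
        others = {n: o for n, o in vrfs.items() if n != name}
        for other, o in others.items():
            if v["rd"] and v["rd"] == o["rd"]:
                out.append((name, f"RD {v['rd']} is also configured on {other}"))
            out += [(name, f"imports {t} exported by {other}") for t in sorted(v["imp"] & o["exp"])]
    return sorted(out)
```

Because instance names are case sensitive, the parser keeps vpn1 and VPN1 as separate instances, and the audit reports that both carry the same RD.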

Updated: 2019-08-21

Document ID: EDOC1000141944
