Configuration Guide - VPN 01

NE05E and NE08E V300R003C10SPC500

This is NE05E and NE08E V300R003C10SPC500 Configuration Guide - VPN
Configuring a VPN Instance

A VPN instance can be configured on a PE to manage VPN routes.

Context

A VPN instance, also called a VPN routing and forwarding (VRF) table, holds the VPN forwarding information for each VPN. In relevant standards, a VPN instance is also called a per-site forwarding table. VPN instances must be created in all BGP/MPLS IP VPN solutions.

VPN instances isolate VPN routes from public network routes and isolate the routes of VPN instances from each other. Perform the following steps on each PE.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip vpn-instance vpn-instance-name

    A VPN instance is created, and its view is displayed.

    NOTE:

    A VPN instance name is case-sensitive. For example, "vpn1" and "VPN1" are different VPN instances.

    Multiple VPN instances can be created on a PE. By default, no VPN instance exists on a PE.

  3. (Optional) Run description description-information

    A description is configured for the VPN instance.

    Similar to a host name or an interface description, the VPN instance description helps users identify the VPN instance.

  4. (Optional) Run vpn-id vpn-id

    A VPN ID is configured for the VPN instance.

    The vpn-id command creates a globally unique identifier for a VPN instance. In CU separation scenarios, to ensure that the same VPN instances on the control plane and forwarding plane have the same ID, run the vpn-id command to manually set the VPN instance ID.

  5. Run ipv4-family

    The IPv4 address family is enabled for the VPN instance, and the VPN instance IPv4 address family view is displayed.

    A VPN instance can be configured further only after an address family is enabled for it. Enable the address family that matches the type of routes advertised and data forwarded.

  6. Run route-distinguisher route-distinguisher

    An RD is configured for the VPN instance IPv4 address family.

    A VPN instance IPv4 address family takes effect only after being configured with an RD. The RDs of different VPN instances on a PE must be different.

    NOTE:
    • RDs cannot be modified but can be deleted after being configured. After an RD is deleted, all configurations in the VPN instance IPv4 address family of the corresponding VPN instance will be deleted.

    • If you configure an RD for the VPN instance IPv4 address family in the created VPN instance view, the VPN instance IPv4 address family is enabled and the VPN instance IPv4 address family view is displayed.

  7. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    A VPN target is configured for the VPN instance IPv4 address family.

    A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of VPN routing information. A maximum of eight VPN targets can be configured using the vpn-target command. If you want to configure multiple VPN targets in the VPN instance IPv4 address family view, run the vpn-target command multiple times.

  8. (Optional) Run prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

    The allowed maximum number of route prefixes is set for the VPN instance IPv4 address family.

    The configuration restricts the number of route prefixes imported from the CEs and other PEs into a VPN instance IPv4 address family on a PE, preventing the PE from receiving too many route prefixes.

    NOTE:

    After the prefix limit command is run to increase the allowed maximum number of route prefixes in a VPN instance IPv4 address family or the undo prefix limit command is run to cancel the limit, the system adds newly received route prefixes of various protocols to the private network IP routing table.

    After the number of route prefixes exceeds the maximum limit, direct and static routes can still be added to the IPv4 address family routing table of VPN instances.

  9. (Optional) Run import route-policy policy-name

    An import routing policy is configured for the VPN instance IPv4 address family.

    In addition to using VPN targets to control VPN route sending and receiving, an import routing policy can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

  10. (Optional) Run export route-policy policy-name [ add-ert-first ]

    An export routing policy is configured for the VPN instance IPv4 address family.

    In addition to using VPN targets to control VPN route sending and receiving, an export routing policy can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

    By default, ERTs are added to VPN routes before these routes are matched against an export routing policy. If the export routing policy contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export routing policy to VPN routes, specify the add-ert-first parameter to configure the system to add ERTs to VPN routes before matching these routes against the export routing policy.

  11. (Optional) Run import route-filter route-filter-name

    An import route-filter is configured for the VPN instance IPv4 address family.

    In addition to using VPN targets to control VPN route sending and receiving, an import route-filter can be used to filter routes imported to the VPN instance IPv4 address family or modify route attributes so that VPN route receiving can be better controlled.

  12. (Optional) Run export route-filter route-filter-name [ add-ert-first ]

    An export route-filter is configured for the VPN instance IPv4 address family.

    In addition to using VPN targets to control VPN route sending and receiving, an export route-filter can be used to filter routes to be advertised to other PEs or modify route attributes so that VPN route sending can be better controlled.

    By default, ERTs are added to VPN routes before these routes are matched against an export route-filter. If the export route-filter contains RT-related filtering rules, these rules cannot apply to these routes. If you want to apply the RT-related filtering rules defined in an export route-filter to VPN routes, specify the add-ert-first parameter to configure the system to add ERTs to VPN routes before matching these routes against the export route-filter.

  13. (Optional) Run tnl-policy policy-name

    A tunnel policy is applied to the VPN instance IPv4 address family.

    A tunnel is specified for IPv4 VPN data forwarding when a tunnel policy is applied to a VPN instance IPv4 address family.

  14. (Optional) Run apply-label per-route pop-go

    The device is configured to assign a unique label to each VPNv4 route sent to its BGP VPNv4 peer and forward the data packets received from its BGP VPNv4 peer through outbound interfaces found in the local ILM.

    By default, the local device assigns a unique label to each VPNv4 route sent to its BGP VPNv4 peer. After the local device receives a labeled data packet from its BGP VPNv4 peer, the local device removes the label, searches the IP forwarding table for a forwarding entry according to the longest-match principle, and sends the packet based on the found forwarding entry.

    After the apply-label per-route pop-go command is configured, the local device records in the ILM the mapping between the label assigned to each VPNv4 route and the outbound interface of the route. Then, after the local device receives a labeled data packet from its BGP VPNv4 peer, the local device directly searches the ILM for an outbound interface based on label information carried in the packet and forwards the packet through the found outbound interface after removing its label. This implementation significantly accelerates packet forwarding.

    The apply-label per-route pop-go command is mutually exclusive with the apply-label per-instance command. If both commands are configured, the one configured later prevails.

  15. (Optional) Run apply-label per-instance

    MPLS label distribution based on the VPN instance IPv4 address family (known as one label per instance) is configured. One label is assigned to all the routes of the VPN instance IPv4 address family.

    Generally, one label is assigned per route. If the number of routes is large, a large number of labels is consumed.

    The NE supports one label per instance: all the routes of a VPN instance IPv4 address family are assigned the same label. When there are many VPN routes, this reduces the number of MPLS labels the PE has to maintain.

  16. Run commit

    The configuration is committed.
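
The rules stated in the procedure can be checked against a planned command list before it is pushed to a PE. The following is an added example, not part of the Huawei guide: the instance names, RDs, VPN targets and the function names parse_instances and audit are constructed for illustration, and the input is assumed to be the commands for one PE in the order they would be typed.

```python
import re
from collections import defaultdict

# Constructed sample: planned commands for one PE (names, RDs, RTs are made up).
SAMPLE = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 both
  prefix limit 1000 80
ip vpn-instance VPN1
 ipv4-family
  route-distinguisher 100:1
  apply-label per-route pop-go
  apply-label per-instance
ip vpn-instance vpn2
 ipv4-family
  vpn-target 200:1 both
"""

def parse_instances(text):
    """Return {name: [commands]}; names stay case-sensitive, as on the device."""
    instances, current = {}, None
    for line in text.splitlines():
        cmd = line.strip()
        m = re.fullmatch(r"ip vpn-instance (\S+)", cmd)
        if m:
            current = instances.setdefault(m.group(1), [])
        elif cmd and cmd != "#" and current is not None:
            current.append(cmd)
    return instances

def audit(text):
    """Check the rules stated in the procedure; return a sorted list of findings."""
    findings, rds, folded = [], defaultdict(list), defaultdict(list)
    for name, cmds in parse_instances(text).items():
        folded[name.lower()].append(name)
        rd = [c.split()[1] for c in cmds if c.startswith("route-distinguisher ")]
        if rd:
            rds[rd[0]].append(name)
        else:
            findings.append(f"{name}: no RD, IPv4 address family does not take effect")
        if not any(c.startswith("prefix limit ") for c in cmds):
            findings.append(f"{name}: no prefix limit on imported routes")
        if sum(c.startswith("apply-label per-") for c in cmds) > 1:
            findings.append(f"{name}: conflicting apply-label modes, later one prevails")
    findings += [f"RD {rd} reused by {', '.join(n)}" for rd, n in rds.items() if len(n) > 1]
    findings += [f"names differ only by case: {', '.join(n)}" for n in folded.values() if len(n) > 1]
    return sorted(findings)
```

Calling audit(SAMPLE) reports the reused RD, the two names that differ only by case, the instance without an RD, the two instances without a prefix limit, and the conflicting apply-label commands.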

Updated: 2019-01-14

Document ID: EDOC1100058925
