
Configuring a VPN Instance

A VPN instance can be configured on the PE to manage VPN routes.

Context

An instance is created to comprise the VPN forwarding information for each VPN in a BGP/MPLS IP VPN. This instance is called a VPN instance or a VPN routing and forwarding (VRF) table. It is also called a per-site forwarding table in RFC 4364. VPN instances must be created in all BGP/MPLS IP VPN solutions.

VPN instances isolate VPN routes from public network routes and isolate the routes of VPN instances from each other. Perform the following steps on the PE:

Procedure

  1. Access the system view.

    system-view

  2. Create a VPN instance and access the VPN instance view.

    The firewall has two forms of VPN instances:

    • VPN instances manually created using the ip vpn-instance command

    • VPN instances automatically generated when virtual systems are created (The VPN instance has the same name as the created virtual system.)

    VPN instance names are case-sensitive. For example, vpn1 and VPN1 are considered different VPN instances.
    • Manually create a VPN instance.

      Run the ip vpn-instance vpn-instance-name command to create a VPN instance and access the VPN instance view.

    • A VPN instance is automatically generated when a virtual system is created.

      Run the vsys enable command to enable the virtual system function.

      Run the vsys name vsys-name command to create a virtual system. The VPN instance named vsys-name is automatically created.

      Run the ip vpn-instance vsys-name command to access the VPN instance view.

    PEs do not have default VPN instances. Multiple VPN instances can be created on a PE.

  3. (Optional) Configure a description for the VPN instance.

    description description-information

    Similar to a host name or an interface description, the VPN instance description helps users memorize the VPN instance.

  4. (Optional) Set a service ID for the VPN instance.

    service-id service-id

    A service ID is unique on a device. It distinguishes a VPN service from other VPN services on the network.

  5. Enable the IPv4 address family for the VPN instance and access the VPN instance IPv4 address family view.

    ipv4-family


    VPN instances support both the IPv4 and IPv6 address families. Configurations in a VPN instance can be performed only after an address family is enabled for it; which address family to enable depends on the type of routes advertised and the type of data forwarded.

  6. Configure an RD for the VPN instance IPv4 address family.

    route-distinguisher route-distinguisher

    A VPN instance IPv4 address family takes effect only after being configured with an RD. The RDs of different VPN instances on a PE must be different.

    • An RD can be modified or deleted only after the VPN instance is deleted or the VPN instance IPv4 address family is disabled.

    • If you configure an RD for the VPN instance IPv4 address family in the created VPN instance view, the VPN instance IPv4 address family is enabled and the VPN instance IPv4 address family view is displayed.

  7. Configure a VPN target for the VPN instance IPv4 address family.

    vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    A VPN target is a BGP extended community attribute. It is used to control the receiving and advertisement of VPN routing information. A maximum of eight VPN targets can be configured using a vpn-target command.

  8. (Optional) Set the allowed maximum number of routes for the VPN instance IPv4 address family.

    routing-table limit number { alert-percent | simply-alert }

    The configuration restricts the number of routes imported from the attached CEs and peer PEs into a VPN instance on a PE, preventing the PE from receiving too many routes.

    After the routing-table limit command is run to increase the allowed maximum number of routes in a VPN instance IPv4 address family, or the undo routing-table limit command is run to cancel the limit, manually reconfigure the static routes that were previously rejected as exceeding the limit.

  9. (Optional) Set the allowed maximum number of route prefixes for the VPN instance IPv4 address family.

    prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

    The configuration restricts the number of route prefixes imported from the CE and peer PE into a VPN instance IPv4 address family on a PE, preventing the PE from receiving an excessive number of route prefixes.

    After the prefix limit command is run to increase the allowed maximum number of route prefixes in a VPN instance IPv4 address family or the undo prefix limit command is run to cancel the limit, the system adds newly received route prefixes of various protocols to the private network IP routing table.

    After the number of route prefixes exceeds the maximum limit, direct and static routes can still be added to the IPv4 address family routing table of VPN instances.

  10. (Optional) Set the interval for logging the event when the number of routes exceeds the threshold for the VPN instance IPv4 address family.

    limit-log-interval interval

  11. (Optional) Configure an import routing policy for the VPN instance IPv4 address family.

    import route-policy policy-name

    In addition to using a VPN target to control VPN route sending and receiving, an import routing policy can be configured to better control VPN route receiving. The routing policy filters routes before they are imported into the VPN instance IPv4 address family.

  12. (Optional) Configure an export routing policy for the VPN instance IPv4 address family.

    export route-policy policy-name

    Besides using a VPN target to control VPN route sending and receiving, an export routing policy can be configured to better control VPN route sending. The export routing policy filters routes before they are advertised to other PEs.

  13. (Optional) Apply a tunnel policy to the VPN instance IPv4 address family.

    tnl-policy policy-name

    A tunnel is specified for IPv4 VPN data forwarding when a tunnel policy is applied to a VPN instance IPv4 address family.

  14. (Optional) Configure MPLS label distribution based on the VPN instance IPv4 address family (known as one label per instance).

    apply-label per-instance

    One label is assigned to all the routes of the VPN instance IPv4 address family.

    When a large number of VPN routes on the PE exhausts MPLS label resources, the label per instance mode saves label resources on the PE and lowers the requirement for the PE capacity.

  15. (Optional) Configure one-label-per-route as the label allocation mode for routes that the VPN instance IPv4 address family sends to the peer PE.

    apply-label per-route

    By default, the VPN instance IPv4 address family assigns the same label to all routes to be sent to the peer PE.

    The apply-label per-instance and apply-label per-route commands are mutually exclusive. If both commands are run, the latest configuration overrides the previous one.
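The following is an added worked example that walks through the steps above for two VPN instances on one PE; it is not taken from the original page. The sysname FW, the instance names vpnA and vpnB, the RDs, VPN targets, service IDs, limit values and policy names are constructed for illustration, and the route-policy, ip ip-prefix and display commands used to define the import policy and verify the result are assumed to be available on the platform.

```text
# --- Constructed example, not from the original page ---
# Instance vpnA: full set of steps, one label per instance.
<FW> system-view
[FW] ip vpn-instance vpnA
[FW-vpn-instance-vpnA] description Customer-A-sites
[FW-vpn-instance-vpnA] service-id 100
[FW-vpn-instance-vpnA] ipv4-family
# RD must be unique per VPN instance on this PE.
[FW-vpn-instance-vpnA-af-ipv4] route-distinguisher 65000:100
# "both": export routes tagged 65000:100 and import routes carrying 65000:100.
[FW-vpn-instance-vpnA-af-ipv4] vpn-target 65000:100 both
# Cap the VRF at 1000 routes / 1000 prefixes, alert at 80 %;
# route-unchanged keeps existing prefixes when the limit is exceeded.
[FW-vpn-instance-vpnA-af-ipv4] routing-table limit 1000 80
[FW-vpn-instance-vpnA-af-ipv4] prefix limit 1000 80 route-unchanged
[FW-vpn-instance-vpnA-af-ipv4] limit-log-interval 30
# Import policy filters routes before they enter vpnA (defined below).
[FW-vpn-instance-vpnA-af-ipv4] import route-policy POLICY-A-IN
[FW-vpn-instance-vpnA-af-ipv4] apply-label per-instance
[FW-vpn-instance-vpnA-af-ipv4] quit
[FW-vpn-instance-vpnA] quit

# Instance vpnB: different RD; export and import targets set separately.
# vpnB shares no VPN target with vpnA, so the two VRFs stay isolated.
# It additionally imports 65000:300 (a constructed shared-services target).
[FW] ip vpn-instance vpnB
[FW-vpn-instance-vpnB] description Customer-B-sites
[FW-vpn-instance-vpnB] service-id 200
[FW-vpn-instance-vpnB] ipv4-family
[FW-vpn-instance-vpnB-af-ipv4] route-distinguisher 65000:200
[FW-vpn-instance-vpnB-af-ipv4] vpn-target 65000:200 export-extcommunity
[FW-vpn-instance-vpnB-af-ipv4] vpn-target 65000:200 65000:300 import-extcommunity
[FW-vpn-instance-vpnB-af-ipv4] routing-table limit 500 simply-alert
[FW-vpn-instance-vpnB-af-ipv4] apply-label per-route
[FW-vpn-instance-vpnB-af-ipv4] quit
[FW-vpn-instance-vpnB] quit

# Import policy referenced by vpnA (assumed syntax): accept only
# prefixes inside 10.1.0.0/16 with mask length 16 to 24, deny the rest.
[FW] ip ip-prefix PFX-A-IN index 10 permit 10.1.0.0 16 greater-equal 16 less-equal 24
[FW] route-policy POLICY-A-IN permit node 10
[FW-route-policy] if-match ip-prefix PFX-A-IN
[FW-route-policy] quit

# Verification: RD, VPN targets, limits and label mode per instance.
[FW] display ip vpn-instance verbose
```

Two checks worth making after applying such a configuration: that no two instances show the same RD in the display output, and that each instance's import targets overlap only with the export targets of the VRFs it is meant to receive routes from; any accidental overlap is exactly how routes leak between customer VPNs.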

Copyright © Huawei Technologies Co., Ltd.