The vpn-instance-traffic command configures a VPN instance corresponding to user traffic of the IKE user table.
The undo vpn-instance-traffic command deletes a VPN instance corresponding to user traffic of the IKE user table.
By default, the VPN instance corresponding to user traffic of the IKE user table is not configured.
| Parameter | Description | Value |
|---|---|---|
| public | Indicates that user traffic of the IKE user table is public network traffic. | - |
| name vpn-instance-name | Specifies the name of a VPN instance. | The value must be an existing VPN instance name. |
Usage Scenario
In a scenario where multiple branches connect to the headquarters, you can run the sa binding vpn-instance command to specify the VPN instance that IPSec tunnel traffic belongs to, thereby isolating traffic of different branches. When the device functions as the headquarters gateway and an IPSec policy is created using an IPSec policy template, the headquarters gateway cannot distinguish VPNs of different branches. You can run the vpn-instance-traffic command to specify VPNs for different branches.
Prerequisites
A VPN instance has been created using the ip vpn-instance command.
An RD has been configured using the route-distinguisher command.
Precautions
After an IKE user table is referenced by an IKE peer, the VPN instance configured by this command takes precedence over the VPN instance configured by the sa binding vpn-instance command.
IPSec IPv6 does not support IPSec VPN Multi-instance.
# Configure a VPN instance named vrf1 corresponding to user traffic of the IKE user table.
```
<sysname> system-view
[sysname] ip vpn-instance vrf1
[sysname-vpn-instance-vrf1] route-distinguisher 22:1
[sysname-vpn-instance-vrf1-af-ipv4] quit
[sysname-vpn-instance-vrf1] quit
[sysname] ike user-table 10
[sysname-ike-user-table-10] user user1
[sysname-ike-user-table-10-user1] vpn-instance-traffic name vrf1
```
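An added example, not part of the vendor documentation: a Python check that reads configuration text and reports IKE user-table users whose vpn-instance-traffic binding is left at the default, names a VPN instance that does not exist, or names one without an RD (the prerequisites above). The saved-configuration layout, the function name `audit` and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample in saved-configuration style; not from a real device.
SAMPLE_CONFIG = """\
ip vpn-instance vrf1
 ipv4-family
  route-distinguisher 22:1
#
ip vpn-instance vrf2
#
ike user-table 10
 user user1
  vpn-instance-traffic name vrf1
 user user2
  vpn-instance-traffic name vrf2
 user user3
  vpn-instance-traffic name vrf9
 user user4
"""

def audit(config):
    """Return sorted (table/user, problem) findings for IKE user table bindings."""
    has_rd = {}    # VPN instance name -> True once a route-distinguisher is seen
    binding = {}   # "table/user" -> "public", "name <vpn>", or None (default)
    vpn = table = user = None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("#"):                 # section separator: reset context
            vpn = table = user = None
        elif m := re.fullmatch(r"ip vpn-instance (\S+)", line):
            vpn, table, user = m.group(1), None, None
            has_rd.setdefault(vpn, False)
        elif vpn and line.startswith("route-distinguisher "):
            has_rd[vpn] = True
        elif m := re.fullmatch(r"ike user-table (\d+)", line):
            vpn, table, user = None, m.group(1), None
        elif table and (m := re.fullmatch(r"user (\S+)", line)):
            user = f"{table}/{m.group(1)}"
            binding[user] = None
        elif user and (m := re.fullmatch(r"vpn-instance-traffic (public|name \S+)", line)):
            binding[user] = m.group(1)
    findings = []
    for who, target in binding.items():
        name = target[5:] if target and target != "public" else None
        if target is None:
            findings.append((who, "no VPN instance configured (default)"))
        elif name and name not in has_rd:
            findings.append((who, f"VPN instance {name} does not exist"))
        elif name and not has_rd[name]:
            findings.append((who, f"VPN instance {name} has no RD"))
    return sorted(findings)
```

Calling `audit(SAMPLE_CONFIG)` flags user2 (vrf2 has no RD), user3 (vrf9 does not exist) and user4 (no binding), while user1 passes.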