Configuring a VPN Instance

A VPN instance can be configured on a PE to manage VPN routes.

Context

In a BGP/MPLS IP VPN, an instance is created for each VPN to hold that VPN's forwarding information. This instance is called a VPN instance or a VPN routing and forwarding (VRF) table. In related standards, a VPN instance is called a per-site forwarding table.

VPN instances are used to isolate VPN routes from public network routes. Routes of different VPN instances are isolated from one another. VPN instances need to be configured in all types of BGP/MPLS IP VPN networking solutions.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run ip vpn-instance vpn-instance-name

    A VPN instance is created, and its view is displayed.

    The name of a VPN instance is case sensitive. For example, vpn1 and VPN1 are considered different VPN instances.

    PEs do not have default VPN instances. Multiple VPN instances can be created on a PE.

  3. (Optional) Run description description-information

    A description is configured for the VPN instance.

    Like a host name or an interface description, the VPN instance description helps users remember what the VPN instance is for.

  4. (Optional) Run service-id id

    A service ID is created for the VPN instance.

    A service ID is unique on a device. It distinguishes a VPN service from other VPN services on the network.

  5. (Optional) Run vpn-id vpn-id

    A VPN ID is configured.

    You can run this command to create a globally unique ID for a VPN instance based on the plan. In a CU separation scenario, you can run this command to set the same VPN ID for the control plane and forwarding plane, preventing VPN ID inconsistency.

  6. Run ipv4-family

    A VPN instance IPv4 address family is configured, and its view is displayed.

    The VPN instance configuration can be performed only after an address family is configured based on the types of routes to be advertised and data to be forwarded.

  7. Run route-distinguisher route-distinguisher

    An RD is set for the VPN instance IPv4 address family.

    A VPN instance IPv4 address family takes effect only after being assigned an RD. The RDs of different VPN instance IPv4 address families on a PE must be different.

    • If you set an RD for the VPN instance IPv4 address family directly after you create a VPN instance and enter its view, the VPN instance IPv4 address family is automatically enabled and its view is displayed.

    • If a large number of VPN instances need to be created and a large number of RDs need to be planned, run the route route-distinguisher auto rd-ip command in the system view to enable automatic RD allocation and set the rd-ip parameter to an IPv4 address. Then the device can assign RDs in the format of X.X.X.X:index to all VPN instances that are not assigned RDs. The value of index is a 2-byte value automatically assigned in a range of 1 to 65535.

  8. Run vpn-target vpn-target &<1-8> [ both | export-extcommunity | import-extcommunity ]

    VPN targets are configured for the VPN instance IPv4 address family.

    A VPN target is a BGP extended community attribute. It is used to control the advertisement or acceptance of VPNv4 routes. A maximum of eight VPN targets can be configured each time the vpn-target command is run. To configure more VPN targets in the VPN instance IPv4 address family view, run the vpn-target command multiple times.

  9. (Optional) Run prefix limit number { alert-percent [ route-unchanged ] | simply-alert }

    The maximum number of route prefixes supported by the VPN instance IPv4 address family is configured.

    The configuration restricts the number of route prefixes imported from the CEs and peer PEs into a VPN instance IPv4 address family on a local PE, preventing the local PE from receiving too many route prefixes.

    If the number of route prefixes has already exceeded the specified maximum and you then run the prefix limit command to increase the maximum for the VPN instance IPv4 address family, or run the undo prefix limit command to delete the maximum, the device adds the excess route prefixes of various protocols to the VRP routing table.

    After the number of route prefixes exceeds the maximum number, direct and static routes can still be added to the routing table of the VPN instance IPv4 address family.

  10. (Optional) Run import route-policy policy-name

    An import route-policy is applied to the VPN instance IPv4 address family.

    In addition to using a VPN target to control the advertisement or acceptance of VPN routes, you can use an import route-policy to better control the acceptance of VPN routes. The import route-policy filters the routes to be imported to the VPN instance IPv4 address family or modifies route attributes.

  11. (Optional) Run export route-policy policy-name [ add-ert-first ]

    An export route-policy is applied to the VPN instance IPv4 address family.

    In addition to using a VPN target to control the advertisement or acceptance of VPN routes, you can use an export route-policy to better control the advertisement of VPN routes. The export route-policy filters routes to be advertised to other PEs or modifies route attributes.

    By default, export VPN targets are added to VPN routes after these routes match an export route-policy. If the export route-policy contains VPN target-related filtering rules, those rules cannot take effect on these routes, because the export VPN targets have not yet been added when the routes are matched. To prevent such rule-induced failures, configure the add-ert-first parameter to instruct the device to add export VPN targets to VPN routes before these routes are matched against the export route-policy.

  12. (Optional) Run import route-filter route-filter-name

    An import route-filter is applied to the VPN instance IPv4 address family.

    In addition to using a VPN target to control the advertisement or acceptance of VPN routes, you can use an import route-filter to better control the acceptance of VPN routes. The import route-filter filters the routes to be imported to the VPN instance IPv4 address family or modifies route attributes.

  13. (Optional) Run export route-filter route-filter-name [ add-ert-first ]

    An export route-filter is applied to the VPN instance IPv4 address family.

    In addition to using a VPN target to control the advertisement or acceptance of VPN routes, you can use an export route-filter to better control the advertisement of VPN routes. The export route-filter filters routes to be advertised to other PEs or modifies route attributes.

    By default, export VPN targets are added to VPN routes after these routes match an export route-filter. If the export route-filter contains VPN target-related filtering rules, those rules cannot take effect on these routes, because the export VPN targets have not yet been added when the routes are matched. To prevent such rule-induced failures, configure the add-ert-first parameter to instruct the device to add export VPN targets to VPN routes before these routes are matched against the export route-filter.

  14. (Optional) Run tnl-policy policy-name

    A tunnel policy is applied to the VPN instance IPv4 address family.

    A tunnel can be specified for VPNv4 data forwarding using a tunnel policy that is applied to a VPN instance IPv4 address family.

  15. (Optional) Configure a label distribution mode for the VPN instance IPv4 address family.

    • To configure the VPN instance IPv4 address family to assign a label to each route or routes with the same next hop before the routes are sent to a peer PE, run the apply-label { per-nexthop | per-route } pop-go command. After receiving a data packet with the label, the peer PE removes the label, searches the ILM table for an outbound interface, and forwards the packet through the outbound interface.
    • To configure a label distribution mode for the VPN instance IPv4 address family, run the apply-label { per-instance | per-nexthop | per-route } command.

    The apply-label { per-nexthop | per-route } pop-go command is mutually exclusive with the apply-label { per-instance | per-nexthop | per-route } command. If you run both commands, the later configuration overrides the previous one.

  16. Run commit

    The configuration is committed.
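
The following added example (not Huawei code or tooling) reviews a planned configuration against the rules stated in steps 2, 7, 8 and 9: instance names are case sensitive, each VPN instance IPv4 address family needs an RD, RDs on a PE must differ, VPN targets are configured, and a prefix limit bounds imported prefixes. The indented configuration layout, the sample names and values, and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample in an assumed indented layout; all names and values are made up.
SAMPLE = """\
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:1 both
  prefix limit 1000 80
#
ip vpn-instance VPN1
 ipv4-family
  route-distinguisher 100:1
  vpn-target 100:2 both
#
ip vpn-instance vpn3
 ipv4-family
  vpn-target 100:3 both
  prefix limit 500 simply-alert
#
"""

BLOCK = re.compile(r"^ip vpn-instance (\S+)\n((?: .*\n)*)", re.M)
V4 = re.compile(r"^ ipv4-family\n((?:  .*\n)*)", re.M)
def parse(config):
    """Map each instance name (case preserved) to its ipv4-family commands."""
    out = {}
    for name, body in BLOCK.findall(config):
        v4 = V4.search(body)
        out[name] = [l.strip() for l in v4.group(1).splitlines()] if v4 else []
    return out

def audit(config):
    """Return sorted (instance, finding) pairs for the rules in steps 7 to 9."""
    findings, rd_owners = [], defaultdict(list)
    for name, cmds in parse(config).items():
        rds = [c.split()[1] for c in cmds if c.startswith("route-distinguisher ")]
        if rds:
            rd_owners[rds[0]].append(name)
        else:  # without an RD the address family does not take effect
            findings.append((name, "no RD"))
        if not any(c.startswith("vpn-target ") for c in cmds):
            findings.append((name, "no vpn-target"))
        if not any(c.startswith("prefix limit ") for c in cmds):
            findings.append((name, "no prefix limit"))
    for rd, names in rd_owners.items():  # RDs must be unique on one PE
        findings += [(n, f"duplicate RD {rd}") for n in names if len(names) > 1]
    return sorted(findings)
```

On the sample, vpn1 and VPN1 are parsed as two separate instances and both are flagged for sharing an RD. Instances that rely on automatic RD allocation would be reported as "no RD" by this check.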

Copyright © Huawei Technologies Co., Ltd.