VPN instance, VPN target attributes, Routing policy – H3C Technologies H3C SecPath F1000-E User Manual
Page 66: L3VPN networking schemes, Basic VPN networking scheme
The address spaces of VPNs may overlap. For example, if both VPN 1 and VPN 2 use the addresses on
network segment 10.110.10.0/24, address space overlapping occurs.
VPN instance
Routes of different VPNs are identified by VPN instance.
A PE creates and maintains a separate VPN instance for each VPN at a directly connected site. Each
VPN instance contains the VPN membership and routing rules of the corresponding site. If a user at a site
belongs to multiple VPNs at the same time, the VPN instance of the site contains information about all the
VPNs.
For the independence and security of VPN data, each VPN instance on a PE maintains a relatively
independent routing table and a separate label forwarding information base (LFIB). VPN instance
information contains these items: the LFIB, IP routing table, interfaces bound to the VPN instance, and
administration information of the VPN instance. The administration information of the VPN instance
includes the route distinguisher (RD), route filtering policy, and member interface list.
VPN target attributes
L3VPN uses the BGP extended community attributes called VPN target attributes, or route target
attributes, to control the advertisement of VPN routing information.
A VPN instance on a PE supports two types of VPN target attributes:
• Export target attribute: A local PE sets this type of VPN target attribute for VPN-IPv4 routes learnt
  from directly connected sites before advertising them to other PEs.
• Import target attribute: A PE checks the export target attribute of VPN-IPv4 routes advertised by
  other PEs. If the export target attribute matches the import target attribute of the VPN instance, the
  PE adds the routes to the VPN routing table.
In other words, VPN target attributes define which sites can receive VPN-IPv4 routes, and from which
sites a PE can receive routes.
Like RDs, VPN target attributes can be of two formats:
• 16-bit AS number:32-bit user-defined number. For example, 100:1.
• 32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.
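The import/export matching described above can be modelled to audit which sites actually exchange routes. The following is an added example, not code from the H3C manual or device: the site names, RDs, prefixes and the intended-reachability set are constructed, and treating a route as imported when any one of its export targets equals any import target is the usual L3VPN rule (RFC 4364), assumed here.

```python
from dataclasses import dataclass

def parse_target(text):
    """Validate one VPN target in either documented format; return it normalised."""
    admin, sep, num = text.rpartition(":")
    ok = bool(sep) and num.isdigit()
    if ok and admin.isdigit():               # 16-bit AS number : 32-bit number
        ok = int(admin) < 2**16 and int(num) < 2**32
    elif ok:                                 # 32-bit IPv4 address : 16-bit number
        octets = admin.split(".")
        ok = (len(octets) == 4 and int(num) < 2**16
              and all(o.isdigit() and int(o) < 256 for o in octets))
    if not ok:
        raise ValueError(f"bad VPN target: {text!r}")
    return f"{admin}:{int(num)}"

@dataclass
class VpnInstance:
    name: str
    rd: str          # route distinguisher, keeps overlapping prefixes distinct
    imports: set     # import target attributes
    exports: set     # export target attributes
    prefixes: tuple  # routes learnt from the directly connected site

def imported_routes(receiver, instances):
    """Return (rd, prefix, origin) for routes whose export targets match receiver's imports."""
    want = {parse_target(t) for t in receiver.imports}
    return sorted((src.rd, p, src.name) for src in instances if src is not receiver
                  and want & {parse_target(t) for t in src.exports}
                  for p in src.prefixes)

def audit(instances, intended):
    """Return (receiver, origin) pairs that exchange routes but are not in `intended`."""
    seen = {(r.name, origin) for r in instances
            for _, _, origin in imported_routes(r, instances)}
    return sorted(seen - intended)

# Constructed sample: two VPNs reusing 10.110.10.0/24; siteD also imports 100:1 by mistake.
SITES = [
    VpnInstance("vpn1-siteA", "100:1", {"100:1"}, {"100:1"}, ("10.110.10.0/24",)),
    VpnInstance("vpn1-siteB", "100:2", {"100:1"}, {"100:1"}, ("10.110.20.0/24",)),
    VpnInstance("vpn2-siteC", "100:3", {"100:2"}, {"100:2"}, ("10.110.10.0/24",)),
    VpnInstance("vpn2-siteD", "100:4", {"100:2", "100:1"}, {"100:2"}, ("10.110.30.0/24",)),
]
INTENDED = {("vpn1-siteA", "vpn1-siteB"), ("vpn1-siteB", "vpn1-siteA"),
            ("vpn2-siteC", "vpn2-siteD"), ("vpn2-siteD", "vpn2-siteC")}

if __name__ == "__main__":
    print("unintended imports:", audit(SITES, INTENDED))
```

The audit reports that vpn2-siteD accepts VPN 1 routes while VPN 1 receives nothing from it: an extra import target leaks routes in one direction only, which a connectivity test from the VPN 1 side would not reveal.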
Routing policy
In addition to the import and export extended communities for controlling VPN route advertisement, you
can also configure import and export routing policies to control the injection and advertisement of VPN
routes more precisely.
An import routing policy can further filter the routes that the import target attribute admits into a
VPN instance: it can reject routes selected by the communities in the import target attribute. An
export routing policy can reject the routes selected by the communities in the export target
attribute.
After a VPN instance is created, you can configure import and/or export routing policies as needed.
L3VPN Networking Schemes
In VPNs, VPN target attributes are used to control the advertisement and reception of VPN routes
between sites. They work independently and can be configured with multiple values to support flexible
VPN access control and implement multiple types of VPN networking schemes.
Basic VPN networking scheme