VPN instance, VPN target attributes, Routing policy – H3C Technologies H3C SecPath F1000-E User Manual



The address spaces of VPNs may overlap. For example, if both VPN 1 and VPN 2 use the addresses on network segment 10.110.10.0/24, address space overlapping occurs.

VPN instance

Routes of different VPNs are identified by VPN instance.

A PE creates and maintains a separate VPN instance for each VPN at a directly connected site. Each VPN instance contains the VPN membership and routing rules of the corresponding site. If a user at a site belongs to multiple VPNs at the same time, the VPN instance of the site contains information about all the VPNs.

For the independence and security of VPN data, each VPN instance on a PE maintains a relatively independent routing table and a separate label forwarding information base (LFIB). VPN instance information contains these items: the LFIB, IP routing table, interfaces bound to the VPN instance, and administration information of the VPN instance. The administration information of the VPN instance includes the route distinguisher (RD), route filtering policy, and member interface list.

VPN target attributes

L3VPN uses the BGP extended community attributes called VPN target attributes, or route target attributes, to control the advertisement of VPN routing information.

A VPN instance on a PE supports two types of VPN target attributes:

Export target attribute: A local PE sets this type of VPN target attribute for VPN-IPv4 routes learnt from directly connected sites before advertising them to other PEs.

Import target attribute: A PE checks the export target attribute of VPN-IPv4 routes advertised by other PEs. If the export target attribute matches the import target attribute of the VPN instance, the PE adds the routes to the VPN routing table.

In other words, VPN target attributes define which sites can receive VPN-IPv4 routes, and from which sites a PE can receive routes.

Like RDs, VPN target attributes can be of two formats:

16-bit AS number:32-bit user-defined number. For example, 100:1.

32-bit IPv4 address:16-bit user-defined number. For example, 172.1.1.1:1.
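
The import/export matching rule above can be checked offline against a planned set of VPN instances to catch a target that would leak routes between VPNs. The following Python sketch is an added example, not code from the H3C manual: the function names, the dictionary layout and the sample instances are assumptions made for illustration, and the sample data is constructed.

```python
import ipaddress

def parse_target(text):
    """Return a canonical tuple for a VPN target in either documented format."""
    admin, sep, number = text.strip().rpartition(":")
    if not sep or not number.isdigit():
        raise ValueError(f"malformed VPN target: {text!r}")
    number = int(number)
    if admin.isdigit():  # 16-bit AS number:32-bit user-defined number
        if int(admin) > 0xFFFF or number > 0xFFFFFFFF:
            raise ValueError(f"field out of range: {text!r}")
        return ("as", int(admin), number)
    addr = ipaddress.IPv4Address(admin)  # 32-bit IPv4 address:16-bit number
    if number > 0xFFFF:
        raise ValueError(f"field out of range: {text!r}")
    return ("ip", int(addr), number)

def accepts(export_targets, import_targets):
    """True if any export target carried by a route matches an import target."""
    exported = {parse_target(t) for t in export_targets}
    return bool(exported & {parse_target(t) for t in import_targets})

def route_flows(instances):
    """Return (exporter, importer) pairs whose targets let routes cross."""
    return {(src, dst)
            for src, s in instances.items()
            for dst, d in instances.items()
            if src != dst and accepts(s["export"], d["import"])}

def unexpected_flows(instances, intended):
    """Flows permitted by the targets that are not in the intended design."""
    return route_flows(instances) - set(intended)

# Constructed sample: vpn2 carries an extra import target ("100:01" is the
# same value as "100:1"), so it would install routes exported by vpn1.
INSTANCES = {
    "vpn1": {"export": ["100:1"], "import": ["100:1"]},
    "vpn2": {"export": ["100:2"], "import": ["100:2", "100:01"]},
    "mgmt": {"export": ["172.1.1.1:1"], "import": ["172.1.1.1:1"]},
}

if __name__ == "__main__":
    for src, dst in sorted(unexpected_flows(INSTANCES, intended=[])):
        print(f"{dst} imports routes exported by {src}")
```

Comparing parsed values rather than raw strings is what catches `100:01` against `100:1`; with overlapping address spaces such as 10.110.10.0/24 in both VPNs, a flow like this would place another VPN's prefixes in the importing instance's routing table.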

Routing policy

In addition to the import and export extended communities for controlling VPN route advertisement, you can also configure import and export routing policies to control the injection and advertisement of VPN routes more precisely.

An import routing policy can further filter the routes that the import target attribute allows to be advertised to a VPN instance: it can reject routes selected by the communities in the import target attribute. An export routing policy can reject routes selected by the communities in the export target attribute.

After a VPN instance is created, you can configure import and/or export routing policies as needed.

L3VPN Networking Schemes

In VPNs, VPN target attributes are used to control the advertisement and reception of VPN routes between sites. They work independently and can be configured with multiple values to support flexible VPN access control and implement multiple types of VPN networking schemes.

Basic VPN networking scheme
