Specify source IP addresses to VPN instances on S series switches


Run the hwtacacs-server authentication ip-address vpn-instance vpn-instance-name command on an S series switch (except the S1700 switch) running V100R006 or a later version to specify a VPN instance.

Other related questions:
How to ping the IP address of a VPN instance from a CE series switch
When performing a ping operation, specify -vpn-instance vpn-instance-name.
# Ping the IPv4 address of a VPN instance.
ping -vpn-instance vpna 10.1.1.2
# Ping the IPv6 address of a VPN instance.
ping ipv6 vpn-instance vpna FC00::1

RD value of a VPN instance on S series switches
Traditional BGP cannot process the VPN routes that have overlapping address spaces. Assume that both VPN1 and VPN2 use addresses on the network segment 10.110.10.0/24, and each of them advertises a route destined for this network segment. The local PE identifies the two VPN routes based on VPN instances and sends them to the remote PE. Because routes from different VPNs cannot work in load-balancing mode, the remote PE adds only one of the two routes based on BGP route selection rules. As a result, the route to the other VPN is lost.

To ensure that VPN routes of VPNs with overlapping address spaces are correctly processed, PE devices use MP-BGP to advertise VPN routes and use the VPN-IPv4 address family to identify the routes. RDs distinguish the IPv4 prefixes with the same address space. IPv4 addresses with RDs are VPN-IPv4 addresses (VPNv4 addresses). After receiving IPv4 routes from a CE, a PE converts the routes to globally unique VPN-IPv4 routes and advertises the routes on the public network.

The following is a configuration example:
#
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 200:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
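The effect of the RD on overlapping prefixes, shown as an added example that is not part of the original page or any vendor code. It handles only type 0 RDs (AS number:assigned number, as in 200:1), the RD 200:2 for VPN2 and all function names are assumptions, and a dictionary overwrite stands in for BGP route selection.

```python
import ipaddress
import struct

def encode_rd(rd: str) -> bytes:
    """Encode a type 0 RD ("ASN:number") as the 8-byte value from RFC 4364."""
    asn_text, num_text = rd.split(":")
    asn, num = int(asn_text), int(num_text)
    if not (0 <= asn <= 0xFFFF and 0 <= num <= 0xFFFFFFFF):
        raise ValueError(f"not a type 0 RD: {rd}")
    # 2-byte type field (0), 2-byte AS number, 4-byte assigned number
    return struct.pack("!HHI", 0, asn, num)

def vpnv4_key(rd: str, prefix: str) -> tuple:
    """Return (12-byte VPN-IPv4 address, IPv4 prefix length)."""
    net = ipaddress.ip_network(prefix, strict=True)
    return encode_rd(rd) + net.network_address.packed, net.prefixlen

def build_tables(routes):
    """Key the same routes by plain IPv4 prefix and by VPN-IPv4 prefix."""
    plain, vpnv4 = {}, {}
    for vpn, rd, prefix in routes:
        plain[prefix] = vpn                 # simplification: one route survives
        vpnv4[vpnv4_key(rd, prefix)] = vpn  # the RD keeps both routes distinct
    return plain, vpnv4

def rd_collisions(routes):
    """List (vpn_a, vpn_b, prefix) where different VPNs share RD and prefix."""
    seen, clashes = {}, []
    for vpn, rd, prefix in routes:
        key = vpnv4_key(rd, prefix)
        if key in seen and seen[key] != vpn:
            clashes.append((seen[key], vpn, prefix))
        seen.setdefault(key, vpn)
    return clashes

# Constructed sample routes: RD 200:1 is from the configuration above,
# RD 200:2 for VPN2 is an assumed value.
ROUTES = [("VPN1", "200:1", "10.110.10.0/24"),
          ("VPN2", "200:2", "10.110.10.0/24")]

if __name__ == "__main__":
    plain, vpnv4 = build_tables(ROUTES)
    print("IPv4 table:", plain)
    for (addr, plen), vpn in vpnv4.items():
        print(f"VPN-IPv4 {addr.hex()}/{plen} -> {vpn}")
    print("RD collisions:", rd_collisions(ROUTES))
```

Running `rd_collisions` over the planned RD assignments before deployment catches two VPN instances that were given the same RD, which would bring back the overlap the RD is meant to remove.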

VPN instance configuration on S series switch
For the configuration of BGP/MPLS IP VPN: On the S12700, see Example for Configuring BGP/MPLS IP VPN in the S12700 Typical Configuration Examples. On the S1720&S2700&S3700&S5700&S6700&S7700&S9700, see Example for Configuring BGP/MPLS IP VPN in the S1720&S2700&S3700&S5700&S6700&S7700&S9700 Typical Configuration Examples. On the S9300, see Example for Configuring BGP/MPLS IP VPN in the Sx300 Series Switches Typical Configuration Examples.

How is the source IP address of ping packets specified
The -a parameter specifies the source IP address of ping packets. If -a is not specified, the system looks up the outbound interface for the destination IP address in the routing table and uses that interface's IP address as the source IP address of ping packets. If there are equal-cost routes to the destination IP address, the system runs a hash algorithm based on the destination IP address, protocol number, ICMP type, and ICMP mode to select an outbound interface, and uses that interface's IP address as the source IP address of ping packets.

ACL based on source MAC addresses and destination IP addresses on S series switches
S series switches (except S1700 switches) do not support ACLs based on source MAC addresses and destination IP addresses. If only the source MAC address and destination MAC address need to be specified, you can configure a Layer 2 ACL whose number ranges from 4000 to 4999. If only the source IP address and destination IP address need to be specified, you can configure an advanced ACL whose number ranges from 3000 to 3999.
