22-Application-aware Networking Command Reference


APN6 commands

apn

Use apn to enable Application-aware Networking (APN) and enter APN view.

Use undo apn to disable APN and delete the configuration in APN view.

Syntax

apn

undo apn

Default

APN is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application-aware networking (APN) is a new network architecture that enables the network devices to provide application-aware network services. The edge devices in an APN network encapsulate application attributes (APN ID and APN parameters) in packets. These encapsulated packets are then tunneled across the APN network.

The transit nodes (APN-Midpoint nodes) on an APN network provide application-aware services based on the application attributes in packets. The data plane for tunneling application workloads can be based on IPv6 or MPLS. APN6 uses IPv6 in the data plane to provide application-aware services. It offers greater scalability and better suits the development trend of future SDN networks than MPLS-based APN.

To configure the device for APN, you must first execute the apn command to enter APN view.

Examples

# Enable APN and enter APN view.

<Sysname> system-view

[Sysname] apn

[Sysname-apn]

apn-field

Use apn-field to assign a value to an APP-Group-ID or User-Group-ID field in the APN ID template applied to an APN ID instance.

Use undo apn-field to delete the value for an APP-Group-ID or User-Group-ID field from the APN ID template applied to an APN ID instance.

Syntax

apn-field field-name field-value

undo apn-field field-name field-value

Default

No values are assigned to the APP-Group-ID or User-Group-ID fields in the APN ID template applied to an APN ID instance.

Views

APN ID instance view

Predefined user roles

network-admin

Parameters

field-name: Specifies the name of an APP-Group-ID or User-Group-ID field. It is a case-sensitive string of 1 to 31 characters.

field-value: Assigns a value to the specified APP-Group-ID or User-Group-ID field. The value range depends on the length set for the field.

Usage guidelines

Operating mechanism

To generate an APN ID for a service flow, you must apply an APN ID template to an APN ID instance, and then execute the apn-field command to assign values to the APP-Group-ID and User-Group-ID fields in the APN ID template.

Restrictions and guidelines

·     To execute the apn-field command successfully, you must make sure the specified APP-Group-ID or User-Group-ID field name already exists in the APN ID template applied to the APN ID instance.

·     The value assigned to the APP-Group-ID or User-Group-ID field cannot exceed the length specified for it in the APN ID template. For example, if you set the length of an APP-Group-ID field to 4, the maximum value you can assign to it will be 2 to the power of 4 minus 1, which is 15.

·     If you do not assign a value to an APP-Group-ID or User-Group-ID field in the APN ID template, the value for that field will be set to 0.

Examples

# Apply APN ID template tmplt1 to APN ID instance ins1. Assign a value of 300 to the APP-Group-ID field named app-group1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template tmplt1 length 64 app-group 48 user-group 16

[Sysname-apn-ipv6-template-tmplt1] app-group index 1 app-group1 length 32

[Sysname-apn-ipv6-template-tmplt1] quit

[Sysname-apn-ipv6] apn-id instance ins1

[Sysname-apn-ipv6-instance-ins1] template tmplt1

[Sysname-apn-ipv6-instance-ins1] apn-field app-group1 300

Related commands

apn-id template

app-group index

user-group index

apn-id inherit

Use apn-id inherit to configure APN ID inheritance.

Use undo apn-id inherit to restore the default.

Syntax

apn-id inherit { enable | disable }

undo apn-id inherit

Default

By default, the device uses the following APN ID inheritance mechanism:

·     When the device decapsulates an APN packet, it does not copy the APN ID to the new packet.

·     When the device encapsulates an APN packet, it copies the APN ID from the inner packet header to the new outer header. For example, you can configure the device to take this action if it acts as the stitching node to connect SRv6 TE policies based on the BSID.

Views

APN6 view

Predefined user roles

network-admin

Parameters

enable: Specifies inheritance mode. In this mode, the device copies the APN ID from the inner packet header to the outer packet header when it encapsulates an APN packet. When it decapsulates an APN packet, the device copies the APN ID from the outer packet header to the inner packet header.

disable: Specifies non-inheritance mode. In this mode, the device does not copy the APN ID from the inner packet header to the outer packet header, or vice versa.

Usage guidelines

Enable inheritance mode on the APN-midpoint nodes on the APN6 network. This configuration ensures that the APN attribute can be transported to the APN-endpoint nodes for them to provide application-aware services.

Use non-inheritance mode on APN-edge and APN-endpoint nodes. The downstream devices attached to these nodes do not need the application attribute for identification of application requirements.

Examples

# Enable APN ID inheritance mode.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id inherit enable

apn-id instance

Use apn-id instance to create an APN ID instance and enter its view, or enter the view of an existing APN ID instance.

Use undo apn-id instance to delete an APN ID instance.

Syntax

apn-id instance instance-name

undo apn-id instance instance-name

Default

No APN ID instances exist.

Views

APN6 view

Predefined user roles

network-admin

Parameters

instance-name: Specifies an APN ID instance by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

To generate an APN ID for an application workload, you must first create an APN ID instance. Then, you perform the following tasks:

·     Execute the template command to apply an APN ID template to the APN ID instance.

·     Execute the apn-field command to assign values to the APP-Group-ID and User-Group-ID fields in the APN ID template.

Restrictions and guidelines

You cannot delete an APN ID instance if it has been specified in an APN isolation rule configured by using the index instance isolate-group behavior command. To delete that APN ID instance, you must first delete the APN isolation rule.

Examples

# Create APN ID instance ins1 and enter its view.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id instance ins1

Related commands

apn-field

template (APN ID instance view)

apn-id template

Use apn-id template to create an APN ID template and enter its view, or enter the view of an existing APN ID template.

Use undo apn-id template to delete an APN ID template.

Syntax

apn-id template template-name [ length total-length { app-group app-group-length | user-group user-group-length } * ]

undo apn-id template template-name

Default

No APN ID templates exist.

Views

APN IPv6 view

Predefined user roles

network-admin

Parameters

template-name: Specifies an APN ID template name, a case-sensitive string of 1 to 31 characters.

length total-length: Specifies the total length of the APN ID space, in bits. The value for the total-length argument is fixed at 64. You must specify the total length of the APN ID space when you create an APN ID template.

app-group app-group-length: Specifies the length of the APP-Group-ID space. The value range is 1 to 64. If you do not specify a length for the APP-Group-ID space, the APN ID space will not include the APP-Group-ID space.

user-group user-group-length: Specifies the length of the User-Group-ID space. The value range is 1 to 64. If you do not specify a length for the User-Group-ID space, the APN ID space will not include the User-Group-ID space.

Usage guidelines

Operating mechanism

As shown in Figure 1, use apn-id template to define a structured APN ID template.

An APN ID typically contains the following segments:

·     APP-Group-ID—Variable-length identifier for an application group.

·     User-Group-ID—Variable-length identifier for a user group.

·     Reserved—Field reserved for future use. Its length equals the length of the APN ID space minus the lengths of the APP-Group-ID and User-Group-ID spaces.

The APP-Group-ID and User-Group-ID spaces can be subdivided into multiple variable-length fields, each uniquely identified by a field name in the APN ID template.

·     A field in the APP-Group-ID space represents an application or service and is called an APP-Group-ID field. You can use one APN ID to identify a group of applications or services that have the same quality assurance requirements.

·     A field in the User-Group-ID space represents a user and is called a User-Group-ID field.

Figure 1 Structured APN ID template

 

To generate a concrete APN ID, you must apply an APN ID template to an APN ID instance, and then assign values to the APP-Group-ID and User-Group-ID fields in the APN ID template.

Restrictions and guidelines

·     The total APN ID length is fixed at 64 bits for APN ID templates on the device.

·     In an APN ID template, the total length of the APP-Group-ID and User-Group-ID spaces cannot exceed the length of the APN ID space.

·     You cannot add, modify, or delete the total length of the APP-Group-ID space in an APN ID template if you have created User-Group-ID fields by using the user-group index command in that template. To add, modify, or delete the total length of the APP-Group-ID space in this situation, you must first execute the undo user-group index command to delete all the User-Group-ID fields in the APN ID template.

·     To successfully modify the total length of the APP-Group-ID or User-Group-ID space in an APN ID template, make sure the new length is higher than the combined length of all existing APP-Group-ID or User-Group-ID fields, respectively.

·     You cannot delete an APN ID template if it has been applied to an APN ID instance. To delete that APN ID template, you must first remove the APN ID template from the APN ID instance.

Examples

# Create an APN ID template named aaa and enter its view. Set the total length of the APN ID space to 64 bits, the total length of the APP-Group-ID space to 24 bits, and the total length of the User-Group-ID space to 24 bits.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template aaa length 64 app-group 24 user-group 24

Related commands

app-group index

user-group index

template (APN ID instance view)

apn-id isolate policy

Use apn-id isolate policy to create an APN isolation policy and enter its view, or enter the view of an existing APN isolation policy.

Use undo apn-id isolate policy to delete an APN isolation policy.

Syntax

apn-id isolate policy policy-name

undo apn-id isolate policy policy-name

Default

No APN isolation policies exist.

Views

APN6 view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an APN isolation policy by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

In an APN6 network, a single VPN might transport multiple types of service flows between multiple branch sites. APN isolation policies enable you to block a service flow between two sites as needed for flexible service deployment.

Operating mechanisms

An APN isolation group identifies the outgoing interfaces or public tunnels from one set of branch sites to another set of branch sites within the same VPN instance. To block the service flow of an application from one site to another, you configure an APN isolation policy to associate the APN ID instance for the application with the APN isolation group.

To block the service flow identified by an APN ID between two sites within the same VPN, perform the following tasks after you create an APN isolation policy:

1.     Execute the index instance isolate-group behavior command to configure an isolation rule in the APN isolation policy. In the rule, map the APN ID instance to the desired APN isolation group and set the action to take on the rule-matching traffic. Then, the device creates a two-tuple entry of the APN ID instance and APN isolation group. When it receives a service flow that matches the APN ID in the entry, the device does not forward it to the interfaces or public tunnels in the matching APN isolation group.

2.     Create an APN isolation group and assign the public tunnel or the private network interface to the isolation group, as follows:

a.     In APN isolation group and VPN mapping view, configure a mapping of the VPN instance, SRv6 locator on the remote PE, and the APN isolation group. This mapping enables the device to identify the public tunnel in the APN isolation group for the SRv6 locator when it searches the FIB to forward the service flow identified by the APN ID.

b.     Assign the private network interface to the APN isolation group.

3.     Apply the APN isolation policy to the VPN instance.

The following are the most common APN isolation policy use cases in a multi-site VPN deployment:

·     Prevent the device from forwarding the service flow identified by a particular APN ID out of a private network interface bound to a VPN instance.

For example, a PE device uses VPN instance vpn1 to convey traffic from the sites attached to its site-facing interfaces named Interface 1, Interface 2, and Interface 3. When the PE device receives a packet from Interface 1 to Interface 3, the PE device performs the following operations:

¡     Obtains the APN ID from the packet and searches the FIB for the outgoing interface. If the outgoing interface is Interface 3, the PE device identifies the APN isolation group membership of the interface.

¡     If it is a member of an APN isolation group, the device searches the APN isolation policy applied to the VPN instance for a rule that contains both the APN ID and APN isolation group.

¡     If a matching isolation rule is found, the device does not forward the packet out of the outgoing interface. If no matching isolation rule is found, the device forwards the packet out of its outgoing private network interface.

·     Prevent the device from forwarding the service flow identified by a particular APN ID out of an SRv6 tunnel. For example, CEs 1 and 2 connect to PEs 1 and 2, respectively. The two PEs establish an SRv6 tunnel to convey traffic between the CEs. PE 2 assigns an SRv6 SID from a local SRv6 locator to the VPN route destined for CE 2 and advertises the SID to PE 1. When PE 1 receives a packet from CE 1 to CE 2, PE 1 identifies that its outgoing interface is the SRv6 tunnel based on the SRv6 SID. Then, PE 1 obtains the APN ID for the packet and identifies the APN isolation group based on the VPN instance and the SRv6 locator received from PE 2 for reaching CE 2. Based on the APN ID and the APN isolation group, PE 1 searches the APN isolation policy for a matching isolation rule. If a match is found, PE 1 does not forward the packet out of the tunnel. If no match is found, PE 1 forwards the packet out of the tunnel.
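The interface-based lookup described above, modeled in Python as an added example (not H3C code and not part of the original reference). It assumes exact APN ID matching and leaves out groups reached through SRv6 locator mappings; the class, function and interface names are hypothetical, and audit() lists rules that cannot take effect because a configuration step is missing.

```python
from dataclasses import dataclass, field


@dataclass
class IsolationConfig:
    instances: dict = field(default_factory=dict)      # APN ID instance -> APN ID
    policies: dict = field(default_factory=dict)       # policy -> [(instance, group)]
    group_members: dict = field(default_factory=dict)  # interface -> isolation group
    if_vpn: dict = field(default_factory=dict)         # interface -> bound VPN instance
    vpn_policy: dict = field(default_factory=dict)     # VPN instance -> inbound policy


def decide(cfg, vpn, apn_id, out_if):
    """Return 'drop' or 'forward' for a packet whose FIB lookup chose out_if."""
    group = cfg.group_members.get(out_if)
    # No group membership, or interface not bound to this VPN: nothing to isolate.
    if group is None or cfg.if_vpn.get(out_if) != vpn:
        return "forward"
    policy = cfg.vpn_policy.get(vpn)
    for instance, rule_group in cfg.policies.get(policy, []):
        # A rule matches only if it holds both the APN ID and the group.
        if rule_group == group and cfg.instances.get(instance) == apn_id:
            return "drop"
    return "forward"


def audit(cfg):
    """List isolation rules that are configured but cannot block anything."""
    findings = []
    applied = set(cfg.vpn_policy.values())
    for policy, rules in sorted(cfg.policies.items()):
        if policy not in applied:
            findings.append(f"policy {policy}: not applied to any VPN instance")
        for _instance, group in rules:
            members = [i for i, g in cfg.group_members.items() if g == group]
            if not members:
                findings.append(f"policy {policy}: group {group} has no member interface")
            for interface in members:
                if interface not in cfg.if_vpn:
                    findings.append(
                        f"interface {interface}: in {group} but not bound to a VPN instance")
    return findings


def sample_config():
    # Constructed sample: vpn1 with three site-facing interfaces, as in the
    # use case above, plus a second policy that was never fully deployed.
    return IsolationConfig(
        instances={"ins1": 0x0200000000000000},
        policies={"p1": [("ins1", "group1")], "p2": [("ins1", "group2")]},
        group_members={"Interface3": "group1", "Interface4": "group2"},
        if_vpn={"Interface1": "vpn1", "Interface2": "vpn1", "Interface3": "vpn1"},
        vpn_policy={"vpn1": "p1"},
    )


if __name__ == "__main__":
    cfg = sample_config()
    print(decide(cfg, "vpn1", 0x0200000000000000, "Interface3"))
    print(decide(cfg, "vpn1", 0x0200000000000000, "Interface2"))
    for finding in audit(cfg):
        print(finding)
```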

Examples

# Create APN isolation policy p1 and enter its view.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id isolate policy p1

[Sysname-apn-ipv6-isolate-policy-p1]

apn-id-ipv6 isolate-group

Use apn-id-ipv6 isolate-group to assign an interface to an APN isolation group.

Use undo apn-id-ipv6 isolate-group to remove an interface from an APN isolation group.

Syntax

apn-id-ipv6 isolate-group group-name

undo apn-id-ipv6 isolate-group group-name

Default

An interface does not belong to any APN isolation groups.

Views

Interface view

Predefined user roles

network-admin

Parameters

group-name: Specifies an APN isolation group by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

To prevent a PE device from sending the service flow identified by a particular APN ID out of a private network interface to its attached site in a VPN instance, you must perform the following tasks:

1.     Assign that private network interface to an APN isolation group.

2.     Configure a rule in an APN isolation policy to associate the APN isolation group with the VPN instance and set the action to take on the rule matching traffic.

3.     Apply the APN isolation policy to the VPN instance.

The device will perform the following operations when it receives the service flow:

1.     Identifies the APN isolation group for the service flow based on its APN ID and outgoing interface (the private network interface).

2.     Searches the APN isolation policy applied to the VPN instance for a matching rule.

3.     Executes the action defined in the matching rule.

Restrictions and guidelines

To prevent a service flow from reaching a private network interface, you must bind that interface to a VPN instance, in addition to assigning it to an APN isolation group.

Examples

# Assign interface GigabitEthernet1/0/1 to isolation group group1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] apn-id-ipv6 isolate-group group1

Related commands

isolate-group name

apn-id-ipv6 isolate-policy (VPN instance view)

Use apn-id-ipv6 isolate-policy to apply an APN isolation policy to a VPN instance.

Use undo apn-id-ipv6 isolate-policy to remove an APN isolation policy from a VPN instance.

Syntax

apn-id-ipv6 isolate-policy policy-name direction

undo apn-id-ipv6 isolate-policy policy-name direction

Default

No APN isolation policies are applied to VPN instances.

Views

VPN instance view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an APN isolation policy by its name, a case-sensitive string of 1 to 31 characters.

direction: Specifies the direction to which the APN isolation policy is applied. In this software version, you can only specify the inbound keyword to apply the policy to the private packets received in the inbound direction of the VPN instance.

Usage guidelines

To prevent PE devices (the edge devices of an APN6 network) from forwarding some service flows to a site in a VPN instance based on APN IDs, you must perform the following tasks:

1.     Create an APN isolation policy and add isolation rules to the policy.

2.     Associate the APN IDs with the APN isolation group.

3.     Apply the APN isolation policy to the VPN instance.

Examples

# Apply APN isolation policy p1 to the inbound direction of VPN instance vpn1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id isolate policy p1

[Sysname-apn-ipv6-isolate-policy-p1] quit

[Sysname-apn-ipv6] quit

[Sysname-apn] quit

[Sysname] ip vpn-instance vpn1

[Sysname-vpn-instance-vpn1] apn-id-ipv6 isolate-policy p1 inbound

Related commands

apn-id isolate policy

app-group index

Use app-group index to configure an APP-Group-ID field in an APN ID template.

Use undo app-group index to delete an APP-Group-ID field from an APN ID template.

Syntax

app-group index index-value field-name length field-length

undo app-group index index-value

Default

An APN ID template does not contain APP-Group-ID fields.

Views

APN ID template view

Predefined user roles

network-admin

Parameters

index-value: Specifies an index value for an APP-Group-ID field. This index value represents the location of the APP-Group-ID field in the APP-Group-ID space. The value range is 1 to 4294967294.

field-name: Specifies a name to uniquely identify the APP-Group-ID field, a case-sensitive string with 1 to 31 characters.

length field-length: Sets the length of the APP-Group-ID field. The value range is 1 to 32.

Usage guidelines

Operating mechanism

The APP-Group-ID and User-Group-ID spaces in an APN ID template can be subdivided into multiple variable-length fields, each uniquely identified by a field name.

·     A field in the APP-Group-ID space represents an application or service and is called an APP-Group-ID field. You can use one APN ID to identify a group of applications or services that have the same quality assurance requirements.

·     A field in the User-Group-ID space represents a user and is called a User-Group-ID field.

When you use the app-group index command to create APP-Group-ID fields, assign each field an index to identify their order in the APP-Group-ID space, with the lowest index for the leftmost field. If user-defined APP-Group-ID fields do not use up the APP-Group-ID space, the idle bits in the space are set to 0.

To generate an APN ID for a service flow, you must apply an APN ID template to an APN ID instance, and then execute the apn-field command to assign values to the APP-Group-ID and User-Group-ID fields identified by their names in the APN ID template.

Restrictions and guidelines

·     You can specify the same APP-Group-ID field name in different APN ID templates.

·     The total length of all APP-Group-ID fields must not exceed the total length of the APP-Group-ID space in the APN ID template.

·     The combined number of APP-Group-ID and User-Group-ID fields in an APN ID template cannot exceed eight.

·     The name of an APP-Group-ID or User-Group-ID field must be unique among all APP-Group-ID and User-Group-ID fields in the same APN ID template.

·     The index for an APP-Group-ID field must be unique among all User-Group-ID fields in the same APN ID template.

·     You cannot delete, rename, or change the length of an APP-Group-ID field in an APN ID template after you apply the template to an APN ID instance and assign a value to that field by using the apn-field command.
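The template and field rules from the apn-id template and app-group index sections, modeled in Python as an added example (not H3C code and not part of the original reference). It assumes the APP-Group-ID space occupies the most significant bits of the 64-bit APN ID, followed by the User-Group-ID space and then the reserved bits, and that an index is unique within its own space; all class and function names are hypothetical.

```python
from dataclasses import dataclass, field

APN_ID_BITS = 64      # total APN ID length is fixed at 64 bits on the device
MAX_FIELDS = 8        # combined APP-Group-ID and User-Group-ID fields
MAX_FIELD_BITS = 32   # field-length range is 1 to 32


class TemplateError(ValueError):
    """Raised where the rules on this page would reject the configuration."""


@dataclass
class ApnIdTemplate:
    app_bits: int = 0    # 0 means the space is not part of the template
    user_bits: int = 0
    # space -> {index: (field name, field length)}
    spaces: dict = field(default_factory=lambda: {"app": {}, "user": {}})

    def __post_init__(self):
        if self.app_bits + self.user_bits > APN_ID_BITS:
            raise TemplateError("APP-Group-ID and User-Group-ID spaces exceed 64 bits")

    def add_field(self, space, index, name, length):
        fields = self.spaces[space]
        space_bits = self.app_bits if space == "app" else self.user_bits
        if not 1 <= length <= MAX_FIELD_BITS:
            raise TemplateError("field length must be 1 to 32")
        if sum(len(s) for s in self.spaces.values()) >= MAX_FIELDS:
            raise TemplateError("a template holds at most eight fields")
        if any(n == name for s in self.spaces.values() for n, _ in s.values()):
            raise TemplateError(f"field name {name!r} is already used")
        if index in fields:  # assumption: an index is unique within its space
            raise TemplateError(f"index {index} is already used")
        if sum(bits for _, bits in fields.values()) + length > space_bits:
            raise TemplateError("fields exceed the length of their space")
        fields[index] = (name, length)

    def layout(self):
        """Map each field name to (shift, length) inside the 64-bit APN ID."""
        result, space_start = {}, 0
        for space, bits in (("app", self.app_bits), ("user", self.user_bits)):
            offset = space_start
            for index in sorted(self.spaces[space]):  # lowest index is leftmost
                name, length = self.spaces[space][index]
                result[name] = (APN_ID_BITS - offset - length, length)
                offset += length
            space_start += bits
        return result


def build_apn_id(template, values):
    """Return (apn_id, mask); fields without a value stay 0 and unmasked."""
    layout = template.layout()
    apn_id = mask = 0
    for name, value in values.items():
        if name not in layout:
            raise TemplateError(f"field {name!r} is not in the template")
        shift, length = layout[name]
        if not 0 <= value <= (1 << length) - 1:
            raise TemplateError(f"{value} does not fit in {length} bits")
        apn_id |= value << shift
        mask |= ((1 << length) - 1) << shift
    return apn_id, mask


def demo():
    # Constructed sample mirroring the page's tmplt1 examples: the value 300
    # fits a 32-bit field but is rejected for an 8-bit field (maximum 255).
    wide = ApnIdTemplate(app_bits=48, user_bits=16)
    wide.add_field("app", 1, "app-group1", 32)
    narrow = ApnIdTemplate(app_bits=48)
    narrow.add_field("app", 1, "app-group1", 8)
    results = {"wide": build_apn_id(wide, {"app-group1": 300})}
    try:
        build_apn_id(narrow, {"app-group1": 300})
    except TemplateError as exc:
        results["narrow"] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```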

Examples

# Configure an 8-bit APP-Group-ID field in APN ID template tmplt1. Set its index value to 1 and field name to app-group1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template tmplt1 length 64 app-group 48

[Sysname-apn-ipv6-template-tmplt1] app-group index 1 app-group1 length 8

Related commands

user-group index

apn-field

display apn-id-ipv6 brief

Use display apn-id-ipv6 brief to display the global configuration for APN.

Syntax

display apn-id-ipv6 brief

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display the global APN configuration.

<Sysname> display apn-id-ipv6 brief

 

APN ID info:

Tunnel mode             : IPv6

Inherit mode            : Disabled

Statistic interval      : 30 s

Table 1 Command output

APN ID info: APN global configuration.

Tunnel Mode: APN tunnel mode. Available options:

·     IPv6

Inherit mode: APN ID inheritance method.

Statistic interval: Statistic interval.

Related commands

apn-id inherit

apn-id mode

ipv6 (APN view)

display apn-id-ipv6 instance

Use display apn-id-ipv6 instance to display information about APN ID instances.

Syntax

display apn-id-ipv6 instance [ name instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

name instance-name: Specifies an APN ID instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify an APN ID instance, this command displays information about all APN ID instances.

Examples

# Display information about all APN ID instances.

<Sysname> display apn-id-ipv6 instance

Instance name        : aaa

Instance ID          : 1          APN ID length : 64

APN ID               : 0x01000000 0x00000000

APN mask             : 0xff000000 0x00000000

 

Instance name        : bbb

Instance ID          : 2          APN ID length : 64

APN ID               : 0x02000000 0x00000000

APN mask             : 0xff000000 0x00000000

 

Instance name        : ccc

Instance ID          : 3          APN ID length : 64

APN ID               : 0x03000000 0x00000000

APN mask             : 0xff000000 0x00000000

Table 2 Command output

Instance name: Name of an APN ID instance.

Instance ID: Index automatically allocated by the system to the APN ID instance.

APN ID length: Length of the APN ID space. This space typically contains the APP-Group-ID and User-Group-ID spaces and a reserved space.

APN ID: The hexadecimal values for the APP-Group-ID and User-Group-ID spaces in the APN ID. The first value is for the APP-Group-ID space and the second value is for the User-Group-ID space.

APN mask: Masks for the APP-Group-ID and User-Group-ID spaces. The first value is the mask for the APP-Group-ID space, and the second value is the mask for the User-Group-ID space. For example, if the APP-Group-ID value is 0x02000000 with a mask of 0xff000000, it indicates that only the field that spans the highest 8 bits of the APP-Group-ID space is assigned a value, and that value is set to 2.

Related commands

apn-id instance

display apn-id-ipv6 binding-list

Use display apn-id-ipv6 binding-list to display the member interfaces in APN isolation groups.

Syntax

display apn-id-ipv6 binding-list isolate-group [ isolate-group-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isolate-group-name: Specifies an APN isolation group by its name, a case-sensitive string of 1 to 31 characters.

Examples

# Display the members of APN isolation groups.

<Sysname> display apn-id-ipv6 binding-list isolate-group

Groupname                       Interface                               State

------------------------------------------------------------------------------

isog1(0)                        Ten-GigabitEthernet0/0/15                    Active

isog2(1)                        Ten-GigabitEthernet0/0/16                    Active

isog2(1)                        Ten-GigabitEthernet0/0/17                    Active

Table 3 Command output

Groupname: APN isolation group name. The number in parentheses is the ID of the APN isolation group.

Interface: A private network interface in the APN isolation group.

State: APN isolation group's active state on the interface:

·     Active—APN isolation group takes effect on the interface.

·     Inactive—APN isolation group does not take effect on the interface.

Related commands

apn-id-ipv6 isolate-group

display apn-id-ipv6 forwarding isolate-group

Use display apn-id-ipv6 forwarding isolate-group to display information about an APN isolation group.

Syntax

In standalone mode:

display apn-id-ipv6 forwarding isolate-group isolate-group-name [ slot slot-number ]

In IRF mode:

display apn-id-ipv6 forwarding isolate-group isolate-group-name [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isolate-group-name: Specifies an APN isolation group by its name, a case-sensitive string of 1 to 31 characters.

slot slot-number: Specifies a card by its slot number. If you do not specify this option, the command applies to all cards. On this device, the slot-number argument represents the entire device and its value is fixed. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. If you do not specify a card, the command applies to all member devices. (In IRF mode.)

Examples

# (In standalone mode.) Display information about APN isolation group group1.

<Sysname> display apn-id-ipv6 forwarding isolate-group group1

Isolate group   : group1

Group ID        : 1

Total reference : 2

Map type             Map info

Interface            XGE0/0/15

Interface            XGE0/0/16

Table 4 Command output

Isolate group: APN isolation group name.

Group ID: APN isolation group ID.

Total reference: Total number of interfaces in the APN isolation group.

Map type: Type of the member in the APN isolation group. This value is fixed at Interface, indicating that the group member is an interface.

Map info: Name of the member interface already bound to a VPN instance.

Related commands

isolate-group mapping-vpn

vpn-instance match isolate-group

apn-id-ipv6 isolate-group

display apn-id-ipv6 forwarding isolate-policy

Use display apn-id-ipv6 forwarding isolate-policy to display information about APN isolation policies.

Syntax

In standalone mode:

display apn-id-ipv6 forwarding isolate-policy isolate-policy-name [ reference ] [ slot slot-number ]

In IRF mode:

display apn-id-ipv6 forwarding isolate-policy isolate-policy-name [ reference ] [ chassis chassis-number slot slot-number ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

isolate-policy-name: Specifies an APN isolation policy by its name, a case-sensitive string of 1 to 31 characters.

reference: Displays the VPN instances that use the specified APN isolation policy. If this keyword is not specified, the command displays rules in the specified APN isolation policy.

slot slot-number: Specifies a card by its slot number. If you do not specify this option, the command applies to all cards. On this device, the slot-number argument represents the entire device and its value is fixed. This command applies to the entire device regardless of whether the slot-number argument is specified. (In standalone mode.)

chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. On this device, the slot-number argument represents the entire device and its value is fixed. If you do not specify a card, the command applies to all member devices. (In IRF mode.)

Examples

# Display rules in APN isolation policy policy1.

<Sysname> display apn-id-ipv6 forwarding isolate-policy policy1

Isolate policy : policy1                        ID: 0

Total rule     : 4

Index           APN ID                    Isolate group

1               0xc0000001                Group1

2               0xc0000002 0x4b400000     Group2

3               0xc0000003 0x4b400000     Group3

                0xc0000000 0x4b400000

2               0xc0000004 0x4b400000     Group4

# Display the VPN instances that use APN isolation policy policy1.

<Sysname> display apn-id-ipv6 forwarding isolate-policy policy1 reference

Isolate policy  : policy1                        ID: 0

Total reference : 3

Referenced                          Direction

vpn1                                Inbound

vpn2                                Inbound

vpn3                                Inbound

Table 5 Command output

Isolate policy: APN isolation policy name.

ID: APN isolation policy ID.

Total Rule: Number of APN isolation rules.

Total Reference: Number of VPN instances that use the APN isolation policy.

Index: Index of the APN isolation rule.

APN ID: APN ID in the APN isolation rule.

Isolate group: APN isolation group name in the APN isolation rule.

Referenced: VPN instances that use the APN isolation policy.

Direction: Direction in which the APN isolation policy is applied on the VPN instance.

Related commands

index instance isolate-group behavior

apn-id-ipv6 isolate-policy

display apn-id-ipv6 isolate-policy

Use display apn-id-ipv6 isolate-policy to display the configuration of APN isolation policies.

Syntax

display apn-id-ipv6 isolate-policy [ policy policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy policy-name: Specifies an APN isolation policy by its name. The policy-name argument represents the policy name, a case-sensitive string of 1 to 31 characters.

Examples

# Display the configuration of APN isolation policies.

<Sysname> display apn-id-ipv6 isolate-policy

Total isolate policy number  : 1

Total rules                  : 3

 

  Isolate policy      : isop1

  Isolate policy ID   : 1

  Statistic state     : Disabled

  Isolate rules       : 2

  Index      Instancename               Groupname(ID)                   Behavior

  1          inst1                      group1(0)                       Deny

  2          inst2                      group2(1)

Table 6 Command output

| Field | Description |
| --- | --- |
| Total isolate policy number | Total number of APN isolation policies. |
| Total rules | Total number of APN isolation rules. |
| Isolate policy | APN isolation policy name. |
| Isolate policy ID | APN isolation policy ID. |
| Statistic state | Whether traffic statistics is enabled for APN isolation policies. |
| Isolate rules | APN isolation rules. |
| Index | Index of the APN isolation rule. |
| Instancename | APN ID instance name. |
| Groupname(ID) | APN isolation group name. |
| Behavior | Action to take on the traffic that matches the APN isolation rule. |

Related commands

index instance isolate-group behavior

statistics enable

statistics interval

apn-id isolate policy

display apn-id-ipv6 isolate-policy statistics

Use display apn-id-ipv6 isolate-policy statistics to display the traffic statistics for APN isolation policies applied to VPN instances.

Syntax

display apn-id-ipv6 isolate-policy statistics [ policy policy-name ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy policy-name: Specifies an APN isolation policy by its name. The policy-name argument represents the policy name, a case-sensitive string of 1 to 31 characters. If you do not specify a policy, all APN isolation policies are specified.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, all VPN instances are specified.

Examples

# Display the traffic statistics for APN isolation policy policy1 in VPN instance vpn1.

<Sysname> display apn-id-ipv6 isolate-policy statistics policy policy1 vpn-instance vpn1

VPN instance             : vpn1

APN isolate policy       : policy1

Item                   Packets                   Bytes

Matched                1                          1

Last 300 seconds rate

Item                   PPS                        BPS

Matched                1                          1

Table 7 Command output

| Field | Description |
| --- | --- |
| VPN instance | VPN instance name. |
| APN isolate policy | APN isolation policy name. |
| Item | Statistic item. |
| Packets | Number of packets that matched the APN isolation rule in the statistic period. |
| Bytes | Number of bytes that matched the APN isolation rules in the statistic period. |
| Matched | APN isolation rule matching statistics. |
| Last 300 seconds rate | Recent 300-second rate. |
| PPS | Traffic rate in packets per second (PPS) over the most recent 300 seconds. |
| BPS | Traffic rate in bytes per second (BPS) over the most recent 300 seconds. |

Related commands

statistics enable

reset apn-id-ipv6 isolate-policy statistics

display apn-id-ipv6 vpn-mapping

Use display apn-id-ipv6 vpn-mapping to display the mappings between VPN instances and APN isolation groups.

Syntax

display apn-id-ipv6 vpn-mapping [ vpn vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

vpn vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays all VPN instance and APN isolation group mappings.

Examples

# Display VPN instance and APN isolation group mappings.

<Sysname> display apn-id-ipv6 vpn-mapping

 

VPN instance  : vpn1

Peer locator  : 100::0                           Mask             : 64

Isolate group : group1                           Isolate group ID : 1

Peer locator  : 110::0                           Mask             : 64

Isolate group : group2                           Isolate group ID : 2

 

VPN instance  : vpn2

Peer locator  : 300::0                           Mask             : 64

Isolate group : group3                           Isolate group ID : 3

Table 8 Command output

| Field | Description |
| --- | --- |
| VPN instance | VPN instance name. |
| Peer locator | SRv6 locator that contains the SRv6 SID assigned by the remote PE device to the VPN route. |
| Mask | SRv6 locator address mask. |
| Isolate group | APN isolation group name. |
| Isolate group ID | APN isolation group ID. |

Related commands

vpn-instance match isolate-group

display bgp isolate-group mapping-vpn

Use display bgp isolate-group mapping-vpn to display the VPN instance and APN isolation group mappings obtained by a BGP instance.

Syntax

display bgp [ instance instance-name ] isolate-group mapping-vpn [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

instance instance-name: Specifies a BGP instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify this option, the command displays the mappings obtained by the default BGP instance.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays all VPN instance and APN isolation group mappings.

Usage guidelines

The BGP module marks the routes for SRv6 locators with the APN isolation group attribute based on their VPN instance and APN isolation group mappings. After you execute the vpn-instance match isolate-group command to configure VPN instance and APN isolation group mappings, use the display bgp isolate-group mapping-vpn command to verify that the mappings have been issued to the BGP process of interest.

Examples

# Display the VPN instance and APN isolation group mappings obtained by the default BGP instance.

<Sysname> display bgp isolate-group mapping-vpn

 

VPN instance  : vpn1

Peer locator  : 100::                                Mask             : 64

Isolate group : group1                               Isolate group ID : 1

Peer locator  : 111::                                Mask             : 64

Isolate group : group2                               Isolate group ID : 2

 

VPN instance  : vpn2

Peer locator  : 300::                                Mask             : 64

Isolate group : group3                               Isolate group ID : 3

Table 9 Command output

| Field | Description |
| --- | --- |
| VPN instance | VPN instance name. |
| Peer locator | SRv6 locator that contains the SRv6 SID assigned by the remote PE device to the VPN route. |
| Mask | SRv6 locator address mask. |
| Isolate group | APN isolation group name. |
| Isolate group ID | APN isolation group ID. |

index instance isolate-group behavior

Use index instance isolate-group behavior to configure an APN isolation rule.

Use undo index to delete an APN isolation rule.

Syntax

index index-value instance instance-name isolate-group group-name behavior deny

undo index index-value

Default

APN isolation policies do not contain APN isolation rules.

Views

APN isolation policy view

Predefined user roles

network-admin

Parameters

index-value: Specifies an index value for the APN isolation rule. The value range is 1 to 4294967294.

instance-name: Specifies an APN ID instance name, a case-sensitive string of 1 to 31 characters.

group-name: Specifies an APN isolation group name, a case-sensitive string of 1 to 31 characters.

deny: Prevents the traffic that matches the APN isolation rule from reaching an interface or tunnel. This software version supports only the deny action.

Usage guidelines

Operating mechanism

In an APN isolation rule, map an APN ID instance to the desired APN isolation group and set the action to take on the rule-matching traffic. Then, the device creates a two-tuple entry of the APN ID instance and APN isolation group. If an incoming service flow matches the APN ID in the entry, the device will not forward the flow to the interfaces or public tunnels in the matching APN isolation group.

Restrictions and guidelines

·     You must create an APN ID instance before you can specify it in an APN isolation rule. In addition, make sure you have configured APP-Group-ID fields and User-Group-ID fields for the APN ID template applied to the APN ID instance by using the apn-field command.

·     The APN isolation group used in an APN isolation rule must already exist.

·     The combination of an APN ID instance name and APN isolation group name must be unique across all APN isolation rules in the same APN isolation policy.

·     You cannot delete an APN ID instance if it has been specified in an APN isolation rule configured by using the index instance isolate-group behavior command. To delete that APN ID instance, you must first delete the APN isolation rule.

·     If an APN ID instance has been specified in an APN isolation rule, you cannot execute the apn-field command to change the values of any APP-Group-ID or User-Group-ID fields in that instance.

·     You can only specify the deny action in APN isolation rules to block traffic.

Examples

# Add an APN isolation rule to the APN isolation policy named p1. Assign an index of 6 to the rule. Configure the rule to prevent the traffic that matches APN ID instance inst1 and APN isolation group grp1 from reaching a private network interface or public tunnel.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template tmp1 length 64 app-group 32

[Sysname-apn-ipv6-template-tmp1] app-group index 1 ap1 len 20

[Sysname-apn-ipv6-template-tmp1] quit

[Sysname-apn-ipv6] apn-id instance inst1

[Sysname-apn-ipv6-instance-inst1] template tmp1

[Sysname-apn-ipv6-instance-inst1] apn-field ap1 100

[Sysname-apn-ipv6-instance-inst1] quit

[Sysname-apn-ipv6] isolate-group name grp1

[Sysname-apn-ipv6] apn-id isolate policy p1

[Sysname-apn-ipv6-isolate-policy-p1] index 6 instance inst1 isolate-group grp1 behavior deny

Related commands

apn-id instance

isolate-group name

ipv6 (APN view)

Use ipv6 to enable APN6 and enter APN6 view.

Use undo ipv6 to disable APN6 and delete the configuration in APN6 view.

Syntax

ipv6

undo ipv6

Default

APN6 is disabled.

Views

APN view

Predefined user roles

network-admin

Usage guidelines

To configure APN6 for application-aware traffic service based on IPv6, you must first execute the ipv6 command in APN view to enable APN6 and enter APN6 view.

Examples

# Enable APN6 and enter APN6 view.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6]

isolate-group mapping-vpn

Use isolate-group mapping-vpn to create the APN isolation group and VPN map and enter its view, or to enter APN isolation group and VPN mapping view directly if the map already exists.

Use undo isolate-group mapping-vpn to delete an APN isolation group and VPN mapping and the configuration created in the mapping view.

Syntax

isolate-group mapping-vpn

undo isolate-group mapping-vpn

Default

The APN isolation group and VPN map does not exist.

Views

APN6 view

Predefined user roles

network-admin

Usage guidelines

You must create an APN isolation group and VPN map before you can use the vpn-instance match isolate-group command to add the mapping of a VPN instance, SRv6 locator advertised by a remote PE, and APN isolation group. This mapping enables the device to map the APN isolation group with the public tunnel found based on the VPN instance and SRv6 locator when the device searches the FIB to forward service flows identified by APN IDs.

Examples

# Create an APN isolation group and VPN mapping and enter the mapping view.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] isolate-group mapping-vpn

[Sysname-apn-ipv6-isolate-group-mapping-vpn]

Related commands

vpn-instance match isolate-group

isolate-group name

Use isolate-group name to create an APN isolation group.

Use undo isolate-group name to delete an APN isolation group.

Syntax

isolate-group name group-name

undo isolate-group name group-name

Default

No APN isolation groups exist.

Views

APN6 view

Predefined user roles

network-admin

Parameters

group-name: Specifies an APN isolation group by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

In an APN6 network, a single VPN might transport multiple types of workloads between multiple branch sites. APN isolation policies enable you to separate the workload for a particular service between two sites within the same VPN.

To use the APN isolation feature, you must configure one or multiple APN isolation groups.

An APN isolation group identifies a set of outgoing interfaces or public tunnels for traffic from one branch site to another in the same VPN instance.

Examples

# Create an APN isolation group named group1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] isolate-group name group1

Related commands

apn-id-ipv6 isolate-group group-name

index instance isolate-group behavior

reset apn-id-ipv6 isolate-policy statistics

Use reset apn-id-ipv6 isolate-policy statistics to clear the traffic statistics for an APN isolation policy.

Syntax

reset apn-id-ipv6 isolate-policy statistics [ policy policy-name ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

policy policy-name: Specifies an APN isolation policy by its name. The policy-name argument represents the policy name, a case-sensitive string of 1 to 31 characters. If you do not specify a policy, the command clears traffic statistics for all APN isolation policies.

vpn-instance vpn-instance-name: Specifies a VPN instance by its name. The vpn-instance-name argument represents the VPN instance name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the command clears traffic statistics for all VPN instances.

Examples

# Clear the traffic statistics for APN isolation policy policy1 in VPN instance vpn1.

<Sysname> reset apn-id-ipv6 isolate-policy statistics policy policy1 vpn-instance vpn1

Related commands

display apn-id-ipv6 isolate-policy statistics

statistics enable

statistics enable (APN isolation policy view)

Use statistics enable to enable traffic statistics for an APN isolation policy.

Use undo statistics enable to disable traffic statistics for an APN isolation policy.

Syntax

statistics enable

undo statistics enable

Default

Traffic statistics is disabled for APN isolation policies.

Views

APN isolation policy view

Predefined user roles

network-admin

Usage guidelines

After you enable traffic statistics for an APN isolation policy, the device collects statistics at the specified interval for flows that match a rule in the policy. The statistics include the packet count, the byte count, and the traffic rates in packets per second (PPS) and bytes per second (BPS).

Examples

# Enable traffic statistics for APN isolation policy p1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id isolate policy p1

[Sysname-apn-ipv6-isolate-policy-p1] statistics enable

Related commands

display apn-id-ipv6 isolate-policy statistics

reset apn-id-ipv6 isolate-policy statistics

statistics interval

statistics interval (APN isolation policy view)

Use statistics interval to set the traffic statistics collection interval for an APN isolation policy.

Use undo statistics interval to restore the default.

Syntax

statistics interval time

undo statistics interval

Default

The traffic statistics collection interval for APN isolation policies is 30 seconds.

Views

APN6 view

Predefined user roles

network-admin

Parameters

time: Specifies the interval (in seconds) for collecting traffic statistics for APN isolation policies. The value range is 5 to 65535.

Usage guidelines

If traffic statistics is enabled for an APN isolation policy, the device collects statistics at the specified interval for flows that match a rule in the policy. The statistics include the packet count, the byte count, and the traffic rates in packets per second (PPS) and bytes per second (BPS).

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Set the traffic statistics collection interval for APN isolation policies to 100 seconds.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] statistics interval 100

Related commands

statistics enable

reset apn-id-ipv6 isolate-policy statistics

display apn-id-ipv6 isolate-policy statistics

template (APN ID instance view)

Use template to apply an APN ID template to an APN ID instance.

Use undo template to restore the default.

Syntax

template template-name

undo template template-name

Default

No APN ID template applies to an APN ID instance.

Views

APN ID instance view

Predefined user roles

network-admin

Parameters

template-name: Specifies an APN ID template name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

An APN ID template defines a structured APN ID format.

To generate an APN ID for a service flow, you must perform the following tasks:

1.     Apply an APN ID template to an APN ID instance.

2.     Execute the apn-field command in APN ID instance view to assign values to the APP-Group-ID and User-Group-ID fields in the APN ID template.

Restrictions and guidelines

·     You must create an APN ID template first before you can apply it to an APN ID instance.

·     You can apply only one APN ID template to an APN ID instance.

·     You cannot delete the APN ID template applied to an APN ID instance if you have executed the apn-field command to assign a value to one of the APP-Group-ID or User-Group-ID fields defined in the template. To delete that template:

1.     Execute the undo apn-field command to remove the APP-Group-ID or User-Group-ID fields from the APN ID instance.

2.     Execute the undo template command to delete the APN ID template.

Examples

# Apply APN ID template tmplt1 to APN ID instance ins1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template tmplt1 length 64 app-group 48

[Sysname-apn-ipv6-template-tmplt1] app-group index 1 app-group1 len 32

[Sysname-apn-ipv6-template-tmplt1] quit

[Sysname-apn-ipv6] apn-id instance ins1

[Sysname-apn-ipv6-instance-ins1] template tmplt1

Related commands

apn-field

apn-id template

user-group index

Use user-group index to configure a User-Group-ID field in the APN ID template.

Use undo user-group index to delete a User-Group-ID field from an APN ID template.

Syntax

user-group index index-value field-name length field-length

undo user-group index index-value

Default

An APN ID template does not contain User-Group-ID fields.

Views

APN ID template view

Predefined user roles

network-admin

Parameters

index-value: Specifies an index value for the User-Group-ID field. This index value represents the location of this field in the User-Group-ID space. The value range is 1 to 4294967294.

field-name: Specifies a name to uniquely identify the User-Group-ID field. The value is a case-sensitive string of 1 to 31 characters.

length field-length: Specifies the length of the User-Group-ID field. The value range is 1 to 32.

Usage guidelines

Operating mechanism

The APP-Group-ID and User-Group-ID spaces in an APN ID template can be subdivided into multiple variable-length fields, each uniquely identified by a field name.

·     A field in the APP-Group-ID space represents an application or service and is called an APP-Group-ID field. You can use one APN ID to identify a group of applications or services that have the same quality assurance requirements.

·     A field in the User-Group-ID space represents a user and is called a User-Group-ID field.

When you use the user-group index command to create User-Group-ID fields, assign each field an index that identifies its position in the User-Group-ID space, with the lowest index for the leftmost field. If the user-defined User-Group-ID fields do not use up the User-Group-ID space, the idle bits in the space are set to 0.

To generate an APN ID for a service flow, you must apply an APN ID template to an APN ID instance, and then execute the apn-field command to assign values to the APP-Group-ID and User-Group-ID fields identified by their names in the APN ID template.

Restrictions and guidelines

·     You can specify the same User-Group-ID field name in different APN ID templates.

·     The total length of all User-Group-ID fields must not exceed the total length of the User-Group-ID space in the APN ID template.

·     The combined number of APP-Group-ID fields and User-Group-ID fields in an APN ID template cannot exceed eight.

·     The name of an APP-Group-ID or User-Group-ID field must be unique among all APP-Group-ID and User-Group-ID fields in the same APN ID template.

·     The index for a User-Group-ID field must be unique among all User-Group-ID fields in the same APN ID template.

·     If an APN ID template has been applied to an APN ID instance, you cannot delete the User-Group-ID fields in the template or modify their names or lengths.

·     You cannot delete, rename, or change the length of a User-Group-ID field in an APN ID template after you apply the template to an APN ID instance and assign a value to that field by using the apn-field command.

Examples

# Configure an 8-bit User-Group-ID field in APN ID template tmplt1. Set its index value to 1 and field name to user-group1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] apn-id template tmplt1 length 64 app-group 16 user-group 16

[Sysname-apn-ipv6-template-tmplt1] user-group index 1 user-group1 length 8
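The following Python model is an added illustration, not H3C code: it applies the field restrictions listed above and packs field values the way the operating mechanism describes (lowest index leftmost, idle bits set to 0). The class and function names are hypothetical, and two points are assumptions: the APP-Group-ID space is placed before the User-Group-ID space with the remaining bits zero, and a field with no assigned value reads as 0.

```python
from dataclasses import dataclass, field

MAX_FIELDS = 8       # APP-Group-ID plus User-Group-ID fields per template
MAX_FIELD_BITS = 32  # documented field length range is 1 to 32


@dataclass
class ApnIdTemplate:
    length: int          # APN ID length in bits
    app_bits: int        # size of the APP-Group-ID space
    user_bits: int = 0   # size of the User-Group-ID space
    app_fields: dict = field(default_factory=dict)   # index -> (name, bits)
    user_fields: dict = field(default_factory=dict)  # index -> (name, bits)

    def __post_init__(self):
        if self.app_bits + self.user_bits > self.length:
            raise ValueError("spaces exceed the APN ID length")

    def add_field(self, space, index, name, bits):
        """Model of app-group index / user-group index with the documented checks."""
        if space not in ("app", "user"):
            raise ValueError("space must be 'app' or 'user'")
        fields, space_bits = ((self.app_fields, self.app_bits) if space == "app"
                              else (self.user_fields, self.user_bits))
        every = list(self.app_fields.values()) + list(self.user_fields.values())
        if not 1 <= bits <= MAX_FIELD_BITS:
            raise ValueError(f"{name}: field length must be 1 to {MAX_FIELD_BITS}")
        if index in fields:
            raise ValueError(f"{name}: index {index} already used in this space")
        if any(name == n for n, _ in every):
            raise ValueError(f"{name}: field name already used in this template")
        if len(every) >= MAX_FIELDS:
            raise ValueError(f"a template holds at most {MAX_FIELDS} fields")
        if sum(b for _, b in fields.values()) + bits > space_bits:
            raise ValueError(f"{name}: fields exceed the {space_bits}-bit space")
        fields[index] = (name, bits)

    @staticmethod
    def _pack(fields, space_bits, values):
        """Lowest index is the leftmost field; unused trailing bits stay 0."""
        packed = used = 0
        for index in sorted(fields):
            name, bits = fields[index]
            value = values.get(name, 0)  # assumption: unassigned field reads as 0
            if value < 0 or value >> bits:
                raise ValueError(f"{name}: value {value} does not fit in {bits} bits")
            packed = (packed << bits) | value
            used += bits
        return packed << (space_bits - used)

    def apn_id(self, values):
        """Assumed layout: APP-Group-ID space | User-Group-ID space | zero padding."""
        app = self._pack(self.app_fields, self.app_bits, values)
        user = self._pack(self.user_fields, self.user_bits, values)
        padding = self.length - self.app_bits - self.user_bits
        return ((app << self.user_bits) | user) << padding


def page_example():
    """tmp1 from the isolation-rule example: length 64, app-group 32, ap1 of 20 bits."""
    tmp1 = ApnIdTemplate(length=64, app_bits=32)
    tmp1.add_field("app", 1, "ap1", 20)
    return tmp1.apn_id({"ap1": 100})


if __name__ == "__main__":
    print(hex(page_example()))
```

Running the same checks offline before committing a template is useful because, once a template is applied to an instance and a field has a value, its fields can no longer be deleted, renamed, or resized.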

Related commands

user-group index

apn-field

vpn-instance match isolate-group

Use vpn-instance match isolate-group to configure a mapping of a VPN instance, remote PE's SRv6 locator, and APN isolation group.

Use undo vpn-instance match isolate-group to delete the mapping of a VPN instance, remote PE's SRv6 Locator, and APN isolation group.

Syntax

vpn-instance vpn-instance-name peer-locator peer-locator-value prefix-length match isolate-group group-name

undo vpn-instance vpn-instance-name peer-locator peer-locator-value prefix-length

Default

The system does not have mappings of VPN instances, SRv6 locators at a remote PE, and APN isolation groups.

Views

APN isolation group and VPN mapping view

Predefined user roles

network-admin

Parameters

vpn-instance-name: Specifies a VPN instance by its name, a case-sensitive string of 1 to 31 characters.

peer-locator peer-locator-value prefix-length: Specifies the SRv6 Locator of the remote PE device allocated for the VPN service flow. The peer-locator-value argument represents the next hop IPv6 address for the VPN workload. The prefix-length argument represents the prefix length for the IPv6 address, in the range of 32 to 120. The SRv6 Locator section is the result of the bitwise AND operation on the values for the peer-locator-value and prefix-length arguments.

group-name: Specifies an APN isolation group by its name, a case-sensitive string of 1 to 31 characters.

Usage guidelines

Operating mechanism

On an IP L3VPN over SRv6 or EVPN L3VPN over SRv6 network, PEs allocate SRv6 SIDs for VPN routes from their local SRv6 locators. For example, CEs 1 and 2 connect to PEs 1 and 2, respectively. The two PEs establish an SRv6 tunnel to convey traffic between the CEs. PE 2 assigns an SRv6 SID from a local SRv6 locator to the VPN route destined for CE 2 and advertises the SID to PE 1. When PE 1 receives a packet from CE 1 to CE 2, PE 1 identifies that its outgoing interface is the SRv6 tunnel based on the SRv6 SID. Then, PE 1 obtains the APN ID for the packet and identifies the APN isolation group based on the VPN instance and the SRv6 locator received from PE 2 for reaching CE 2. Based on the APN ID and the APN isolation group, PE 1 searches the APN isolation policy for a matching isolation rule. If a match is found, PE 1 does not forward the packet out of the tunnel. If no match is found, PE 1 forwards the packet out of the tunnel.

Restrictions and guidelines

·     You can map a VPN instance to different SRv6 locators and APN isolation groups. In this situation, you must make sure the route prefixes calculated for SRv6 locators based on the specified peer-locator-value and prefix-length parameters are unique across all mappings and do not overlap.

·     Make sure the VPN instance specified for this command already exists.

Examples

# Configure a mapping of VPN instance vpn1, SRv6 Locator 2001:db8::1/32 on the remote PE, and APN isolation group group1.

<Sysname> system-view

[Sysname] apn

[Sysname-apn] ipv6

[Sysname-apn-ipv6] isolate-group name group1

[Sysname-apn-ipv6] isolate-group mapping-vpn

[Sysname-apn-ipv6-isolate-group-mapping-vpn] vpn-instance vpn1 peer-locator 2001:db8::1 32 match isolate-group group1
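The sketch below is an added example, not H3C code. It derives the SRv6 locator prefix by masking peer-locator-value with prefix-length, rejects mappings whose prefixes overlap, and models the lookup described under Operating mechanism (VPN instance plus SID to isolation group, then APN ID plus group to a deny rule). All names are hypothetical, the overlap check is scoped to one VPN instance as an assumption, the mappings are taken from the display apn-id-ipv6 vpn-mapping sample output, and the deny rule is constructed.

```python
import ipaddress

MIN_PREFIX, MAX_PREFIX = 32, 120  # documented prefix-length range


def locator_prefix(peer_locator, prefix_length):
    """Bitwise AND of peer-locator-value with the mask implied by prefix-length."""
    if not MIN_PREFIX <= prefix_length <= MAX_PREFIX:
        raise ValueError(f"prefix length must be {MIN_PREFIX} to {MAX_PREFIX}")
    # strict=False clears the host bits instead of rejecting them
    return ipaddress.IPv6Network(f"{peer_locator}/{prefix_length}", strict=False)


class IsolateGroupMapping:
    """Model of the vpn-instance match isolate-group mappings."""

    def __init__(self):
        self._by_vpn = {}  # VPN instance name -> [(locator prefix, group name)]

    def add(self, vpn, peer_locator, prefix_length, group):
        prefix = locator_prefix(peer_locator, prefix_length)
        # Assumption: uniqueness is enforced among mappings of the same VPN instance.
        for existing, other_group in self._by_vpn.get(vpn, []):
            if prefix.overlaps(existing):
                raise ValueError(
                    f"{vpn}: {prefix} overlaps {existing} (group {other_group})")
        self._by_vpn.setdefault(vpn, []).append((prefix, group))
        return prefix

    def group_for(self, vpn, sid):
        """Return the isolation group whose locator contains the SID, or None."""
        addr = ipaddress.IPv6Address(sid)
        for prefix, group in self._by_vpn.get(vpn, []):
            if addr in prefix:  # prefixes never overlap, so at most one matches
                return group
        return None


def forwarding_decision(mapping, deny_rules, vpn, sid, apn_id):
    """deny_rules is a set of (APN ID, isolation group) pairs with behavior deny."""
    group = mapping.group_for(vpn, sid)
    if group is not None and (apn_id, group) in deny_rules:
        return "deny"
    return "forward"


def build_sample():
    """Mappings from the sample display output; the deny rule is constructed."""
    mapping = IsolateGroupMapping()
    mapping.add("vpn1", "100::", 64, "group1")
    mapping.add("vpn1", "110::", 64, "group2")
    mapping.add("vpn2", "300::", 64, "group3")
    deny_rules = {(0xC0000001, "group1")}
    return mapping, deny_rules


if __name__ == "__main__":
    mapping, deny_rules = build_sample()
    print(locator_prefix("2001:db8::1", 32))
    print(forwarding_decision(mapping, deny_rules, "vpn1", "100::100", 0xC0000001))
```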

Related commands

isolate-group mapping-vpn

isolate-group name

ip vpn-instance
