1-5An import routing policy can further filter the routes that can be advertised to a VPN instance by usingthe VPN target attribute of import target attribute. It can reject the routes selected by the communities inthe import target attribute. An export routing policy can reject the routes selected by the communities inthe export target attribute.After a VPN instance is created, you can configure import and/or export routing policies as needed.Tunneling policyA tunneling policy is used to select the tunnel for the packets of a specific VPN instance to use.After a VPN instance is created, you can optionally configure a tunneling policy. By default, LSPs areused as tunnels and no load balancing occurs (in other words, the number of tunnels for load balancingis 1). In addition, a tunneling policy takes effect only within the local AS.MPLS L3VPN Packet ForwardingFor basic MPLS L3VPN applications in a single AS, VPN packets are forwarded with two layers oflabels:z Layer 1 labels: Outer labels, used for label switching inside the backbone. They indicate LSPs fromthe local PEs to the remote PEs. Based on layer 1 labels, VPN packets can be label switched alongthe LSPs to the remote PEs.z Layer 2 labels: Inner labels, used for forwarding packets from the remote PEs to the CEs. An innerlabel indicates to which site, or more precisely, to which CE the packet should be sent. A PE findsthe interface for forwarding a packet according to the inner label.If two sites (CEs) belong to the same VPN and are connected to the same PE, each of them only needsto know how to reach the remote CE.The following takes Figure 1-3 as an example to illustrate the VPN packet forwarding procedure.Figure 1-3 VPN packet forwarding1) Site 1 sends an IP packet with the destination address of 1.1.1.2. CE 1 transmits the packet to PE1.2) PE 1 searches VPN instance entries based on the inbound interface and destination address of thepacket. Once finding a matching entry, PE 1 labels the packet with both inner and outer labels andforwards the packet out.3) The MPLS backbone transmits the packet to PE 2 by outer label. Note that the outer label isremoved from the packet at the penultimate hop.4) PE 2 searches VPN instance entries according to the inner label and destination address of thepacket to determine the outbound interface and then forwards the packet out the interface to CE 2.