RE: [j-nsp] Extranet in MPLS VPNs

From: Gary Tate (gtate@juniper.net)
Date: Tue Oct 16 2001 - 07:36:48 EDT


Sorry Bala, I made an omission in the first reply, see below:

>-----Original Message-----
>From: Gary Tate
>Sent: 16 October 2001 09:46
>To: Bala Subrahmanyam Venkata
>Cc: juniper-nsp@puck.nether.net
>Subject: RE: [j-nsp] Extranet in MPLS VPNs
>
>
>
>
>>-----Original Message-----
>>From: Bala Subrahmanyam Venkata [mailto:bsubrahm@doradosoftware.com]
>>Sent: 15 October 2001 21:19
>>To: Gary Tate
>>Cc: juniper-nsp@puck.nether.net
>>Subject: RE: [j-nsp] Extranet in MPLS VPNs
>>
>>
>>Thanx for the response Gary. I have some questions along the
>>same lines.
>>
>>Does Juniper's implementation then mandate that for every site that
>>needs to be in more than one VPN it must have its routes in a
>>separate VRF routing instance ?
>
>No this is not the case.

I meant to explain:) -

For a Site to belong to a VPN, at least one of the CEs of this Site must
be connected to at least one PE-VRF that is associated with that VPN.

(Note CEs from the same site do not have to be connected to the same PE,
and can be connected physically to different VPNs on the same PE or
different PEs).

Valid Physical configurations:

SITE 1

CE1---- VRF VPNA (PE1)
 |
CE2---- VRF VPNA (PE2)

SITE 1

CE1---- VRF VPNA (PE1)
 `---- VRF VPNA (PE2)

SITE 1

CE1---- VRF VPNA (PE1)
 |
CE2---- VRF VPNB (PE2)

SITE 1

CE1---- VRF VPNA (PE1)
 `---- VRF VPNB (PE1)

IMHO saying sites are in more than one VPN builds the wrong mental
picture unless they are physically connected as above.

For extranets (IMHO) it is better to state a case like Sites from VPN-A
need access to Sites in VPN-B and VPN-C. Sites in VPN-B and VPN-C do
not need to have access to each other.

In this example route targets would be used to import routes into VRFs
for sites on different PEs, e.g.

VRF for VPN A would import routes from Sites in VPN-A (Target:VPN:A),
from Sites in VPN-B (Target:VPN:B) and Sites in VPN-C (Target:VPN:C)
which are connected to other PEs.

VRF for VPN B would import routes from Sites in VPN-B (Target:VPN:B) and
from Sites in VPN-A (Target:VPN:A), which are connected to other PEs.

VRF for VPN C would import routes from Sites in VPN-C (Target:VPN:C) and
from Sites in VPN-A (Target:VPN:A), which are connected to other PEs.

So A and B can communicate
   A and C can communicate
   B and C cannot

The RIB-groups perform the same functionality as Route Targets for
importing routes *between* Sites of different VPNs (VRFs), connected to
the *same* PE, which need to communicate with each other.

I hope this is clear.

>
>>For eg., if
>>
>>VPN A has sites Site1, Site2 and Site3
>>VPN B has Site1 and Site2
>>
>>(assumption: Site1, Site2 & Site3 are attached to the same PE
>>router. Each has its own CE Router in its site pointing to the PE.)
>>
>>then, it means Site1 & Site2 routes will be in a VRF routing instance
>>("S1-S2") and Site3 routes will be in another VRF routing
>>instance ("S3").
>
>Yes this is correct.
>
>>If Site1 again, becomes a part of some other VPN C, then a VRF routing
>>instance is created for Site1 ("S1"). Also "S1-S2" routing instance is
>>edited such that it contains only routes from Site2. VRF
>>routing instance "S3" will still contain routes from Site3.
>
>Yes this is essentially correct, if a site moves from one VPN to
>another then its configuration must be moved to the correct VRF.
>
>>And if there is a Site4 also having memberships to VPN A and
>>VPN B, then its
>>routes are in "S1-S2" VRF routing instance ??
>
>Correct.
>
>>> >P.S. A comment on the doc. Calling the sites as "VPNA", "VPNB"
>>> >and "VPNAB" is confusing. Perhaps you can choose a better name
>>> >that describes the scenario ?
>>>
>>> I will send this on to the appropriate people internally. Do you
>>> have any suggestions for names?
>>
>>Just call them Site A, Site B and Site AB. (BTW, I assume your
>>"VPNAB" is a
>>whole another site and does not mean that either Site A or
>>Site B CE Router
>>has an additional interface now on the PE...is that right ?)
>
>This is correct and now I see the confusion. I will pass this
>on to the
>author.
>
>>
>>EOM.
>>
>>/bala
>>
>>
>>
>>
>>
>>> >
>>> >1. Per your doc the CE2 Router is in VPN A and VPN B. What if
>>> >there is another CE Router (say 'CE6' Router) that is directly
>>> >connected to the same PE Router (PE1 in your case) and it(CE6) is
>>> >also part of VPN A and B ? Will its VRF be similar to that of
>>> >VPNAB ?
>>>
>>> I believe in this case I would simply add the interface for CE6
>>> into the VRF, VPNAB and add the additional routes required for
>>> this new site.
>>>
>>> >2. On the same lines, what if CE6 instead is part of VPN A and
>>> >some other VPN C ? How will this affect the configuration ?
>>> >
>>>
>>> In this case you would have to create another VRF for VPN-AC with
>>> the appropriate RIB-Groups.
>>>
>>> >Before you could research further, are these two cases 'real
>>> >world' ?
>>> >
>>>
>>> With extranets I believe anything could be asked for.
>>>
>>> >
>>> >TIA
>>> >
>>> >bala
>>> >
>>> >
>>>
>>
>>
>
>



This archive was generated by hypermail 2b29 : Mon Aug 05 2002 - 10:42:37 EDT
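
The route-target import policy described in the message above (VPN-A imports Target:VPN:A, Target:VPN:B and Target:VPN:C; VPN-B and VPN-C each import their own target plus Target:VPN:A) can be checked mechanically for isolation between VPN-B and VPN-C. The following Python is an added example, not part of the original mail or of any Juniper tooling. It assumes each VRF exports only its own target, ignores PE placement and RIB-groups, and uses hypothetical function names.

```python
from itertools import combinations

# VRF route-target sets taken from the message. The export sets are an
# assumption: each VRF tags its routes with its own target only.
VRFS = {
    "VPN-A": {"export": {"Target:VPN:A"},
              "import": {"Target:VPN:A", "Target:VPN:B", "Target:VPN:C"}},
    "VPN-B": {"export": {"Target:VPN:B"},
              "import": {"Target:VPN:B", "Target:VPN:A"}},
    "VPN-C": {"export": {"Target:VPN:C"},
              "import": {"Target:VPN:C", "Target:VPN:A"}},
}
# Intended extranet policy from the message: A-B and A-C only.
ALLOWED = {frozenset({"VPN-A", "VPN-B"}), frozenset({"VPN-A", "VPN-C"})}

def learns_from(vrfs, dst, src):
    """True if VRF dst imports at least one target that VRF src exports."""
    return bool(vrfs[dst]["import"] & vrfs[src]["export"])

def reachability(vrfs):
    """Classify every VRF pair as 'two-way', 'one-way' or 'isolated'."""
    result = {}
    for a, b in combinations(sorted(vrfs), 2):
        directions = learns_from(vrfs, a, b) + learns_from(vrfs, b, a)
        result[(a, b)] = ("isolated", "one-way", "two-way")[directions]
    return result

def audit(vrfs, allowed):
    """List pairs whose route exchange deviates from the intended policy."""
    findings = []
    for pair, state in reachability(vrfs).items():
        intended = frozenset(pair) in allowed
        if state == "one-way":
            # Routes leak in one direction; traffic has no return route.
            findings.append((pair, "asymmetric import"))
        elif state == "two-way" and not intended:
            findings.append((pair, "unintended leak"))
        elif state == "isolated" and intended:
            findings.append((pair, "missing import"))
    return findings

if __name__ == "__main__":
    for pair, state in reachability(VRFS).items():
        print(pair, state)
    print("findings:", audit(VRFS, ALLOWED))
```

Adding Target:VPN:C to the VPN-B import set alone is reported as an asymmetric import; adding the reverse import as well is reported as an unintended leak between VPN-B and VPN-C.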