RE: [j-nsp] Extranet in MPLS VPNs

From: Bala Subrahmanyam Venkata (bsubrahm@doradosoftware.com)
Date: Wed Oct 17 2001 - 13:34:11 EDT


Gary, you mentioned in your last email that:

> IMHO Saying sites are in more than one VPN builds the wrong mental
> picture unless they are physically connected as above.

So can I then say :

1. A Site being a member of more than one VPN
2. Extranet

are two distinct things ? If so, is it common that case 1 happens in
Intranet scenarios ?

Also I assume that case 1 can be implemented using JunOS even if the Site
has only ONE CE Router, is that right ?

TIA for your time ! EOM.

/bala

> >>Thanx for the response Gary. I have some questions along the
> >>same lines.
> >>
> >>Does Juniper's implementation then mandate that for every
> >>site that needs
> >>to be in more than one VPN it must have its routes in a
> >>separate VRF routing
> >>instance ?
> >
> >No this is not the case.
>
> I meant to explain:) -
>
> For a Site to belong to a VPN, at least one of the CEs of this Site must
> be connected to at least one PE-VRF that is associated with that VPN.
>
> (Note CEs from the same site do not have to be connected to the Same PE,
> and can be connected physically to different VPN's on the same PE or
> different PE's).
>
> Valid Physical configurations:
>
> SITE 1
>
> CE1---- VRF VPNA (PE1)
> |
> CE2---- VRF VPNA (PE2)
>
> SITE 1
>
> CE1---- VRF VPNA (PE1)
> `---- VRF VPNA (PE2)
>
> SITE 1
>
> CE1---- VRF VPNA (PE1)
> |
> CE2---- VRF VPNB (PE2)
>
> SITE 1
>
> CE1---- VRF VPNA (PE1)
> `---- VRF VPNB (PE1)
>
>
> IMHO Saying sites are in more than one VPN builds the wrong mental
> picture unless they are physically connected as above.
>
> For extranets (IMHO) It is better to state a case like Sites from VPN-A
> need access to Sites in VPN-B and VPN-C. Sites in VPN-B and VPN-C do
> not need to have access to each other.
>
> in this example Route targets would be used to import routes into VRFs
> for sites on different PEs e.g.
>
> VRF for VPN A would import routes from sites in VPN-A (Target:VPN:A),
> from Sites in VPN-B (Target:VPN:B) and Sites in VPN-C (Target:VPN:C)
> which are connected to other PE's.
>
> VRF for VPN B Would import routes from Sites in VPN-B (Target:VPN:B) and
> from Sites in VPN-A (Target:VPN:A), which are connected to other PE's.
>
> VRF for VPN C Would import routes from Sites in VPN-C (Target:VPN:C) and
> from Sites in VPN-A (Target:VPN:A), which are connected to other PE's.
>
> So A and B can communicate
> A and C can communicate
> B and C cannot
>
> The RIB-groups perform the same functionality as Route Targets for
> importing routes *between* Sites of different VPN's (VRFs), connected to
> the *same* PE, which need to communicate with each other.
>
> I hope this is clear.
>
> >
> >>For eg., if
> >>
> >>VPN A has sites Site1, Site2 and Site3
> >>VPN B has Site1 and Site2
> >>
> >>(assumption: Site1, Site2 & Site3 are attached to the same PE
> >>router. Each has its own CE Router in its site pointing to the PE.)
> >>
> >>then, it means Site1 & Site2 routes will be in a VRF routing instance
> >>("S1-S2") and Site3 routes will be in another VRF routing
> >>instance ("S3").
> >
> >Yes this is correct.
> >
> >>If Site1 again, becomes a part of some other VPN C, then a VRF routing
> >>instance is created for Site1 ("S1"). Also "S1-S2" routing instance is
> >>edited such that it contains only routes from Site2. VRF
> >>routing instance "S3" will still contain routes from Site3.
> >
> >Yes this is essentially correct, if a site moves from one VPN
> >to another
> >then its configuration must be moved to the correct VRF.
> >
> >>And if there is a Site4 also having memberships to VPN A and
> >>VPN B, then its
> >>routes are in "S1-S2" VRF routing instance ??
> >
> >Correct.
> >
> >>> >P.S. A comment on the doc. Calling the sites as "VPNA", "VPNB"
> >>> >and "VPNAB"
> >>> >is confusing. Perhaps you can choose a better name that
> >>describes the
> >>> >scenario ?
> >>>
> >>> I will send this on the appropriate people internally. Do
> >>you have any
> >>> suggestions for names?
> >>
> >>Just call them Site A, Site B and Site AB. (BTW, I assume your
> >>"VPNAB" is a
> >>whole another site and does not mean that either Site A or
> >>Site B CE Router
> >>has an additional interface now on the PE...is that right ?)
> >
> >This is correct and now I see the confusion. I will pass this
> >on to the
> >author.
> >
> >>
> >>EOM.
> >>
> >>/bala
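
The route-target import scheme quoted above (VPN-A reaches VPN-B and VPN-C, while B and C stay separate) can be checked mechanically. The following is an added example, not part of the original thread and not Juniper code: it models each VRF's import and export targets and reports any pair whose route exchange differs from the intended policy. The `Target:VPN:x` strings are the thread's placeholder notation, the table and function names are assumptions, and the model covers route-target import only, not the RIB-group case for VRFs on the same PE.

```python
from itertools import combinations

# Constructed policy table using the thread's notation (Target:VPN:x is a
# placeholder, not a real community value). Each VRF exports its own target.
VRFS = {
    "VPN-A": {"export": {"Target:VPN:A"},
              "import": {"Target:VPN:A", "Target:VPN:B", "Target:VPN:C"}},
    "VPN-B": {"export": {"Target:VPN:B"},
              "import": {"Target:VPN:B", "Target:VPN:A"}},
    "VPN-C": {"export": {"Target:VPN:C"},
              "import": {"Target:VPN:C", "Target:VPN:A"}},
}
# Intended extranet policy from the thread: A<->B and A<->C only.
INTENDED = {frozenset({"VPN-A", "VPN-B"}), frozenset({"VPN-A", "VPN-C"})}

def learns_from(vrfs, dst, src):
    """True if VRF dst imports at least one target that VRF src exports."""
    return bool(vrfs[dst]["import"] & vrfs[src]["export"])

def reachability(vrfs):
    """Classify each VRF pair as 'two-way', 'one-way' or 'isolated'."""
    result = {}
    for a, b in combinations(sorted(vrfs), 2):
        ab, ba = learns_from(vrfs, a, b), learns_from(vrfs, b, a)
        result[(a, b)] = ("two-way" if ab and ba
                          else "one-way" if ab or ba else "isolated")
    return result

def violations(vrfs, intended):
    """Pairs whose route exchange differs from the intended policy."""
    bad = []
    for pair, state in reachability(vrfs).items():
        want = "two-way" if frozenset(pair) in intended else "isolated"
        if state != want:
            bad.append((pair, state))
    return bad

def with_import(vrfs, vrf, target):
    """Copy of the table with one extra import target on one VRF."""
    new = {n: {k: set(v) for k, v in p.items()} for n, p in vrfs.items()}
    new[vrf]["import"].add(target)
    return new

if __name__ == "__main__":
    print(reachability(VRFS))
    # A stray import on VPN-B: it now learns VPN-C routes (one-way leak).
    print(violations(with_import(VRFS, "VPN-B", "Target:VPN:C"), INTENDED))
```

A "one-way" result means one VRF holds the other's routes without the reverse import, which is still a departure from the intended separation even though return traffic has no route.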


