[c-nsp] MPLS Overlapping VPN problem (lab simulation)

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Sat Jan 17 03:19:05 EST 2009


Marco <> wrote on Friday, January 16, 2009 20:53:

> HI,
> I'm studying for the MPLS exam and I wanted to create a small lab to
> recreate a scenario with overlapping MPLS-VPNs to get some practice.
> I took this example from the e-course I'm studying (Knowledgenet), but
> I'm not able to recreate it.
> 
> [...]
> 
> Notes:
> -Customer A should see all networks of customer B and vice versa
> -Each customer site cannot communicate directly with the other
> customer's sites. This means that all traffic between customers must
> pass through the central sites (A and B) for security reasons.
> -There are no restrictions for the intranet traffic.
> 
> To accomplish those requirements, I created these VRFs on Pe1
> (configuration on Pe2 is specular): 
> 
> ip vrf A
> rd 1:1
> route-target export 1:1
> route-target import 1:1
> !
> ip vrf AC                 !ip vrf BC (on Pe2)
> rd 1:123                  ! rd 2:123 (on Pe2)
> route-target export 1:1   ! 2:2 on Pe2
> route-target export 3:100 ! same on Pe2
> route-target import 1:1   ! 2:2 on Pe2
> route-target import 3:100 ! same on Pe2
> !
> ip vrf B
> rd 2:2
> route-target export 2:2
> route-target import 2:2
> 
> I expected that both PEs' VRFs (AC and BC) would be able to reach every
> network of the other customer, but probably something is missing in
> the configuration.
> The problem is that VRF B on Pe2 exports its routes to VRF BC and B1,
> but VRF BC does not export (with RT 3:100) the received routes to VRF
> AC and vice versa.

This is expected. Routes imported into a VRF x are not exported by this
VRF to other VRFs, a bit like BGP's rule where routes received from
an iBGP speaker are not advertised to other iBGP speakers. So you cannot
"loop back" the traffic on the PE itself.

Not sure if you can implement this with RT import/export on the PE
alone; you could multihome the CE devices for AC/BC and create a second
VRF linking the two hub sites, and force the traffic via the CE devices
(you could play tricks with loopback cables on the PE as well, but you
want to insert a FW/security device somewhere, for example on the CE).


  CE-AC === PE1 .... PE2 == CE-BC

PE1:

ip vrf A
 route-target both 1:1
!
ip vrf B
 route-target both 2:2
!
ip vrf AC-BC
 route-target both 3:3
!
int eth0/0
 description To AC hub site
int ethernet0/0.10
 ip vrf forwarding A
int eth0/0.20
 ip vrf forwarding AC-BC

and you create a routing setup on the CE where CE-AC will advertise the
routes received from one sub-interface to the other one and vice versa,
so it's the CE creating the interconnect.

Not sure if there are other options and I haven't had enough coffee to
see those :)

	oli

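The following is an added example, not code from Marco's post, from Oliver's reply or from Cisco. It is a small Python model of the route-target rule Oliver describes (a VRF exports only the prefixes it originates; imported routes are never re-exported) and runs both designs from the thread through it: Marco's AC/BC VRFs with the shared RT 3:100, and Oliver's AC-BC VRF with RT 3:3 plus dual-attached hub CEs. VRF names and RTs follow the thread where it gives them; the prefixes, the placement of hub and spoke sites on PE1/PE2 and the "PE:VRF" origin labels are constructed for illustration.

```python
"""Toy model of MPLS L3VPN route-target (RT) import/export.

Added example for this thread; not code from the original post or from Cisco.
Rule under test: a VRF exports only its locally originated prefixes with its
export RTs; prefixes it imported from other VRFs are not re-exported.
Prefixes, site placement and the "PE:VRF" origin labels are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VpnRoute:
    origin: str      # "PE:VRF" that originated the route (stands in for RD + next hop)
    prefix: str      # IPv4 prefix, e.g. "10.1.0.0/24" (constructed)
    rts: frozenset   # route-target extended communities attached on export


@dataclass
class Vrf:
    name: str                 # "PE1:A" etc., unique per PE + VRF
    export_rts: set
    import_rts: set
    local: set = field(default_factory=set)     # prefixes learned from the attached CE
    imported: set = field(default_factory=set)  # VpnRoute objects accepted via RT import


def advertise(vrfs):
    """VPNv4 table: each VRF exports its *local* prefixes tagged with its export RTs.
    Imported routes are deliberately not re-exported; that is the rule being modelled."""
    return {VpnRoute(v.name, p, frozenset(v.export_rts)) for v in vrfs for p in v.local}


def install(vrfs, table):
    """Each VRF accepts every route carrying at least one of its import RTs,
    except routes it originated itself."""
    for v in vrfs:
        v.imported = {r for r in table if r.origin != v.name and r.rts & v.import_rts}


def reachable(vrfs):
    """One advertise/import cycle; returns {vrf name: set of reachable prefixes}."""
    install(vrfs, advertise(vrfs))
    return {v.name: v.local | {r.prefix for r in v.imported} for v in vrfs}


def origins(vrf, prefix):
    """Which VRFs a prefix was imported from (empty if only known locally)."""
    return {r.origin for r in vrf.imported if r.prefix == prefix}


def converge(vrfs, ce_links, max_rounds=10):
    """Repeat cycles until nothing changes. ce_links holds (vrf_x, vrf_y) pairs on
    one PE that share a dual-attached CE re-advertising everything heard on one
    sub-interface into the other, so those prefixes become *local* on the far side."""
    by_name = {v.name: v for v in vrfs}
    for _ in range(max_rounds):
        reach = reachable(vrfs)
        changed = False
        for x, y in ce_links:
            for src, dst in ((x, y), (y, x)):
                new = reach[src] - by_name[dst].local
                if new:
                    by_name[dst].local |= new
                    changed = True
        if not changed:
            return reach
    raise RuntimeError("routing did not converge")


def marco_design():
    """The poster's VRFs: hub VRFs AC/BC carry the customer RT plus the shared
    RT 3:100, expecting BC to pass B's routes on to AC. It cannot: B's routes
    are *imported* into BC, so BC never exports them with 3:100."""
    vrfs = [
        Vrf("PE1:A",  {"1:1"},          {"1:1"},          {"10.1.1.0/24"}),  # A spoke site
        Vrf("PE1:AC", {"1:1", "3:100"}, {"1:1", "3:100"}, {"10.1.0.0/24"}),  # A hub site
        Vrf("PE2:B",  {"2:2"},          {"2:2"},          {"10.2.1.0/24"}),  # B spoke site
        Vrf("PE2:BC", {"2:2", "3:100"}, {"2:2", "3:100"}, {"10.2.0.0/24"}),  # B hub site
    ]
    return reachable(vrfs)


def oliver_design():
    """Oliver's variant: a third VRF AC-BC (RT 3:3) on each PE, with the hub CE
    attached to its customer VRF and to AC-BC on two sub-interfaces.
    Returns the reachable sets and where A's spoke learned B's hub prefix from."""
    vrfs = [
        Vrf("PE1:A",     {"1:1"}, {"1:1"}, {"10.1.0.0/24"}),   # hub AC, sub-int .10
        Vrf("PE1:AC-BC", {"3:3"}, {"3:3"}),                    # CE-AC, sub-int .20
        Vrf("PE1:B",     {"2:2"}, {"2:2"}, {"10.2.1.0/24"}),   # B spoke site
        Vrf("PE2:B",     {"2:2"}, {"2:2"}, {"10.2.0.0/24"}),   # hub BC, sub-int .10
        Vrf("PE2:AC-BC", {"3:3"}, {"3:3"}),                    # CE-BC, sub-int .20
        Vrf("PE2:A",     {"1:1"}, {"1:1"}, {"10.1.1.0/24"}),   # A spoke site
    ]
    reach = converge(vrfs, [("PE1:A", "PE1:AC-BC"), ("PE2:B", "PE2:AC-BC")])
    spoke_a = next(v for v in vrfs if v.name == "PE2:A")
    return reach, origins(spoke_a, "10.2.0.0/24")


if __name__ == "__main__":
    print("Marco:", marco_design())
    print("Oliver:", oliver_design())
```

With Marco's RTs the hub VRF AC ends up with its own prefix, A's spoke and BC's *local* hub prefix (via 3:100), but never B's spoke prefix, which only exists in BC as an imported route; A's spoke sees nothing of B at all. With Oliver's layout every VRF converges to the full set of prefixes, and the model also shows why the traffic really does go through the hubs: the only VRF from which A's spoke imports B's prefixes is PE1:A, i.e. the hub PE's VRF behind CE-AC, which is exactly where a firewall on the CE would sit.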
