[c-nsp] Central Services Topology - Design question

Harivishnu Abhilash Harivishnu.Abhilash at mannai.com.qa
Sun Jan 12 20:44:53 EST 2020



Hi Team,

Have a basic question on the traditional Central Services Topology in an MPLS VPN network in an SP. We want all the traffic between to be filtered by a firewall hooked to the HUB PE.
Basically thought to go ahead with the below (basic and standard!) import-export policy.


* Client sites will reach server sites. Importing routes with Server_RT into client VRFs will achieve this goal.

* Server sites will reach client sites. All client routes will be exported with a common route target (let's call it Client_RT) and will be imported into server VRFs based on this route target.

* Client sites will not communicate. Routes exported with Client_RT will not be imported into client VRFs.

                   HUB-PE
                  |      |
                  |      |
           SPOKE PE1    SPOKE PE2

Question: Have also seen comments in forums like: the best practice for this Hub and Spoke is to use TWO VRFs in the Hub site - "From-Spoke" and "To-Spoke".

Any benefit we can get from these 2 VRFs in the HUB? Hope the design I proposed also will not cause the traffic between spokes to be hairpinned from the HUB VRF, as the traffic will be switched using a per-prefix label in the last hop of the HUB PE (we are not using a per-vrf-table label, of course!). Running ASR9Ks.

Any thoughts would be great.

Thanks !



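Added example, not part of the original post: a small control-plane model of the three import/export rules listed in the message, which audits which VRFs end up holding which routes and flags a client VRF that wrongly imports Client_RT. The VRF names, prefixes and the `leaky_copy` helper are constructed for illustration; the model covers route import only, not label allocation or forwarding on the HUB PE.

```python
from itertools import combinations

def make_vrf(role, prefix):
    # Policy from the post: clients export Client_RT and import Server_RT;
    # servers export Server_RT and import Client_RT.
    if role == "client":
        return {"role": role, "prefix": prefix, "export": {"Client_RT"}, "import": {"Server_RT"}}
    return {"role": role, "prefix": prefix, "export": {"Server_RT"}, "import": {"Client_RT"}}

# Constructed sample VRFs; names and prefixes are illustrative only.
VRFS = {
    "spoke1-client": make_vrf("client", "10.1.0.0/24"),
    "spoke2-client": make_vrf("client", "10.2.0.0/24"),
    "hub-server": make_vrf("server", "10.100.0.0/24"),
}

def rib(vrfs, name):
    """Prefixes in a VRF: its own plus every route whose RTs match an import RT."""
    me = vrfs[name]
    return {me["prefix"]} | {v["prefix"] for n, v in vrfs.items()
                             if n != name and v["export"] & me["import"]}

def audit(vrfs):
    """Return violations of the post's three goals (control plane only)."""
    problems = []
    for a, b in combinations(sorted(vrfs), 2):
        a_sees_b = vrfs[b]["prefix"] in rib(vrfs, a)
        b_sees_a = vrfs[a]["prefix"] in rib(vrfs, b)
        roles = {vrfs[a]["role"], vrfs[b]["role"]}
        if roles == {"client"} and (a_sees_b or b_sees_a):
            problems.append(f"client leak: {a} <-> {b}")
        if roles == {"client", "server"} and not (a_sees_b and b_sees_a):
            problems.append(f"broken client/server path: {a} <-> {b}")
    return problems

def leaky_copy(vrfs, name):
    """Same VRFs, but `name` also imports Client_RT (a constructed config slip)."""
    out = {n: {**v, "import": set(v["import"])} for n, v in vrfs.items()}
    out[name]["import"].add("Client_RT")
    return out

if __name__ == "__main__":
    print("as proposed:", audit(VRFS) or "no violations")
    print("with slip:  ", audit(leaky_copy(VRFS, "spoke1-client")))
```
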

