[j-nsp] Hub and Spoke VPN
Joe Lin
jlin at doradosoftware.com
Fri Nov 7 19:17:15 EST 2003
In 6.0+ can you shed some light regarding to the use of logical router
or other hackeries to loop routes around?
-joe
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Pedro Roque
Marques
Sent: Friday, November 07, 2003 2:32 PM
To: Krzysztof Maj
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Hub and Spoke VPN
mkrzych at post.pl (Krzysztof Maj) writes:
> Hi,
> I have a question about a VPN Hub and Spoke topology, but a quite bit
> diffrent then a normal Juniper configuration. As everybody can read in
> docs I have for example 2 CE's connected to diffrent PE's (Spokes) and
> one PE with HUB CE router.
> To achieve this topology I must to configure two VRF: one for spokes
> and one for Hub routes.
You need 2 route targets. You may or may not need two VRFs in a given
PE.
> I must to have two interfaces to hub CE router
> in diffrent VRFs too. Is it true?
Not is most cases. The recomendation for 2 interfaces comes from
scenarios where it is required to advertised routes received from
remote spokes back into other spokes. Given that there is no loop
prevention mechanism for that scenario, one must pass those through
and external peering session that tags an AS# to it...
Still, w/ 6.0+ i would probably recomend that you use a logical router
inside the box, or some other hackery, to loop routes around.
>
> Now imagine that I have 3 CE routers in one PE location and one CE
> router in other PE location where the hub is connected. All 4 CE
> routers are in the same VPN!
If you have spoke + hub in same PE these must be in separate VRFs. A
VRF is essentially a routing view and these guys need a different view
of the universe.
> I like to all traffic from particular CE's (Spokes) send via Hub CE,
> but not between CE's directly.
> Remember that all routers are in the same VPN (I have one VRF).
Not sure i can parse this statement. A typical hub & spoke scenario is
where spokes are not allowed to talk to each other directly.
The simplest configuration for this is:
routing-instances {
spoke {
instance-type vrf;
vrf-target import target:10458:1; /* hub RT */
vrf-target export target:10458:2; /* spoke RT */
interface ;
}
hub {
instance-type vrf;
vrf-target export target:10458:1; /* hub RT */
vrf-target import target:10458:2; /* spoke RT */
interface <if-hub>;
routing-options {
static {
x.y/z { /* aggregate of spoke
prefixes */
next-hop <if-hub>;
}
}
}
}
}
This is if you have mpls switching downstream on the hub instance. If
you want to enable IP switching there it is a tad bit more complex in
terms of policy.
>
> The question is how I can do it?
In way too many ways :-)
Not sure i understand the full contrains of your problem.
Pedro.
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list