Re: [j-nsp] Hub and Spoke VPN

Krzysztof Maj mkrzych at post.pl
Wed Nov 12 03:13:00 EST 2003


As I understood, two ifaces in separate VRFs are required in the scenario
when I want to send traffic via the hub back to other spokes. Is it
possible to communicate groups of spokes in this way (something like
a full mesh topology)?
My configs may be different: hub and spokes in the same PE or not; spokes
may talk to each other only via the hub, or in the scenario when I have 3
spokes in the same PE and one hub in a different PE, I want to send traffic
only via the hub back to other spokes.

> mkrzych at post.pl (Krzysztof Maj) writes:
> 
> > Hi,
> > I have a question about a VPN Hub and Spoke topology, but quite a bit
> > different than a normal Juniper configuration. As everybody can read in
> > the docs, I have for example 2 CEs connected to different PEs (Spokes) and
> > one PE with the hub CE router.
> > To achieve this topology I must configure two VRFs: one for spoke routes
> > and one for hub routes.
> 
> You need 2 route targets. You may or may not need two VRFs in a given PE.
> 
> > I must have two interfaces to the hub CE router
> > in different VRFs too. Is it true?
> 
> Not in most cases. The recommendation for 2 interfaces comes from
> scenarios where it is required to advertise routes received from
> remote spokes back into other spokes. Given that there is no loop
> prevention mechanism for that scenario, one must pass those through
> an external peering session that tags an AS# to it...
> 
> Still, w/ 6.0+ I would probably recommend that you use a logical router
> inside the box, or some other hackery, to loop routes around.
> 
> > 
> > Now imagine that I have 3 CE routers in one PE location and one CE
> > router in other PE location where the hub is connected. All 4 CE
> > routers are in the same VPN!
> 
> If you have spoke + hub in same PE these must be in separate VRFs. A
> VRF is essentially a routing view and these guys need a different view
> of the universe.
> 
> > I would like all traffic from particular CEs (Spokes) to be sent via the hub CE,
> > but not between CEs directly.
> > Remember that all routers are in the same VPN (I have one VRF).
> 
> Not sure I can parse this statement. A typical hub & spoke scenario is
> where spokes are not allowed to talk to each other directly.
> 
> The simplest configuration for this is:
> 
> routing-instances {
>     spoke {
>         instance-type vrf;
>         vrf-target import target:10458:1; /* hub RT */
>         vrf-target export target:10458:2; /* spoke RT */
>         interface ;
>     }
>     hub {
>         instance-type vrf;
>         vrf-target export target:10458:1; /* hub RT */
>         vrf-target import target:10458:2; /* spoke RT */
>         interface <if-hub>;
>         routing-options {
>             static {
>                 route x.y/z {    /* aggregate of spoke prefixes */
>                     next-hop <if-hub>;
>                 }
>             }
>         }
>     }
> }
> 
> This is if you have mpls switching downstream on the hub instance. If
> you want to enable IP switching there it is a tad bit more complex in
> terms of policy.
> 
> > 
> > The question is how I can do it?
> 
> In way too many ways :-)
> 
> Not sure I understand the full constraints of your problem.
> 
>   Pedro.
> 

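The route-target arrangement Pedro describes (spokes import the hub RT and export the spoke RT, the hub does the reverse and advertises a static aggregate) can be checked without a router by modelling the import/export step. The model below is an added illustration, not code from this thread or from Juniper; the PE names, the spoke prefixes 10.1.1.0/24 to 10.1.3.0/24, the aggregate 10.1.0.0/16 and the CE labels are constructed. It also covers the case Krzysztof raises of three spokes on one PE: with one shared spoke VRF the three CEs reach each other directly, so forcing spoke-to-spoke traffic through the hub needs a separate VRF (routing view) per spoke.

```python
"""Model of route-target (RT) based hub-and-spoke VPN import/export.

Added illustration only: models the RT import/export decision and a
longest-prefix lookup, not MPLS forwarding or BGP sessions.
"""
import ipaddress
from dataclasses import dataclass, field

HUB_RT = "target:10458:1"    # RT values taken from the quoted config
SPOKE_RT = "target:10458:2"


@dataclass
class Vrf:
    pe: str
    name: str
    import_rts: frozenset
    export_rts: frozenset
    local: dict = field(default_factory=dict)   # prefix -> local next hop

    @property
    def key(self):
        return f"{self.pe}:{self.name}"


def build_tables(vrfs):
    """Return {vrf_key: {prefix: next_hop}} after RT-based import.

    Each VRF advertises its local (CE-attached or static) prefixes with
    its export RTs; another VRF installs the prefix only if one of its
    import RTs matches. Prefixes learned this way are not re-exported,
    which is why a plain VRF does not loop spoke routes back to spokes.
    """
    adverts = [(prefix, v.export_rts, v.key) for v in vrfs for prefix in v.local]
    tables = {}
    for v in vrfs:
        table = {p: f"direct ({nh})" for p, nh in v.local.items()}
        for prefix, rts, origin in adverts:
            if origin != v.key and rts & v.import_rts and prefix not in table:
                table[prefix] = f"via {origin}"
        tables[v.key] = table
    return tables


def lookup(table, dst):
    """Longest-prefix match of dst in one VRF table; None if unreachable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return None if best is None else best[1]


def scenario(shared_spoke_vrf):
    """Constructed topology: three spoke CEs on PE1, hub CE on PE2."""
    spoke_prefixes = {"10.1.1.0/24": "ce-spoke1",
                      "10.1.2.0/24": "ce-spoke2",
                      "10.1.3.0/24": "ce-spoke3"}
    imp, exp = frozenset({HUB_RT}), frozenset({SPOKE_RT})
    if shared_spoke_vrf:
        # One VRF for all three spokes: their routes are local to each other.
        spokes = [Vrf("PE1", "spoke", imp, exp, dict(spoke_prefixes))]
    else:
        # One VRF per spoke: each spoke only sees what the hub exports.
        spokes = [Vrf("PE1", f"spoke{i}", imp, exp, {p: nh})
                  for i, (p, nh) in enumerate(spoke_prefixes.items(), 1)]
    hub = Vrf("PE2", "hub", frozenset({SPOKE_RT}), frozenset({HUB_RT}),
              {"10.1.0.0/16": "static -> if-hub"})   # aggregate of spoke prefixes
    return build_tables(spokes + [hub])


if __name__ == "__main__":
    for shared in (True, False):
        tables = scenario(shared)
        src = "PE1:spoke" if shared else "PE1:spoke1"
        print(f"shared VRF={shared}: {src} reaches 10.1.2.5 ->",
              lookup(tables[src], "10.1.2.5"))
```

Running it shows the two outcomes side by side: with one shared spoke VRF on PE1 the lookup for a neighbouring spoke returns a direct route, while with per-spoke VRFs the only match is the hub's aggregate, so the packet is hauled to PE2's hub instance and forwarded on from there.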
