[j-nsp] Hub and Spoke VPN

E.T.Metz at telecom.tno.nl E.T.Metz at telecom.tno.nl
Fri Nov 14 04:24:06 EST 2003 

There are a number of options to achieve what you want. However, since "without complicating things" is subject to personal opinion it is probably hard to identify the "simplest" options:

- One VRF for every spoke (on the same PE), but I understand this is too complex in your opinion.
- An upstream and a downstream VRF, this also requires a upstream and downstream interface per spoke. Spokes send traffic through the upstream VRF (that only imports a default from the hub), and receive traffc through the downstream interface/VRF. This introduces some issues related unidirectional links.
- GRE tunnels from spokes to hub, only distribute loopbacks in the VRF/VPN, rest of routing through tunnels (e.g. OSPF).
- L2VPN solution, this requires as many sub-interfaces on the hub as there are spokes.

Possibly there are number more ...

cheers,
	Eduard

ps in theory, you like to force the 'next-hop' of packets received on spoke interfaces (on the PE) to be set to the hub PE, but I'm not sure if this can be actually configured in a Juniper (or any other) box

> -----Original Message-----
> From: Adam Szymajda [mailto:aszymajd at wp.pl]
> Sent: vrijdag 14 november 2003 9:46
> To: juniper-nsp at puck.nether.net
> Subject: Re: Re: [j-nsp] Hub and Spoke VPN
> 
> 
> Let's say we have the following scenario:
>      _______         _______
> S----|     |         |     |
> S----|     |         |     |
> S----|     |         |     |-------Hub
> S----| PE1 |---------| PE2 |
> S----|     |         |     |
> S----|_____|         |_____|
> 
> S - spoke sites connected via different [sub]interfaces to the 
> same vrf.
> 
> The main goal is to force the spokes to communicate only via hub.
> Putting all spoke subinterfaces into single vrf is the simplest 
> solution to maintain and most preffered, however you have to set 
> static routes in this vrf to reach a particular spoke site. This 
> will cause that it is possible to reach spoke site 1 from spoke 
> site 2 omitting the hub site. (traffic will be routed within PE1 
> even if hub will export default route pointing it)
> There can be more PE's with spokes connected to it. Is there any 
> way to achieve it without complicating things, like separate VRF 
> for each site?
> 
> Best regards,
> Adam
> 
> -------------------------------------------------------------------
> Rozejrzyj się wokoło... świat wilkołaków i wampirów
> jest bliżej niż się wydaje! "Underworld" w kinach od 28 listopada!
> http://film.wp.pl/p/film.html?id=7801
> 
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list