[j-nsp] Hub and Spoke VPN
joe lin
jlin at doradosoftware.com
Fri Nov 14 10:16:28 EST 2003
You should have a separate vrf per spoke site. This way, you can avoid
possible operational config fubars, and each spoke site's view of the world
would be contain in their own vrf.
if you want all the spokes in one vrf because of design issues. You could
achieve the same if you used static routes or do policy trickery/egress
filtering..
but that seems like a lot of work when the easy way is to have a vrf per
spoke.
If this is for L2VPN or CCC, you can nail up p2p connections from spoke to
hub..
-joe
----- Original Message -----
From: "Adam Szymajda" <aszymajd at wp.pl>
To: <juniper-nsp at puck.nether.net>
Sent: Friday, November 14, 2003 12:46 AM
Subject: Re: Re: [j-nsp] Hub and Spoke VPN
> Let's say we have the following scenario:
> _______ _______
> S----| | | |
> S----| | | |
> S----| | | |-------Hub
> S----| PE1 |---------| PE2 |
> S----| | | |
> S----|_____| |_____|
>
> S - spoke sites connected via different [sub]interfaces to the
> same vrf.
>
> The main goal is to force the spokes to communicate only via hub.
> Putting all spoke subinterfaces into single vrf is the simplest
> solution to maintain and most preffered, however you have to set
> static routes in this vrf to reach a particular spoke site. This
> will cause that it is possible to reach spoke site 1 from spoke
> site 2 omitting the hub site. (traffic will be routed within PE1
> even if hub will export default route pointing it)
> There can be more PE's with spokes connected to it. Is there any
> way to achieve it without complicating things, like separate VRF
> for each site?
>
> Best regards,
> Adam
>
> -------------------------------------------------------------------
> Rozejrzyj się wokoło... świat wilkołaków i wampirów
> jest bliżej niż się wydaje! "Underworld" w kinach od 28 listopada!
> http://film.wp.pl/p/film.html?id=7801
>
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
More information about the juniper-nsp
mailing list