Saturday, March 18, 2017

Hub and Spoke VPNs



  • Traffic from spokes can reach other spokes only through the hub.
  • Normally a PE receives the remote routes directly from the Route Reflector, accepting those whose route targets match its VRF. When it has to send traffic to a destination it has learned this way, it forwards it to the remote PE by pushing on a couple of labels.
  • To prevent spokes from sending traffic directly to other spokes, a spoke accepts only routes tagged with the hub community.
  • Now, because of the way IBGP behaves, routes that a PE receives are not reflected back to other PEs (unless it is a RR).
  • So to solve this problem, we create two VRFs on the hub PE. Let's call them the hub VRF and the spoke VRF.
  • Into the spoke VRF we import routes from all the spoke VRFs. These routes are advertised to a CE. From the same CE we learn the routes again, this time into the hub VRF.
  • From the hub VRF we advertise these routes to all the spokes. The spokes filter out routes carrying their own community (site-of-origin filter).

Configs:

Hub config:

r9@MX-LAB:r9> show configuration routing-instances    
HUB {
    instance-type vrf;
    interface lt-0/1/0.92;
    vrf-import nothing;
    vrf-export HUB-OUT;
    protocols {
        bgp {
            group grp1 {
                neighbor 2.92.0.2 {
                    peer-as 65001;
                }
            }
        }
    }
}
SPOKE {
    instance-type vrf;
    interface lt-0/1/0.93;
    vrf-import SPOKE-IN;
    vrf-export nothing;
    protocols {
        bgp {
            group grp1 {
                neighbor 2.93.0.2 {
                    peer-as 65001;
                }
            }
        }
    }
}



r9@MX-LAB:r9> show configuration policy-options 
policy-statement HUB-OUT {
    term 1 {
        from protocol bgp;
        then {
            community add hub;
            accept;
        }
    }
}
policy-statement SPOKE-IN {
    term 1 {
        from community spoke;
        then accept;
    }
}
policy-statement export-rr {
    term 1 {
        from protocol [ static direct ];
        then accept;
    }
}
policy-statement nothing {
    then reject;
}
community hub members target:100:1;
community spoke members target:200:1;

Spoke config:

r4@MX-LAB:r4> show configuration protocols bgp
group rr {
    type internal;
    local-address 4.4.4.4;
    family inet {
        labeled-unicast;
    }
    family inet-vpn {
        unicast;
    }
    family inet6 {
        labeled-unicast;
    }
    neighbor 6.6.6.6;
    neighbor 5.5.5.5;
}

r4@MX-LAB:r4> show configuration policy-options
policy-statement vrf1-in {
    term 1 {
        from community spoke4;
        then reject;
    }
    term 2 {
        from community hub;
        then accept;
    }
}
policy-statement vrf1-out {
    term 1 {
        then {
            community add spoke;
            community add spoke4;
            accept;
        }
    }
}
community hub members target:100:1;
community spoke members target:200:1;
community spoke4 members target:300:4;

r4@MX-LAB:r4> 
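To make the route flow described above concrete, here is an added example (not from the post, and not Junos code) that models each policy-statement in the hub and spoke configs as a small Python function and runs a few constructed spoke prefixes through them. It assumes three things the post does not state explicitly: spoke site numbers other than 4 use the same `target:300:<site>` site-of-origin scheme, the hub CE passes the extended communities through unchanged (so the site-of-origin tag survives the trip through the hub), and a vrf-import policy rejects anything it does not explicitly accept, as Junos does.

```python
"""Model of the hub-and-spoke route-target policies from the post.

Each Junos policy-statement (vrf1-out, vrf1-in, SPOKE-IN, HUB-OUT) is
modelled as a function that accepts or rejects routes based on their
extended communities. Added example, not the post's own code.
"""
from dataclasses import dataclass

# Community values as defined in the post's policy-options.
HUB = "target:100:1"     # community hub
SPOKE = "target:200:1"   # community spoke


def site_of_origin(site_id: int) -> str:
    """Per-spoke site-of-origin community, e.g. target:300:4 for r4.
    Site numbers other than 4 are assumed for this example."""
    return f"target:300:{site_id}"


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset


def spoke_vrf_export(prefix: str, site_id: int) -> Route:
    """vrf1-out on a spoke PE: add 'spoke' and the spoke's own site-of-origin."""
    return Route(prefix, frozenset({SPOKE, site_of_origin(site_id)}))


def spoke_vrf_import(routes, site_id: int):
    """vrf1-in on a spoke PE.
    term 1: reject anything carrying our own site-of-origin.
    term 2: accept routes tagged 'hub'.
    Anything else falls through to the implicit reject of a vrf-import policy
    (assumed Junos default)."""
    own = site_of_origin(site_id)
    return [r for r in routes
            if own not in r.communities and HUB in r.communities]


def hub_spoke_vrf_import(routes):
    """SPOKE-IN on the hub PE's SPOKE VRF: accept only routes tagged 'spoke'."""
    return [r for r in routes if SPOKE in r.communities]


def hub_vrf_export(routes):
    """HUB-OUT on the hub PE's HUB VRF: routes re-learned from the hub CE are
    exported with 'hub' added. 'community add' keeps the communities already
    present, so the site-of-origin tag survives (assumes the hub CE passes
    extended communities through unchanged)."""
    return [Route(r.prefix, r.communities | {HUB}) for r in routes]


def simulate(spokes: dict) -> dict:
    """spokes maps site_id -> prefix it originates.
    Returns the prefixes each spoke ends up with in its VRF."""
    # Every spoke PE exports its prefix towards the route reflector.
    rr_table = [spoke_vrf_export(p, s) for s, p in spokes.items()]

    # Hub PE: SPOKE VRF imports the spoke routes, hands them to the CE,
    # the CE sends them back into HUB VRF, which exports them tagged 'hub'.
    hub_routes = hub_vrf_export(hub_spoke_vrf_import(rr_table))

    # The RR now reflects both the original and the hub-tagged copies.
    rr_table = rr_table + hub_routes

    # Each spoke PE applies vrf1-in to everything the RR sends it.
    return {s: {r.prefix for r in spoke_vrf_import(rr_table, s)}
            for s in spokes}


def without_hub(spokes: dict) -> dict:
    """Same as simulate() but with the hub missing: shows that vrf1-in alone
    keeps a spoke from installing routes received straight from other spokes."""
    rr_table = [spoke_vrf_export(p, s) for s, p in spokes.items()]
    return {s: {r.prefix for r in spoke_vrf_import(rr_table, s)}
            for s in spokes}


if __name__ == "__main__":
    # Constructed sample prefixes for three spoke sites.
    sites = {4: "10.4.0.0/24", 5: "10.5.0.0/24", 6: "10.6.0.0/24"}
    print("via hub:    ", simulate(sites))
    print("without hub:", without_hub(sites))
```

Running it shows each spoke ending up with every other spoke's prefix but not its own, and an empty table when the hub is removed: the spoke-only tag never matches term 2 of vrf1-in, so nothing spoke-to-spoke is installed directly. The site-of-origin filter is what stops a spoke from re-learning its own prefix via the hub and pointing it at the hub PE.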
