Hi there,

I'm trying to deploy a solution where I have a bunch of CEs connected to
the same PE, but they can only talk to each other by passing through the
firewall, so different RTs will not help. We could create different VRFs,
but that won't scale if you consider that I could have N CEs. I set up two
VRFs, Vrf VPN-TO-Hub and Vrf VPN-TO-Spoke, so each direction has its own
routing table.

The problem I'm facing is that I had to use static routes so the traffic
coming from the CEHub can reach each CE, but I don't think static routes
scale either.

I tried to leak with BGP; it didn't work, or I couldn't get it working :D.
If anyone out there could give me a hand with how I could use BGP instead of
static routes, I would be very thankful.

CE01--------PE01----MPLS---PE02---------CEHub------Firewall
              |
CEnn----------|

PE01

Routing Table: VPN-TO-Hub
Gateway of last resort is 10.1.3.3 to network 0.0.0.0
B* 0.0.0.0/0 [200/0] via 10.1.3.3, 00:26:00
100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 100.1.1.0/24 is directly connected, FastEthernet2/0
L 100.1.1.1/32 is directly connected, FastEthernet2/0
C 100.1.27.0/24 is directly connected, FastEthernet1/0
L 100.1.27.2/32 is directly connected, FastEthernet1/0

Routing Table: VPN-TO-Spoke
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
S 1.1.1.1 [1/0] via 100.1.1.2, FastEthernet2/0
7.0.0.0/32 is subnetted, 1 subnets
S 7.7.7.7 [1/0] via 100.1.27.7, FastEthernet1/0
100.0.0.0/32 is subnetted, 1 subnets
C 100.2.2.2 is directly connected, Loopback100

PE02

Routing Table: VPN-TO-Hub
Gateway of last resort is 100.1.10.2 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 100.1.10.2, 02:08:19
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.1.10.0/24 is directly connected, FastEthernet4/0.1
L 100.1.10.1/32 is directly connected, FastEthernet4/0.1

Routing Table: VPN-TO-Spoke
Gateway of last resort is not set
1.0.0.0/32 is subnetted, 1 subnets
B 1.1.1.1 [200/0] via 10.1.2.2, 00:27:18
7.0.0.0/32 is subnetted, 1 subnets
B 7.7.7.7 [200/0] via 10.1.2.2, 00:27:18
100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 100.1.20.0/24 is directly connected, FastEthernet4/0.2
L 100.1.20.1/32 is directly connected, FastEthernet4/0.2

trace ip
Target IP address: 7.7.7.7
Source address: 1.1.1.1
Numeric display [n]: y
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 7.7.7.7
1 100.1.1.1 32 msec 8 msec 8 msec
2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
8 100.1.27.7 [AS 65001] 32 msec * 24 msec

PE01

ip vrf VPN-TO-Hub
 rd 100:300
 route-target import 100:300
ip vrf VPN-TO-Spoke
 rd 100:400
 route-target export 100:400
!Interfaces facing CEs
interface FastEthernet1/0
 ip vrf forwarding VPN-TO-Hub
 ip address 100.1.27.2 255.255.255.0
 speed auto
 duplex auto
interface FastEthernet2/0
 ip vrf forwarding VPN-TO-Hub
 ip address 100.1.1.1 255.255.255.0
 speed auto
 duplex auto
ip route vrf VPN-TO-Spoke 1.1.1.1 255.255.255.255 FastEthernet2/0 100.1.1.2
ip route vrf VPN-TO-Spoke 7.7.7.7 255.255.255.255 FastEthernet1/0 100.1.27.7
!
route-map INBOUND deny 200
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.3.3 remote-as 100
 neighbor 10.1.3.3 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.1.3.3 activate
  neighbor 10.1.3.3 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN-TO-Hub
  no synchronization
  neighbor 100.1.1.2 remote-as 65000
  neighbor 100.1.1.2 activate
  neighbor 100.1.1.2 route-map INBOUND in
  neighbor 100.1.27.7 remote-as 65000
  neighbor 100.1.27.7 activate
  neighbor 100.1.27.7 route-map INBOUND in
 exit-address-family
 !
 address-family ipv4 vrf VPN-TO-Spoke
  no synchronization
  redistribute static
 exit-address-family

PE02

ip vrf VPN-TO-Hub
 rd 100:300
 route-target export 100:300
ip vrf VPN-TO-Spoke
 rd 100:400
 route-target import 100:400
interface FastEthernet4/0.1
 encapsulation dot1Q 10
 ip vrf forwarding VPN-TO-Hub
 ip address 100.1.10.1 255.255.255.0
interface FastEthernet4/0.2
 encapsulation dot1Q 20
 ip vrf forwarding VPN-TO-Spoke
 ip address 100.1.20.1 255.255.255.0
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.2.2 remote-as 100
 neighbor 10.1.2.2 update-source Loopback0
 no auto-summary
 !
 address-family vpnv4
  neighbor 10.1.2.2 activate
  neighbor 10.1.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf VPN-TO-Hub
  no synchronization
  neighbor 100.1.10.2 remote-as 65001
  neighbor 100.1.10.2 activate
 exit-address-family
 !
 address-family ipv4 vrf VPN-TO-Spoke
  no synchronization
  neighbor 100.1.20.2 remote-as 65001
  neighbor 100.1.20.2 activate
 exit-address-family

CEHub (Vrf-lite)

!To firewall
interface FastEthernet1/0.1
 encapsulation dot1Q 10
 ip vrf forwarding VPN-TO-Hub
 ip address 192.168.1.2 255.255.255.0
interface FastEthernet1/0.2
 encapsulation dot1Q 20
 ip vrf forwarding VPN-TO-Spoke
 ip address 192.168.2.2 255.255.255.0
!To PE
interface FastEthernet4/0.1
 encapsulation dot1Q 10
 ip vrf forwarding VPN-TO-Hub
 ip address 100.1.10.2 255.255.255.0
interface FastEthernet4/0.2
 encapsulation dot1Q 20
 ip vrf forwarding VPN-TO-Spoke
 ip address 100.1.20.2 255.255.255.0
ip route vrf VPN-TO-Hub 0.0.0.0 0.0.0.0 192.168.1.1
router bgp 65001
 no synchronization
 bgp router-id 4.4.4.4
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf VPN-TO-Hub
  no synchronization
  redistribute static
  neighbor 100.1.10.1 remote-as 100
  neighbor 100.1.10.1 activate
  default-information originate
 exit-address-family
 !
 address-family ipv4 vrf VPN-TO-Spoke
  no synchronization
  neighbor 100.1.20.1 remote-as 100
  neighbor 100.1.20.1 activate

BR,
--
*Alberto*

Blogs and organic groups at http://www.ccie.net
Received on Thu Feb 02 2012 - 21:44:49 ART
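
Added example, not part of the original post: a check that a spoke-to-spoke traceroute really detours through the firewall instead of being switched locally on PE01. It assumes the firewall sits on the two CEHub "!To firewall" subnets (192.168.1.0/24 and 192.168.2.0/24); the second trace and all function names are constructed for illustration.

```python
import ipaddress
import re

# Hop lines copied from the traceroute in the post (1.1.1.1 -> 7.7.7.7).
TRACE_VIA_HUB = """\
1 100.1.1.1 32 msec 8 msec 8 msec
2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
8 100.1.27.7 [AS 65001] 32 msec * 24 msec
"""

# Constructed sample: a trace that is switched CE-to-CE on PE01.
TRACE_LOCAL = """\
1 100.1.1.1 4 msec 4 msec 4 msec
2 100.1.27.7 8 msec * 8 msec
"""

# Assumption: firewall-facing subnets, from the CEHub interface config.
FW_HUB_SIDE = ipaddress.ip_network("192.168.1.0/24")    # VPN-TO-Hub leg
FW_SPOKE_SIDE = ipaddress.ip_network("192.168.2.0/24")  # VPN-TO-Spoke leg

# "<hop number> <IPv4 address> ..." as printed by IOS with numeric display.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_hops(trace_text):
    """Return responding hop addresses in order; '* * *' hops are skipped."""
    hops = []
    for line in trace_text.splitlines():
        match = HOP_RE.match(line)
        if match:
            hops.append(ipaddress.ip_address(match.group(2)))
    return hops


def traverses_firewall(trace_text):
    """True if the path enters the hub-side subnet before the spoke-side one."""
    hops = parse_hops(trace_text)
    hub = [i for i, hop in enumerate(hops) if hop in FW_HUB_SIDE]
    spoke = [i for i, hop in enumerate(hops) if hop in FW_SPOKE_SIDE]
    return bool(hub and spoke) and min(hub) < max(spoke)


if __name__ == "__main__":
    for name, trace in (("via hub", TRACE_VIA_HUB), ("local", TRACE_LOCAL)):
        print(name, "->", "OK" if traverses_firewall(trace) else "BYPASS")
```

Running it against a trace taken after every routing change gives a quick regression test that the segmentation still holds.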