Re: Complex MPLS VPN Hub and spoke

From: Marko Milivojevic <markom_at_ipexpert.com>
Date: Thu, 2 Feb 2012 17:03:16 -0800

At the hub site, you should either use "half-duplex vrf" feature, or
have inbound and outbound VRFs. As far as I'm aware, there's no other
way to do this kind of a solution (but it HAS been a few years since I
looked).

--
Marko Milivojevic - CCIE #18427 (SP R&S)
Senior CCIE Instructor - IPexpert
On Thu, Feb 2, 2012 at 15:44, Alberto Santos <albertofsantos_at_gmail.com> wrote:
> Hi there,
>
> I'm trying to deploy a solution where I have a bunch of CEs connected to
> the same PE, but they can only talk to each other by passing through the
> Firewall, so different RTs will not help. We could create different VRFs,
> but it won't scale if you think that I could have N CEs. I set up two
> VRFs, VRF VPN-TO-Hub and VRF VPN-TO-Spoke, so each direction has its own
> routing table.
>
> The problem I'm facing is that I had to use static routes so the traffic
> coming from the CEhub can reach each CE, but I don't think static routes
> scale either.
> I tried to leak with BGP; it didn't work, or I couldn't get it working :D.
>
> If anyone out there could give some help on how I could use BGP instead of
> static routes I would be very thankful.
>
>
> CE01--------PE01----MPLS---PE02---------CEHub------Firewall
>               |
> CEnn----------|
>
> PE01
> Routing Table: VPN-TO-Hub
>
> Gateway of last resort is 10.1.3.3 to network 0.0.0.0
>
> B*    0.0.0.0/0 [200/0] via 10.1.3.3, 00:26:00
>       100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
> C        100.1.1.0/24 is directly connected, FastEthernet2/0
> L        100.1.1.1/32 is directly connected, FastEthernet2/0
> C        100.1.27.0/24 is directly connected, FastEthernet1/0
> L        100.1.27.2/32 is directly connected, FastEthernet1/0
>
>
> Routing Table: VPN-TO-Spoke
>
> Gateway of last resort is not set
>
>       1.0.0.0/32 is subnetted, 1 subnets
> S        1.1.1.1 [1/0] via 100.1.1.2, FastEthernet2/0
>       7.0.0.0/32 is subnetted, 1 subnets
> S        7.7.7.7 [1/0] via 100.1.27.7, FastEthernet1/0
>       100.0.0.0/32 is subnetted, 1 subnets
> C        100.2.2.2 is directly connected, Loopback100
>
>
> PE02
> Routing Table: VPN-TO-Hub
>
> Gateway of last resort is 100.1.10.2 to network 0.0.0.0
>
> B*    0.0.0.0/0 [20/0] via 100.1.10.2, 02:08:19
>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C        100.1.10.0/24 is directly connected, FastEthernet4/0.1
> L        100.1.10.1/32 is directly connected, FastEthernet4/0.1
>
> Routing Table: VPN-TO-Spoke
>
> Gateway of last resort is not set
>
>       1.0.0.0/32 is subnetted, 1 subnets
> B        1.1.1.1 [200/0] via 10.1.2.2, 00:27:18
>       7.0.0.0/32 is subnetted, 1 subnets
> B        7.7.7.7 [200/0] via 10.1.2.2, 00:27:18
>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
> C        100.1.20.0/24 is directly connected, FastEthernet4/0.2
> L        100.1.20.1/32 is directly connected, FastEthernet4/0.2
>
>
> trace ip
>
> Target IP address: 7.7.7.7
> Source address: 1.1.1.1
> Numeric display [n]: y
> Timeout in seconds [3]:
> Probe count [3]:
> Minimum Time to Live [1]:
> Maximum Time to Live [30]:
> Port Number [33434]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Type escape sequence to abort.
> Tracing the route to 7.7.7.7
>
>   1 100.1.1.1 32 msec 8 msec 8 msec
>   2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
>   3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
>   4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
>   5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
>   6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
>   7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
>   8 100.1.27.7 [AS 65001] 32 msec *  24 msec
>
>
>
>
> PE01
> ip vrf VPN-TO-Hub
>  rd 100:300
>  route-target import 100:300
> ip vrf VPN-TO-Spoke
>  rd 100:400
>  route-target export 100:400
> !Interfaces facing CEs
> interface FastEthernet1/0
>  ip vrf forwarding VPN-TO-Hub
>  ip address 100.1.27.2 255.255.255.0
>  speed auto
>  duplex auto
> interface FastEthernet2/0
>  ip vrf forwarding VPN-TO-Hub
>  ip address 100.1.1.1 255.255.255.0
>  speed auto
>  duplex auto
> ip route vrf VPN-TO-Spoke 1.1.1.1 255.255.255.255 FastEthernet2/0 100.1.1.2
> ip route vrf VPN-TO-Spoke 7.7.7.7 255.255.255.255 FastEthernet1/0 100.1.27.7
> !
> route-map INBOUND deny 200
> !
> router bgp 100
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 10.1.3.3 remote-as 100
>  neighbor 10.1.3.3 update-source Loopback0
>  no auto-summary
>  !
>  address-family vpnv4
>  neighbor 10.1.3.3 activate
>  neighbor 10.1.3.3 send-community extended
>  exit-address-family
>  !
>  address-family ipv4 vrf VPN-TO-Hub
>  no synchronization
>  neighbor 100.1.1.2 remote-as 65000
>  neighbor 100.1.1.2 activate
>  neighbor 100.1.1.2 route-map INBOUND in
>  neighbor 100.1.27.7 remote-as 65000
>  neighbor 100.1.27.7 activate
>  neighbor 100.1.27.7 route-map INBOUND in
>  exit-address-family
>  !
>  address-family ipv4 vrf VPN-TO-Spoke
>  no synchronization
>  redistribute static
>  exit-address-family
>
>
> PE02
> ip vrf VPN-TO-Hub
>  rd 100:300
>  route-target export 100:300
> ip vrf VPN-TO-Spoke
>  rd 100:400
>  route-target import 100:400
>
> interface FastEthernet4/0.1
>  encapsulation dot1Q 10
>  ip vrf forwarding VPN-TO-Hub
>  ip address 100.1.10.1 255.255.255.0
> interface FastEthernet4/0.2
>  encapsulation dot1Q 20
>  ip vrf forwarding VPN-TO-Spoke
>  ip address 100.1.20.1 255.255.255.0
>
> router bgp 100
>  no synchronization
>  bgp log-neighbor-changes
>  neighbor 10.1.2.2 remote-as 100
>  neighbor 10.1.2.2 update-source Loopback0
>  no auto-summary
>  !
>  address-family vpnv4
>  neighbor 10.1.2.2 activate
>  neighbor 10.1.2.2 send-community extended
>  exit-address-family
>  !
>  address-family ipv4 vrf VPN-TO-Hub
>  no synchronization
>  neighbor 100.1.10.2 remote-as 65001
>  neighbor 100.1.10.2 activate
>  exit-address-family
>  !
>  address-family ipv4 vrf VPN-TO-Spoke
>  no synchronization
>  neighbor 100.1.20.2 remote-as 65001
>  neighbor 100.1.20.2 activate
>  exit-address-family
>
>
>
> CEHub (Vrf-lite)
>
> !To firewall
> interface FastEthernet1/0.1
>  encapsulation dot1Q 10
>  ip vrf forwarding VPN-TO-hub
>  ip address 192.168.1.2 255.255.255.0
> interface FastEthernet1/0.2
>  encapsulation dot1Q 20
>  ip vrf forwarding VPN-TO-Spoke
>  ip address 192.168.2.2 255.255.255.0
>
> !To PE
> interface FastEthernet4/0.1
>  encapsulation dot1Q 10
>  ip vrf forwarding VPN-TO-Hub
>  ip address 100.1.10.2 255.255.255.0
> interface FastEthernet4/0.2
>  encapsulation dot1Q 20
>  ip vrf forwarding VPN-TO-Spoke
>  ip address 100.1.20.2 255.255.255.0
>
> ip route vrf VPN-TO-Hub 0.0.0.0 0.0.0.0 192.168.1.1
>
> router bgp 65001
>  no synchronization
>  bgp router-id 4.4.4.4
>  bgp log-neighbor-changes
>  no auto-summary
>  !
>  address-family ipv4 vrf VPN-TO-Hub
>  no synchronization
>  redistribute static
>  neighbor 100.1.10.1 remote-as 100
>  neighbor 100.1.10.1 activate
>  default-information originate
>  exit-address-family
>  !
>  address-family ipv4 vrf VPN-TO-Spoke
>  no synchronization
>  neighbor 100.1.20.1 remote-as 100
>  neighbor 100.1.20.1 activate
>
>
> BR,
>
> --
> *Alberto*
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
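As an added illustration of the two hub-and-spoke behaviours under discussion (not code from either post; the VRF lookup semantics are a simplified model, and the next-hop labels such as `hub-PE02-via-MPLS` are constructed), this script shows why two spokes in one VRF on PE01 reach each other directly, and how a half-duplex VRF (upstream table for spoke ingress, downstream table for hub ingress) forces spoke-to-spoke traffic through the hub and its firewall:

```python
# Added illustration, not from the list thread.  A PE does a longest-prefix
# lookup in the VRF bound to the *ingress* interface.  With half-duplex VRF the
# spoke interfaces look up in an "upstream" VRF holding only the hub's default
# route, while the spoke prefixes live in a "downstream" VRF that is consulted
# only for traffic arriving from the hub side.  Addresses are the thread's;
# the VRF behaviour itself is a simplified model (assumption).
from ipaddress import ip_address, ip_network

HUB_DEFAULT = {"0.0.0.0/0": "hub-PE02-via-MPLS"}          # constructed label
SPOKES = {"1.1.1.1/32": "CE01 via 100.1.1.2",            # constructed labels
          "7.7.7.7/32": "CEnn via 100.1.27.7"}


def lookup(table, dst):
    """Longest-prefix match of dst in table; returns the next hop or None."""
    best = None
    for prefix, nexthop in table.items():
        net = ip_network(prefix)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None


def single_vrf_forward(dst):
    """One VRF on PE01 holding both the hub default and the spoke routes:
    spoke-to-spoke traffic is switched locally and never sees the firewall."""
    table = {**HUB_DEFAULT, **SPOKES}
    return lookup(table, dst)


def half_duplex_forward(dst, ingress):
    """ingress 'spoke' -> upstream VRF (default only);
    ingress 'hub'   -> downstream VRF (spoke routes only)."""
    upstream = dict(HUB_DEFAULT)
    downstream = dict(SPOKES)
    return lookup(upstream if ingress == "spoke" else downstream, dst)


if __name__ == "__main__":
    # CE01 (1.1.1.1) sending to CEnn (7.7.7.7):
    print("single VRF      :", single_vrf_forward("7.7.7.7"))
    print("half-duplex VRF :", half_duplex_forward("7.7.7.7", "spoke"))
    # Return traffic from the hub towards CEnn uses the downstream table:
    print("from hub        :", half_duplex_forward("7.7.7.7", "hub"))
```

The same model explains the static routes in the original post: PE01's VPN-TO-Spoke table is the downstream VRF, and whatever populates it (statics today, BGP leaking or a half-duplex VRF instead) must never be visible to the spoke-facing lookup.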
Received on Thu Feb 02 2012 - 17:03:16 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART