Re: Complex MPLS VPN Hub and spoke

From: Paul Negron <negron.paul_at_gmail.com>
Date: Thu, 02 Feb 2012 20:36:12 -0500

Are you thinking of something like... 2 CEs using a default route
that is injected by an IGP or BGP that flows to a hub site on the VPN. It
then leaves out another VPN or a link in the clear that is protected by a
Firewall to the Internet or somewhere else?

Paul

-- 
Paul Negron
CCIE# 14856 CCSI# 22752
Senior Technical Instructor
> From: Marko Milivojevic <markom_at_ipexpert.com>
> Reply-To: Marko Milivojevic <markom_at_ipexpert.com>
> Date: Thu, 2 Feb 2012 17:03:16 -0800
> To: Alberto Santos <albertofsantos_at_gmail.com>
> Cc: <ccielab_at_groupstudy.com>
> Subject: Re: Complex MPLS VPN Hub and spoke
> 
> At the hub site, you should either use "half-duplex vrf" feature, or
> have inbound and outbound VRFs. As far as I'm aware, there's no other
> way to do this kind of a solution (but it HAS been a few years since I
> looked).
> 
> --
> Marko Milivojevic - CCIE #18427 (SP R&S)
> Senior CCIE Instructor - IPexpert
> 
> On Thu, Feb 2, 2012 at 15:44, Alberto Santos <albertofsantos_at_gmail.com> wrote:
>> Hi there,
>> 
>> I'm trying to deploy a solution where I have a bunch of CEs connected to
>> the same PE, but they can only talk to each other by passing through the
>> Firewall, so different RTs will not help. We could create different VRFs,
>> but it won't scale if you think that I could have N CEs. I set up two
>> VRFs, VRF VPN-TO-Hub and VRF VPN-TO-Spoke, so each direction has its own
>> routing table.
>> 
>> The problem I'm facing is that I had to use static routes so the traffic
>> coming from the CEHub can reach each CE, but I don't think static routes
>> scale either.
>> I tried to leak with BGP; it didn't work, or I couldn't get it working :D.
>> 
>> If anyone out there could give some help on how I could use BGP instead of
>> static routes I would be very thankful.
>> 
>> 
>> CE01--------PE01----MPLS---PE02---------CEHub------Firewall
>>               |
>> CEnn----------|
>> 
>> PE01
>> Routing Table: VPN-TO-Hub
>> 
>> Gateway of last resort is 10.1.3.3 to network 0.0.0.0
>> 
>> B*    0.0.0.0/0 [200/0] via 10.1.3.3, 00:26:00
>>       100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
>> C        100.1.1.0/24 is directly connected, FastEthernet2/0
>> L        100.1.1.1/32 is directly connected, FastEthernet2/0
>> C        100.1.27.0/24 is directly connected, FastEthernet1/0
>> L        100.1.27.2/32 is directly connected, FastEthernet1/0
>> 
>> 
>> Routing Table: VPN-TO-Spoke
>> 
>> Gateway of last resort is not set
>> 
>>       1.0.0.0/32 is subnetted, 1 subnets
>> S        1.1.1.1 [1/0] via 100.1.1.2, FastEthernet2/0
>>       7.0.0.0/32 is subnetted, 1 subnets
>> S        7.7.7.7 [1/0] via 100.1.27.7, FastEthernet1/0
>>       100.0.0.0/32 is subnetted, 1 subnets
>> C        100.2.2.2 is directly connected, Loopback100
>> 
>> 
>> PE02
>> Routing Table: VPN-TO-Hub
>> 
>> Gateway of last resort is 100.1.10.2 to network 0.0.0.0
>> 
>> B*    0.0.0.0/0 [20/0] via 100.1.10.2, 02:08:19
>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>> C        100.1.10.0/24 is directly connected, FastEthernet4/0.1
>> L        100.1.10.1/32 is directly connected, FastEthernet4/0.1
>> 
>> Routing Table: VPN-TO-Spoke
>> 
>> Gateway of last resort is not set
>> 
>>       1.0.0.0/32 is subnetted, 1 subnets
>> B        1.1.1.1 [200/0] via 10.1.2.2, 00:27:18
>>       7.0.0.0/32 is subnetted, 1 subnets
>> B        7.7.7.7 [200/0] via 10.1.2.2, 00:27:18
>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>> C        100.1.20.0/24 is directly connected, FastEthernet4/0.2
>> L        100.1.20.1/32 is directly connected, FastEthernet4/0.2
>> 
>> 
>> trace ip
>> 
>> Target IP address: 7.7.7.7
>> Source address: 1.1.1.1
>> Numeric display [n]: y
>> Timeout in seconds [3]:
>> Probe count [3]:
>> Minimum Time to Live [1]:
>> Maximum Time to Live [30]:
>> Port Number [33434]:
>> Loose, Strict, Record, Timestamp, Verbose[none]:
>> Type escape sequence to abort.
>> Tracing the route to 7.7.7.7
>> 
>>   1 100.1.1.1 32 msec 8 msec 8 msec
>>   2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
>>   3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
>>   4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
>>   5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
>>   6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
>>   7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
>>   8 100.1.27.7 [AS 65001] 32 msec *  24 msec
>> 
>> 
>> 
>> 
>> PE01
>> ip vrf VPN-TO-Hub
>>  rd 100:300
>>  route-target import 100:300
>> ip vrf VPN-TO-Spoke
>>  rd 100:400
>>  route-target export 100:400
>> !Interfaces facing CEs
>> interface FastEthernet1/0
>>  ip vrf forwarding VPN-TO-Hub
>>  ip address 100.1.27.2 255.255.255.0
>>  speed auto
>>  duplex auto
>> interface FastEthernet2/0
>>  ip vrf forwarding VPN-TO-Hub
>>  ip address 100.1.1.1 255.255.255.0
>>  speed auto
>>  duplex auto
>> ip route vrf VPN-TO-Spoke 1.1.1.1 255.255.255.255 FastEthernet2/0 100.1.1.2
>> ip route vrf VPN-TO-Spoke 7.7.7.7 255.255.255.255 FastEthernet1/0 100.1.27.7
>> !
>> route-map INBOUND deny 200
>> !
>> router bgp 100
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 10.1.3.3 remote-as 100
>>  neighbor 10.1.3.3 update-source Loopback0
>>  no auto-summary
>>  !
>>  address-family vpnv4
>>  neighbor 10.1.3.3 activate
>>  neighbor 10.1.3.3 send-community extended
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf VPN-TO-Hub
>>  no synchronization
>>  neighbor 100.1.1.2 remote-as 65000
>>  neighbor 100.1.1.2 activate
>>  neighbor 100.1.1.2 route-map INBOUND in
>>  neighbor 100.1.27.7 remote-as 65000
>>  neighbor 100.1.27.7 activate
>>  neighbor 100.1.27.7 route-map INBOUND in
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf VPN-TO-Spoke
>>  no synchronization
>>  redistribute static
>>  exit-address-family
>> 
>> 
>> PE02
>> ip vrf VPN-TO-Hub
>>  rd 100:300
>>  route-target export 100:300
>> ip vrf VPN-TO-Spoke
>>  rd 100:400
>>  route-target import 100:400
>> 
>> interface FastEthernet4/0.1
>>  encapsulation dot1Q 10
>>  ip vrf forwarding VPN-TO-Hub
>>  ip address 100.1.10.1 255.255.255.0
>> interface FastEthernet4/0.2
>>  encapsulation dot1Q 20
>>  ip vrf forwarding VPN-TO-Spoke
>>  ip address 100.1.20.1 255.255.255.0
>> 
>> router bgp 100
>>  no synchronization
>>  bgp log-neighbor-changes
>>  neighbor 10.1.2.2 remote-as 100
>>  neighbor 10.1.2.2 update-source Loopback0
>>  no auto-summary
>>  !
>>  address-family vpnv4
>>  neighbor 10.1.2.2 activate
>>  neighbor 10.1.2.2 send-community extended
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf VPN-TO-Hub
>>  no synchronization
>>  neighbor 100.1.10.2 remote-as 65001
>>  neighbor 100.1.10.2 activate
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf VPN-TO-Spoke
>>  no synchronization
>>  neighbor 100.1.20.2 remote-as 65001
>>  neighbor 100.1.20.2 activate
>>  exit-address-family
>> 
>> 
>> 
>> CEHub (Vrf-lite)
>> 
>> !To firewall
>> interface FastEthernet1/0.1
>>  encapsulation dot1Q 10
>>  ip vrf forwarding VPN-TO-Hub
>>  ip address 192.168.1.2 255.255.255.0
>> interface FastEthernet1/0.2
>>  encapsulation dot1Q 20
>>  ip vrf forwarding VPN-TO-Spoke
>>  ip address 192.168.2.2 255.255.255.0
>> 
>> !To PE
>> interface FastEthernet4/0.1
>>  encapsulation dot1Q 10
>>  ip vrf forwarding VPN-TO-Hub
>>  ip address 100.1.10.2 255.255.255.0
>> interface FastEthernet4/0.2
>>  encapsulation dot1Q 20
>>  ip vrf forwarding VPN-TO-Spoke
>>  ip address 100.1.20.2 255.255.255.0
>> 
>> ip route vrf VPN-TO-Hub 0.0.0.0 0.0.0.0 192.168.1.1
>> 
>> router bgp 65001
>>  no synchronization
>>  bgp router-id 4.4.4.4
>>  bgp log-neighbor-changes
>>  no auto-summary
>>  !
>>  address-family ipv4 vrf VPN-TO-Hub
>>  no synchronization
>>  redistribute static
>>  neighbor 100.1.10.1 remote-as 100
>>  neighbor 100.1.10.1 activate
>>  default-information originate
>>  exit-address-family
>>  !
>>  address-family ipv4 vrf VPN-TO-Spoke
>>  no synchronization
>>  neighbor 100.1.20.1 remote-as 100
>>  neighbor 100.1.20.1 activate
>> 
>> 
>> BR,
>> 
>> --
>> *Alberto*
>> 
>> 
>> Blogs and organic groups at http://www.ccie.net
>> 
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
> 
> 
Received on Thu Feb 02 2012 - 20:36:12 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART
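Added example, not code from the thread or from any of its posters: a small Python checker that parses `ip vrf` stanzas in the style Alberto posted (the PE01 and PE02 stanzas are embedded below as constructed sample text) and verifies, from the route-target import/export pairing alone, that spoke routes can only land in a VRF on the hub PE. That is the property the whole design rests on: if any spoke-side VRF imports what another spoke-side VRF exports, spokes can reach each other without crossing the hub and its firewall. All function and variable names are my own.

```python
"""Check that an MPLS VPN hub-and-spoke RT design never lets spoke VRFs
import each other's routes directly (only the hub PE may import them)."""
import re
from collections import defaultdict

# Constructed sample: the ip vrf stanzas from the PE01 and PE02 configs posted
# in the thread (rd lines are parsed past; only route-targets matter here).
PE_CONFIGS = {
    "PE01": "ip vrf VPN-TO-Hub\n rd 100:300\n route-target import 100:300\n"
            "ip vrf VPN-TO-Spoke\n rd 100:400\n route-target export 100:400\n",
    "PE02": "ip vrf VPN-TO-Hub\n rd 100:300\n route-target export 100:300\n"
            "ip vrf VPN-TO-Spoke\n rd 100:400\n route-target import 100:400\n",
}

def parse_vrfs(config):
    """Return {vrf_name: {"import": set_of_rts, "export": set_of_rts}}."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"import": set(), "export": set()}
            continue
        m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if m and current:
            direction, rt = m.groups()
            dirs = ("import", "export") if direction == "both" else (direction,)
            for d in dirs:
                vrfs[current][d].add(rt)
    return vrfs

def reachability(pe_configs):
    """Map (pe, vrf) -> set of (pe, vrf) whose exported routes it imports."""
    vrfs = {(pe, name): rts for pe, cfg in pe_configs.items()
            for name, rts in parse_vrfs(cfg).items()}
    reach = defaultdict(set)
    for dst, d_rts in vrfs.items():
        for src, s_rts in vrfs.items():
            if src != dst and d_rts["import"] & s_rts["export"]:
                reach[dst].add(src)   # a shared RT means routes flow src -> dst
    return dict(reach)

def spoke_to_spoke_leaks(pe_configs, hub_pe):
    """List (src, dst) VRF pairs that exchange routes without the hub PE on
    either end, i.e. paths that would bypass the hub-side firewall."""
    return sorted((src, dst) for dst, srcs in reachability(pe_configs).items()
                  for src in srcs if hub_pe not in (src[0], dst[0]))

if __name__ == "__main__":
    print("leaks:", spoke_to_spoke_leaks(PE_CONFIGS, "PE02"))  # expect []
```

Feeding it a variant in which PE01's VPN-TO-Hub also imports 100:400 makes the checker report the PE01 VPN-TO-Spoke to VPN-TO-Hub path, which is exactly the spoke-to-spoke shortcut the two-VRF split is meant to prevent.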