The internet VPN model would do this but it is not very scalable. I actually
deployed something like this with a customer. This lab is covered in
Narbik's Advanced MPLS course. There are 3 methods discussed, this being one
of them.
Paul
--
Paul Negron
CCIE# 14856 CCSI# 22752
Senior Technical Instructor

> From: Alberto <albertofsantos_at_gmail.com>
> Date: Fri, 3 Feb 2012 00:17:45 -0200
> To: Paul Negron <negron.paul_at_gmail.com>
> Cc: Marko Milivojevic <markom_at_ipexpert.com>, "<ccielab_at_groupstudy.com>"
> <ccielab_at_groupstudy.com>
> Subject: Re: Complex MPLS VPN Hub and spoke
>
> Almost like this but it won't go to the internet
>
> Here is the traffic flow
>
> CE01, PE01 mpls PE02 CEhub firewall CEhub PE02 mpls PE01 CE02
>
> Sent via iPhone
>
>
> On 02/02/2012, at 23:36, Paul Negron <negron.paul_at_gmail.com> wrote:
>
>> Are you thinking of something like............. 2 CE's using a default route
>> that is injected by an IGP or BGP that flows to a hub site on the VPN. It
>> then leaves out another VPN or a link in the clear that is protected by a
>> Firewall to the Internet or somewhere else?
>>
>> Paul
>> --
>> Paul Negron
>> CCIE# 14856 CCSI# 22752
>> Senior Technical Instructor
>>
>>
>>
>>> From: Marko Milivojevic <markom_at_ipexpert.com>
>>> Reply-To: Marko Milivojevic <markom_at_ipexpert.com>
>>> Date: Thu, 2 Feb 2012 17:03:16 -0800
>>> To: Alberto Santos <albertofsantos_at_gmail.com>
>>> Cc: <ccielab_at_groupstudy.com>
>>> Subject: Re: Complex MPLS VPN Hub and spoke
>>>
>>> At the hub site, you should either use "half-duplex vrf" feature, or
>>> have inbound and outbound VRFs. As far as I'm aware, there's no other
>>> way to do this kind of a solution (but it HAS been a few years since I
>>> looked).
>>>
>>> --
>>> Marko Milivojevic - CCIE #18427 (SP R&S)
>>> Senior CCIE Instructor - IPexpert
>>>
>>> On Thu, Feb 2, 2012 at 15:44, Alberto Santos <albertofsantos_at_gmail.com>
>>> wrote:
>>>> Hi there,
>>>>
>>>> I'm trying to deploy a solution where I have a bunch of CEs connected to
>>>> the same PE, but they can only talk to each other by passing through the
>>>> Firewall, so different RTs will not help; we could create different VRFs,
>>>> but it won't scale if you think that I could have N CEs. I set up two
>>>> VRFs, VRF VPN-TO-Hub and VRF VPN-TO-Spoke, so each direction has its own
>>>> routing table.
>>>>
>>>> The problem I'm facing is that I had to use static routes so the traffic
>>>> coming from the CEhub can reach each CE, but I don't think static routes
>>>> scale either.
>>>> I tried to leak with BGP; it didn't work, or I couldn't get it working :D.
>>>>
>>>> If anyone out there could help on how I could use BGP instead of
>>>> static routes I would be very thankful.
>>>>
>>>>
>>>> CE01--------PE01----MPLS---PE02---------CEHub------Firewall
>>>>               |
>>>> CEnn----------|
>>>>
>>>> PE01
>>>> Routing Table: VPN-TO-Hub
>>>>
>>>> Gateway of last resort is 10.1.3.3 to network 0.0.0.0
>>>>
>>>> B*    0.0.0.0/0 [200/0] via 10.1.3.3, 00:26:00
>>>>       100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
>>>> C        100.1.1.0/24 is directly connected, FastEthernet2/0
>>>> L        100.1.1.1/32 is directly connected, FastEthernet2/0
>>>> C        100.1.27.0/24 is directly connected, FastEthernet1/0
>>>> L        100.1.27.2/32 is directly connected, FastEthernet1/0
>>>>
>>>>
>>>> Routing Table: VPN-TO-Spoke
>>>>
>>>> Gateway of last resort is not set
>>>>
>>>>       1.0.0.0/32 is subnetted, 1 subnets
>>>> S        1.1.1.1 [1/0] via 100.1.1.2, FastEthernet2/0
>>>>       7.0.0.0/32 is subnetted, 1 subnets
>>>> S        7.7.7.7 [1/0] via 100.1.27.7, FastEthernet1/0
>>>>       100.0.0.0/32 is subnetted, 1 subnets
>>>> C        100.2.2.2 is directly connected, Loopback100
>>>>
>>>>
>>>> PE02
>>>> Routing Table: VPN-TO-Hub
>>>>
>>>> Gateway of last resort is 100.1.10.2 to network 0.0.0.0
>>>>
>>>> B*    0.0.0.0/0 [20/0] via 100.1.10.2, 02:08:19
>>>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>>> C        100.1.10.0/24 is directly connected, FastEthernet4/0.1
>>>> L        100.1.10.1/32 is directly connected, FastEthernet4/0.1
>>>>
>>>> Routing Table: VPN-TO-Spoke
>>>>
>>>> Gateway of last resort is not set
>>>>
>>>>       1.0.0.0/32 is subnetted, 1 subnets
>>>> B        1.1.1.1 [200/0] via 10.1.2.2, 00:27:18
>>>>       7.0.0.0/32 is subnetted, 1 subnets
>>>> B        7.7.7.7 [200/0] via 10.1.2.2, 00:27:18
>>>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>>> C        100.1.20.0/24 is directly connected, FastEthernet4/0.2
>>>> L        100.1.20.1/32 is directly connected, FastEthernet4/0.2
>>>>
>>>>
>>>> trace ip
>>>>
>>>> Target IP address: 7.7.7.7
>>>> Source address: 1.1.1.1
>>>> Numeric display [n]: y
>>>> Timeout in seconds [3]:
>>>> Probe count [3]:
>>>> Minimum Time to Live [1]:
>>>> Maximum Time to Live [30]:
>>>> Port Number [33434]:
>>>> Loose, Strict, Record, Timestamp, Verbose[none]:
>>>> Type escape sequence to abort.
>>>> Tracing the route to 7.7.7.7
>>>>
>>>>   1 100.1.1.1 32 msec 8 msec 8 msec
>>>>   2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
>>>>   3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
>>>>   4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
>>>>   5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
>>>>   6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
>>>>   7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
>>>>   8 100.1.27.7 [AS 65001] 32 msec *  24 msec
>>>>
>>>>
>>>>
>>>>
>>>> PE01
>>>> ip vrf VPN-TO-Hub
>>>>  rd 100:300
>>>>  route-target import 100:300
>>>> ip vrf VPN-TO-Spoke
>>>>  rd 100:400
>>>>  route-target export 100:400
>>>> !Interfaces facing CEs
>>>> interface FastEthernet1/0
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.27.2 255.255.255.0
>>>>  speed auto
>>>>  duplex auto
>>>> interface FastEthernet2/0
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.1.1 255.255.255.0
>>>>  speed auto
>>>>  duplex auto
>>>> ip route vrf VPN-TO-Spoke 1.1.1.1 255.255.255.255 FastEthernet2/0 100.1.1.2
>>>> ip route vrf VPN-TO-Spoke 7.7.7.7 255.255.255.255 FastEthernet1/0 100.1.27.7
>>>> !
>>>> route-map INBOUND deny 200
>>>> !
>>>> router bgp 100
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 10.1.3.3 remote-as 100
>>>>  neighbor 10.1.3.3 update-source Loopback0
>>>>  no auto-summary
>>>>  !
>>>>  address-family vpnv4
>>>>   neighbor 10.1.3.3 activate
>>>>   neighbor 10.1.3.3 send-community extended
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   neighbor 100.1.1.2 remote-as 65000
>>>>   neighbor 100.1.1.2 activate
>>>>   neighbor 100.1.1.2 route-map INBOUND in
>>>>   neighbor 100.1.27.7 remote-as 65000
>>>>   neighbor 100.1.27.7 activate
>>>>   neighbor 100.1.27.7 route-map INBOUND in
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   redistribute static
>>>>  exit-address-family
>>>>
>>>>
>>>> PE02
>>>> ip vrf VPN-TO-Hub
>>>>  rd 100:300
>>>>  route-target export 100:300
>>>> ip vrf VPN-TO-Spoke
>>>>  rd 100:400
>>>>  route-target import 100:400
>>>>
>>>> interface FastEthernet4/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.10.1 255.255.255.0
>>>> interface FastEthernet4/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 100.1.20.1 255.255.255.0
>>>>
>>>> router bgp 100
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 10.1.2.2 remote-as 100
>>>>  neighbor 10.1.2.2 update-source Loopback0
>>>>  no auto-summary
>>>>  !
>>>>  address-family vpnv4
>>>>   neighbor 10.1.2.2 activate
>>>>   neighbor 10.1.2.2 send-community extended
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   neighbor 100.1.10.2 remote-as 65001
>>>>   neighbor 100.1.10.2 activate
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   neighbor 100.1.20.2 remote-as 65001
>>>>   neighbor 100.1.20.2 activate
>>>>  exit-address-family
>>>>
>>>>
>>>>
>>>> CEHub (Vrf-lite)
>>>>
>>>> !To firewall
>>>> interface FastEthernet1/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 192.168.1.2 255.255.255.0
>>>> interface FastEthernet1/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 192.168.2.2 255.255.255.0
>>>>
>>>> !To PE
>>>> interface FastEthernet4/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.10.2 255.255.255.0
>>>> interface FastEthernet4/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 100.1.20.2 255.255.255.0
>>>>
>>>> ip route vrf VPN-TO-Hub 0.0.0.0 0.0.0.0 192.168.1.1
>>>>
>>>> router bgp 65001
>>>>  no synchronization
>>>>  bgp router-id 4.4.4.4
>>>>  bgp log-neighbor-changes
>>>>  no auto-summary
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   redistribute static
>>>>   neighbor 100.1.10.1 remote-as 100
>>>>   neighbor 100.1.10.1 activate
>>>>   default-information originate
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   neighbor 100.1.20.1 remote-as 100
>>>>   neighbor 100.1.20.1 activate
>>>>
>>>>
>>>> BR,
>>>>
>>>> --
>>>> *Alberto*
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html

Received on Thu Feb 02 2012 - 21:29:04 ART
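The two-VRF design in the thread only forces spoke-to-spoke traffic through the hub firewall because of the asymmetric route-target import/export on PE01 and PE02. The following is an added example, not from the thread or any vendor tool: a small Python model of RT-based VPNv4 import that is loaded with the RTs and prefixes from Alberto's PE01/PE02 configs, shows what each VRF ends up holding, and checks that the spoke-facing VRF never learns a spoke prefix directly. It also runs a constructed misconfiguration (importing the spoke RT into the spoke-facing VRF) to show the check catching a firewall bypass; connected routes are left out since nothing exports them.

```python
import copy

# (PE, VRF) -> RTs exported, RTs imported and locally originated prefixes
# (static, eBGP default), taken from the PE01/PE02 configs in the thread.
VRFS = {
    ("PE01", "VPN-TO-Hub"):   {"export": set(), "import": {"100:300"}, "local": []},
    ("PE01", "VPN-TO-Spoke"): {"export": {"100:400"}, "import": set(),
                               "local": ["1.1.1.1/32", "7.7.7.7/32"]},
    ("PE02", "VPN-TO-Hub"):   {"export": {"100:300"}, "import": set(),
                               "local": ["0.0.0.0/0"]},
    ("PE02", "VPN-TO-Spoke"): {"export": set(), "import": {"100:400"}, "local": []},
}
SPOKE_FACING = [("PE01", "VPN-TO-Hub")]     # the VRF holding the CE interfaces
SPOKE_PREFIXES = {"1.1.1.1/32", "7.7.7.7/32"}


def propagate(vrfs):
    """Return {(pe, vrf): {prefix: origin}} after MP-BGP route-target import.
    A route exported with RT set R is installed in every other VRF whose
    import set intersects R; locally originated routes are tagged 'local'."""
    tables = {key: {p: "local" for p in v["local"]} for key, v in vrfs.items()}
    for src, v in vrfs.items():
        for dst, w in vrfs.items():
            if dst != src and v["export"] & w["import"]:
                for prefix in v["local"]:
                    tables[dst].setdefault(prefix, "%s/%s" % src)
    return tables


def spokes_isolated(tables):
    """True if no spoke-facing VRF carries a specific route to a spoke prefix,
    i.e. spoke-to-spoke traffic can only follow the default toward the hub."""
    return all(not (SPOKE_PREFIXES & set(tables[key])) for key in SPOKE_FACING)


def with_bypass():
    """Constructed misconfiguration (hypothetical): importing the spoke RT
    into the spoke-facing VRF lets CE01 reach CE02 without the firewall."""
    bad = copy.deepcopy(VRFS)
    bad[("PE01", "VPN-TO-Hub")]["import"].add("100:400")
    return propagate(bad)


if __name__ == "__main__":
    for key, table in sorted(propagate(VRFS).items()):
        print("%s %-13s %s" % (key[0], key[1], table))
    print("spokes isolated:", spokes_isolated(propagate(VRFS)))
    print("with bypass:    ", spokes_isolated(with_bypass()))
```

The check covers only RT-driven leaking; a static or connected route added to the spoke-facing VRF would bypass the firewall just as silently, so an audit should also walk `ip route vrf` statements.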
This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART