Re: Complex MPLS VPN Hub and spoke

From: Carlos G Mendioroz <tron_at_huapi.ba.ar>
Date: Fri, 03 Feb 2012 08:09:12 -0300

What is the problem with just having 2 RTs, spoke-originated and hub
originated? That will make all the traffic go through CEHub.
Now you need some policy routing to force MPLS-side traffic to the
firewall. (If you use half-duplex VRF then you can't use IGP, it seems,
but it's kind of the same idea.)

-Carlos

Alberto @ 02/02/2012 23:17 -0300 dixit:
> Almost like this, but it won't go to the internet
>
> Here is the traffic flow
>
> CE01, PE01 mpls PE02 CEhub firewall CEhub PE02 mpls PE01 CE02
>
> Sent via iPhone
>
>
> On 02/02/2012, at 23:36, Paul Negron<negron.paul_at_gmail.com> wrote:
>
>> Are you thinking of something like............. 2 CE's using a default route
>> that is injected by an IGP or BGP that flows to a hub site on the VPN. It
>> then leaves out another VPN or a link in the clear that is protected by a
>> Firewall to the Internet or somewhere else?
>>
>> Paul
>> --
>> Paul Negron
>> CCIE# 14856 CCSI# 22752
>> Senior Technical Instructor
>>
>>
>>
>>> From: Marko Milivojevic<markom_at_ipexpert.com>
>>> Reply-To: Marko Milivojevic<markom_at_ipexpert.com>
>>> Date: Thu, 2 Feb 2012 17:03:16 -0800
>>> To: Alberto Santos<albertofsantos_at_gmail.com>
>>> Cc:<ccielab_at_groupstudy.com>
>>> Subject: Re: Complex MPLS VPN Hub and spoke
>>>
>>> At the hub site, you should either use "half-duplex vrf" feature, or
>>> have inbound and outbound VRFs. As far as I'm aware, there's no other
>>> way to do this kind of a solution (but it HAS been a few years since I
>>> looked).
>>>
>>> --
>>> Marko Milivojevic - CCIE #18427 (SP R&S)
>>> Senior CCIE Instructor - IPexpert
>>>
>>> On Thu, Feb 2, 2012 at 15:44, Alberto Santos<albertofsantos_at_gmail.com> wrote:
>>>> Hi there,
>>>>
>>>> I'm trying to deploy a solution where I have a bunch of CEs connected to
>>>> the same PE, but they can only talk to each other by passing through the
>>>> Firewall, so different RTs will not help. We could create different VRFs,
>>>> but it won't scale if you think that I could have N CEs. I set up two
>>>> VRFs, VRF VPN-TO-Hub and VRF VPN-TO-Spoke, so each direction has its own
>>>> routing table.
>>>>
>>>> The problem I'm facing is that I had to use static routes so the traffic
>>>> coming from the CEhub can reach each CE, but I don't think static routes
>>>> scale either.
>>>> I tried to leak with BGP; it didn't work, or I couldn't get it working :D.
>>>>
>>>> If anyone out there could give some help on how I could use BGP instead of
>>>> static routes I would be very thankful.
>>>>
>>>>
>>>> CE01--------PE01----MPLS---PE02---------CEHub------Firewall
>>>>               |
>>>> CEnn----------|
>>>>
>>>> PE01
>>>> Routing Table: VPN-TO-Hub
>>>>
>>>> Gateway of last resort is 10.1.3.3 to network 0.0.0.0
>>>>
>>>> B*    0.0.0.0/0 [200/0] via 10.1.3.3, 00:26:00
>>>>       100.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
>>>> C        100.1.1.0/24 is directly connected, FastEthernet2/0
>>>> L        100.1.1.1/32 is directly connected, FastEthernet2/0
>>>> C        100.1.27.0/24 is directly connected, FastEthernet1/0
>>>> L        100.1.27.2/32 is directly connected, FastEthernet1/0
>>>>
>>>>
>>>> Routing Table: VPN-TO-Spoke
>>>>
>>>> Gateway of last resort is not set
>>>>
>>>>       1.0.0.0/32 is subnetted, 1 subnets
>>>> S        1.1.1.1 [1/0] via 100.1.1.2, FastEthernet2/0
>>>>       7.0.0.0/32 is subnetted, 1 subnets
>>>> S        7.7.7.7 [1/0] via 100.1.27.7, FastEthernet1/0
>>>>       100.0.0.0/32 is subnetted, 1 subnets
>>>> C        100.2.2.2 is directly connected, Loopback100
>>>>
>>>>
>>>> PE02
>>>> Routing Table: VPN-TO-Hub
>>>>
>>>> Gateway of last resort is 100.1.10.2 to network 0.0.0.0
>>>>
>>>> B*    0.0.0.0/0 [20/0] via 100.1.10.2, 02:08:19
>>>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>>> C        100.1.10.0/24 is directly connected, FastEthernet4/0.1
>>>> L        100.1.10.1/32 is directly connected, FastEthernet4/0.1
>>>>
>>>> Routing Table: VPN-TO-Spoke
>>>>
>>>> Gateway of last resort is not set
>>>>
>>>>       1.0.0.0/32 is subnetted, 1 subnets
>>>> B        1.1.1.1 [200/0] via 10.1.2.2, 00:27:18
>>>>       7.0.0.0/32 is subnetted, 1 subnets
>>>> B        7.7.7.7 [200/0] via 10.1.2.2, 00:27:18
>>>>       100.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
>>>> C        100.1.20.0/24 is directly connected, FastEthernet4/0.2
>>>> L        100.1.20.1/32 is directly connected, FastEthernet4/0.2
>>>>
>>>>
>>>> trace ip
>>>>
>>>> Target IP address: 7.7.7.7
>>>> Source address: 1.1.1.1
>>>> Numeric display [n]: y
>>>> Timeout in seconds [3]:
>>>> Probe count [3]:
>>>> Minimum Time to Live [1]:
>>>> Maximum Time to Live [30]:
>>>> Port Number [33434]:
>>>> Loose, Strict, Record, Timestamp, Verbose[none]:
>>>> Type escape sequence to abort.
>>>> Tracing the route to 7.7.7.7
>>>>
>>>>   1 100.1.1.1 32 msec 8 msec 8 msec
>>>>   2 100.1.10.1 [AS 65001] [MPLS: Label 18 Exp 0] 12 msec 16 msec 4 msec
>>>>   3 100.1.10.2 [AS 65001] 12 msec 16 msec 12 msec
>>>>   4 192.168.1.1 [AS 65001] 16 msec 12 msec 8 msec
>>>>   5 192.168.2.2 [AS 65001] 16 msec 12 msec 16 msec
>>>>   6 100.1.20.1 [AS 65001] 12 msec 12 msec 12 msec
>>>>   7 10.1.23.2 [AS 65001] [MPLS: Label 27 Exp 0] 8 msec 8 msec 12 msec
>>>>   8 100.1.27.7 [AS 65001] 32 msec *  24 msec
>>>>
>>>>
>>>>
>>>>
>>>> PE01
>>>> ip vrf VPN-TO-Hub
>>>>  rd 100:300
>>>>  route-target import 100:300
>>>> ip vrf VPN-TO-Spoke
>>>>  rd 100:400
>>>>  route-target export 100:400
>>>> !Interfaces facing CEs
>>>> interface FastEthernet1/0
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.27.2 255.255.255.0
>>>>  speed auto
>>>>  duplex auto
>>>> interface FastEthernet2/0
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.1.1 255.255.255.0
>>>>  speed auto
>>>>  duplex auto
>>>> ip route vrf VPN-TO-Spoke 1.1.1.1 255.255.255.255 FastEthernet2/0 100.1.1.2
>>>> ip route vrf VPN-TO-Spoke 7.7.7.7 255.255.255.255 FastEthernet1/0 100.1.27.7
>>>> !
>>>> route-map INBOUND deny 200
>>>> !
>>>> router bgp 100
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 10.1.3.3 remote-as 100
>>>>  neighbor 10.1.3.3 update-source Loopback0
>>>>  no auto-summary
>>>>  !
>>>>  address-family vpnv4
>>>>   neighbor 10.1.3.3 activate
>>>>   neighbor 10.1.3.3 send-community extended
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   neighbor 100.1.1.2 remote-as 65000
>>>>   neighbor 100.1.1.2 activate
>>>>   neighbor 100.1.1.2 route-map INBOUND in
>>>>   neighbor 100.1.27.7 remote-as 65000
>>>>   neighbor 100.1.27.7 activate
>>>>   neighbor 100.1.27.7 route-map INBOUND in
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   redistribute static
>>>>  exit-address-family
>>>>
>>>>
>>>> PE02
>>>> ip vrf VPN-TO-Hub
>>>>  rd 100:300
>>>>  route-target export 100:300
>>>> ip vrf VPN-TO-Spoke
>>>>  rd 100:400
>>>>  route-target import 100:400
>>>>
>>>> interface FastEthernet4/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.10.1 255.255.255.0
>>>> interface FastEthernet4/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 100.1.20.1 255.255.255.0
>>>>
>>>> router bgp 100
>>>>  no synchronization
>>>>  bgp log-neighbor-changes
>>>>  neighbor 10.1.2.2 remote-as 100
>>>>  neighbor 10.1.2.2 update-source Loopback0
>>>>  no auto-summary
>>>>  !
>>>>  address-family vpnv4
>>>>   neighbor 10.1.2.2 activate
>>>>   neighbor 10.1.2.2 send-community extended
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   neighbor 100.1.10.2 remote-as 65001
>>>>   neighbor 100.1.10.2 activate
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   neighbor 100.1.20.2 remote-as 65001
>>>>   neighbor 100.1.20.2 activate
>>>>  exit-address-family
>>>>
>>>>
>>>>
>>>> CEHub (Vrf-lite)
>>>>
>>>> !To firewall
>>>> interface FastEthernet1/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 192.168.1.2 255.255.255.0
>>>> interface FastEthernet1/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 192.168.2.2 255.255.255.0
>>>>
>>>> !To PE
>>>> interface FastEthernet4/0.1
>>>>  encapsulation dot1Q 10
>>>>  ip vrf forwarding VPN-TO-Hub
>>>>  ip address 100.1.10.2 255.255.255.0
>>>> interface FastEthernet4/0.2
>>>>  encapsulation dot1Q 20
>>>>  ip vrf forwarding VPN-TO-Spoke
>>>>  ip address 100.1.20.2 255.255.255.0
>>>>
>>>> ip route vrf VPN-TO-Hub 0.0.0.0 0.0.0.0 192.168.1.1
>>>>
>>>> router bgp 65001
>>>>  no synchronization
>>>>  bgp router-id 4.4.4.4
>>>>  bgp log-neighbor-changes
>>>>  no auto-summary
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Hub
>>>>   no synchronization
>>>>   redistribute static
>>>>   neighbor 100.1.10.1 remote-as 100
>>>>   neighbor 100.1.10.1 activate
>>>>   default-information originate
>>>>  exit-address-family
>>>>  !
>>>>  address-family ipv4 vrf VPN-TO-Spoke
>>>>   no synchronization
>>>>   neighbor 100.1.20.1 remote-as 100
>>>>   neighbor 100.1.20.1 activate
>>>>
>>>>
>>>> BR,
>>>>
>>>> --
>>>> *Alberto*
>>>>
>>>>
>>>> Blogs and organic groups at http://www.ccie.net
>>>>
>>>> _______________________________________________________________________
>>>> Subscription information may be found at:
>>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>

-- 
Carlos G Mendioroz  <tron_at_huapi.ba.ar>  LW7 EQI  Argentina
Received on Fri Feb 03 2012 - 08:09:12 ART

This archive was generated by hypermail 2.2.0 : Thu Mar 01 2012 - 11:46:56 ART
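Carlos's two-RT suggestion above (spoke-originated and hub-originated route targets), modelled as an added example that is not code from the thread or from any of its posters. It is a small Python simulation of MP-BGP route-target import/export plus an audit that flags any spoke VRF holding a route to another spoke that is more specific than the hub's default. The VRF names SPOKE-CE01, SPOKE-CE07 and HUB, the one-VRF-per-spoke split, and the use of CEHub's static default next hop 192.168.1.1 as the hub route are assumptions; the RT values 100:300 and 100:400 and the CE addresses are taken from the posted configs. The second scenario keeps both CEs in one VRF on PE01, as the posted PE01 config does, to show that RTs only govern what crosses MP-BGP: two CE links that share a VRF on the same PE see each other through their connected routes regardless of import/export, which is the situation the half-duplex VRF feature mentioned by Marko and Carlos is meant to address.

```python
"""Route-target import/export model for a hub-and-spoke L3VPN.

Added example; not code from the thread. VRF names, the 'one VRF per spoke'
split and the hub default next hop are assumptions; RT values 100:300/100:400
and the CE addresses are taken from the posted configs.
"""
import ipaddress
from dataclasses import dataclass, field

HUB_RT = "100:300"    # hub-originated routes (the default toward the firewall)
SPOKE_RT = "100:400"  # spoke-originated routes


@dataclass
class Vrf:
    name: str
    import_rts: frozenset
    export_rts: frozenset
    local: dict                      # prefix -> next hop originated in this VRF
    table: dict = field(default_factory=dict)


def propagate(vrfs):
    """Simulate MP-BGP: each locally originated route carries the origin
    VRF's export RTs and is installed in every VRF importing one of them.
    Local (connected/static) routes are kept over imported BGP routes."""
    for v in vrfs:
        v.table = dict(v.local)
    for src in vrfs:
        for prefix, nh in src.local.items():
            for dst in vrfs:
                if dst is src or not (src.export_rts & dst.import_rts):
                    continue
                dst.table.setdefault(prefix, f"bgp:{src.name}:{nh}")
    return {v.name: v.table for v in vrfs}


def lookup(table, ip):
    """Longest-prefix match; returns (prefix, next_hop) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None


def spoke_to_spoke_leaks(vrfs, spokes):
    """Audit: the VRF serving one spoke must resolve every other spoke's
    address only via the hub default (0.0.0.0/0). spokes is a list of
    (vrf_name, spoke_address). Returns [(vrf, address, matching_prefix)]."""
    tables = {v.name: v.table for v in vrfs}
    leaks = []
    for vrf_a, host_a in spokes:
        for _, host_b in spokes:
            if host_b == host_a:
                continue
            hit = lookup(tables[vrf_a], host_b)
            if hit and hit[0] != "0.0.0.0/0":
                leaks.append((vrf_a, host_b, hit[0]))
    return leaks


def hub_vrf():
    # CEHub's VRF: exports only the firewall-facing default, imports every spoke
    return Vrf("HUB", frozenset({SPOKE_RT}), frozenset({HUB_RT}),
               {"0.0.0.0/0": "192.168.1.1"})


def two_rt_design():
    """Carlos's scheme with one VRF per spoke: spokes export SPOKE_RT and
    import only HUB_RT, so no spoke ever learns another spoke's prefix."""
    ce01 = Vrf("SPOKE-CE01", frozenset({HUB_RT}), frozenset({SPOKE_RT}),
               {"1.1.1.1/32": "100.1.1.2", "100.1.1.0/24": "connected"})
    ce07 = Vrf("SPOKE-CE07", frozenset({HUB_RT}), frozenset({SPOKE_RT}),
               {"7.7.7.7/32": "100.1.27.7", "100.1.27.0/24": "connected"})
    vrfs = [ce01, ce07, hub_vrf()]
    propagate(vrfs)
    return vrfs


def shared_vrf_variant():
    """Both CEs on one PE in one VRF, as on PE01 in the thread. RTs only govern
    what crosses MP-BGP; the connected /24s are local, so the two CE links
    reach each other directly regardless of import/export."""
    pe01 = Vrf("VPN-TO-Hub", frozenset({HUB_RT}), frozenset({SPOKE_RT}),
               {"100.1.1.0/24": "connected", "100.1.27.0/24": "connected"})
    vrfs = [pe01, hub_vrf()]
    propagate(vrfs)
    return vrfs


if __name__ == "__main__":
    good = two_rt_design()
    print(lookup(good[0].table, "7.7.7.7"))   # ('0.0.0.0/0', 'bgp:HUB:192.168.1.1')
    print(spoke_to_spoke_leaks(good, [("SPOKE-CE01", "1.1.1.1"),
                                      ("SPOKE-CE07", "7.7.7.7")]))   # []
    bad = shared_vrf_variant()
    print(spoke_to_spoke_leaks(bad, [("VPN-TO-Hub", "100.1.1.2"),
                                     ("VPN-TO-Hub", "100.1.27.7")]))  # two leaks
```

The audit is the check to keep: run it against the intended design and it returns an empty list, because each spoke VRF's only non-local route is the hub's 0.0.0.0/0, so spoke-to-spoke traffic has nowhere to go but CEHub and the firewall. Run it against the shared-VRF layout and it reports both CE link subnets, which is exactly the path that bypasses the firewall and that no RT policy can close.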