Case Study 2: Hub-and-Spoke VPN Configuration


In the example of the Layer 3 VPN hub-and-spoke configuration displayed in Figure 13-12, there are three PE routers and three CE routers. With both sets of routers, there will be one hub and two spokes. PE router Chicago will be configured as the PE hub, while Rome and New York will be configured as PE spokes. Seattle will be the CE hub, while Singapore and Berlin will be the CE spokes. The configurations for the routers are listed following the explanation below:

  1. The routing-instance associated with interface at-1/2/1.100 on the PE hub router Chicago will be used to send routes to the CE hub router Seattle, while the other routing-instance associated with interface at-1/2/1.102 will be used to receive routes.

  2. With this hub-and-spoke configuration, CE router Singapore will announce its routes to PE spoke router Rome.

  3. Rome will then install the learned routes into the VRF for the VPN.

  4. Rome's export policy To-Spoke will be examined, and the community SPOKE will be added to all matching routes. These routes are then announced to PE hub router Chicago.

  5. Chicago's import policy is configured to accept any routes with the community set to SPOKE and install them into the bgp.l3vpn.0 routing table. In the bgp.l3vpn.0 routing table, the routes are listed with the RD.

  6. Before these routes are removed for forwarding to the CE hub, they are checked against the VRF import policy, and the routes will be installed into the VRF for the VPN.

  7. From the VPN's VRF, the routes will be sent to the CE hub. For the configuration shown, this announcement will take place over the at-1/2/1.100 interface.

  8. Once CE hub router Seattle receives the routes, they will be announced from Seattle back to PE hub router Chicago. This information will be sent on the at-1/2/1.102 interface. Now, the policy-statement To-Hub will be applied.

  9. The matching routes will be installed into the VRF "CE-Routes-To-Spokes." From this VRF, the export policy will be applied and the routes will be forwarded to all of the other PE spokes in the network with the community HUB added.
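
The steps above depend on each VRF importing only the route target it is meant to see, so a spoke never learns another spoke's routes except through the hub. The following check is an added example, not taken from the book: it reduces the vrf-import and vrf-export policies in the configurations that follow to sets of route targets (the dictionary model, role labels and function names are assumptions of the example) and reports any spoke-to-spoke import or any spoke cut off from the hub.

```python
# Route targets from the page's policy-options (community HUB / SPOKE).
HUB, SPOKE = "target:64512:01", "target:64512:02"

# Each VRF reduced to the targets its vrf-export policy adds and the targets
# its vrf-import policy accepts (policy REJECT = empty set). Values are
# transcribed from the page's configurations; the flat model is an assumption.
VRFS = {
    "Chicago/CE-Hub-Routes-to-Spokes": {"role": "hub", "export": {HUB}, "import": set()},
    "Chicago/Spoke-Routes-to-CE-Hub": {"role": "hub", "export": set(), "import": {SPOKE}},
    "Rome/PE-Spoke-Rome-to-PE-Hub": {"role": "spoke", "export": {SPOKE}, "import": {HUB}},
    "NewYork/PE-Spoke-NewYork-to-PE-Hub": {"role": "spoke", "export": {SPOKE}, "import": {HUB}},
}

def import_edges(vrfs):
    """Return (exporter, importer) pairs where an exported target is imported."""
    return sorted(
        (src, dst)
        for src, s in vrfs.items()
        for dst, d in vrfs.items()
        if src != dst and s["export"] & d["import"]
    )

def spoke_leaks(vrfs):
    """Edges where one spoke VRF imports another spoke's routes directly."""
    return [(s, d) for s, d in import_edges(vrfs)
            if vrfs[s]["role"] == "spoke" and vrfs[d]["role"] == "spoke"]

def unreachable_spokes(vrfs):
    """Spoke VRFs that import nothing from any hub VRF (no return path)."""
    fed = {d for s, d in import_edges(vrfs) if vrfs[s]["role"] == "hub"}
    return sorted(n for n, v in vrfs.items()
                  if v["role"] == "spoke" and n not in fed)

if __name__ == "__main__":
    for src, dst in import_edges(VRFS):
        print(f"{src} -> {dst}")
    print("spoke-to-spoke leaks:", spoke_leaks(VRFS))
    print("spokes with no hub routes:", unreachable_spokes(VRFS))
```

Run against a changed policy set (for example, a spoke whose import policy also accepts the SPOKE community), `spoke_leaks` returns the offending exporter and importer pair.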

Figure 13-12. Case Study 2


Note

When using BGP as the protocol between the CE hub and PE hub, BGP should be configured to accept routes with its own ASN listed more than once in the AS path list.


    [edit routing-options]
    set autonomous-system <as-number> loops <number of loops from 0-10>

The following examples show working Layer 3 VPN configurations on Juniper Networks routers. Each section is labeled with the router name and displays the configuration for the routers listed in Figure 13-12.

PE Hub Router Chicago

The following output is the configuration used by PE router Chicago in Case Study 2. This router will be used as the PE hub and exchange routing information with the other two PE routers. Chicago's configuration is displayed below:

    interfaces {
        fe-1/0/3 {
            unit 0 {
                family inet {
                    address 10.0.8.1/24;
                }
                family mpls;
            }
        }
        at-1/2/1 {
            atm-options {
                vpi 0 maximum-vcs 200;
            }
            unit 100 {
                vci 0.100;
                family inet {
                    address 10.0.0.2/24;
                }
                family mpls;
            }
            unit 102 {
                vci 0.102;
                family inet {
                    address 172.16.1.1/24;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.5.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.5.1;
        autonomous-system 100;
    }
    protocols {
        mpls {
            interface at-1/2/1.100;
            interface at-1/2/1.102;
            interface fe-1/0/3.0;
            interface at-1/2/0.100;
        }
        bgp {
            local-address 192.168.5.1;
            family inet-vpn {
                unicast;
            }
            group VPN-PE-Routers {
                type internal;
                neighbor 192.168.12.1;
                neighbor 192.168.2.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface at-1/2/0.100;
                interface fe-1/0/3.0;
                interface lo0.0;
            }
        }
        ldp {
            interface fe-1/0/3.0;
            interface at-1/2/0.100;
        }
    }
    policy-options {
        policy-statement REJECT {
            then reject;
        }
        policy-statement HUB {
            term A {
                from protocol ospf;
                then {
                    community add HUB;
                    accept;
                }
            }
            term B {
                then reject;
            }
        }
        policy-statement SPOKE {
            term A {
                from {
                    protocol bgp;
                    community SPOKE;
                }
                then accept;
            }
            term B {
                then reject;
            }
        }
        policy-statement SEND-VPN {
            term A {
                from protocol bgp;
                then accept;
            }
            term B {
                then reject;
            }
        }
        community HUB members target:64512:01;
        community SPOKE members target:64512:02;
    }
    routing-instances {
        CE-Hub-Routes-to-Spokes {
            instance-type vrf;
            interface at-1/2/1.102;
            route-distinguisher 192.168.5.1:64512;
            vrf-import REJECT;
            vrf-export HUB;
            protocols {
                ospf {
                    export SEND-VPN;
                    area 0.0.0.0 {
                        interface at-1/2/1.102;
                    }
                }
            }
        }
        Spoke-Routes-to-CE-Hub {
            instance-type vrf;
            interface at-1/2/1.100;
            route-distinguisher 192.168.5.1:64512;
            vrf-import SPOKE;
            vrf-export REJECT;
            protocols {
                ospf {
                    export SEND-VPN;
                    area 0.0.0.0 {
                        interface at-1/2/1.100;
                    }
                }
            }
        }
    }

PE Spoke Router Rome

The Rome router is being used in Case Study 2 as a PE spoke. The configuration is displayed below:

    interfaces {
        fe-1/0/3 {
            unit 0 {
                family inet {
                    address 10.0.8.2/24;
                }
                family mpls;
            }
        }
        ge-1/2/0 {
            unit 0 {
                family inet {
                    address 10.0.13.2/24;
                }
                family mpls;
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.12.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.12.1;
        autonomous-system 100;
    }
    protocols {
        mpls {
            interface fe-1/0/3.0;
            interface ge-1/2/0.0;
        }
        bgp {
            local-address 192.168.12.1;
            family inet-vpn {
                unicast;
            }
            group VPN-PE-Routers {
                type internal;
                neighbor 192.168.5.1;
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface fe-1/0/3.0;
                interface lo0.0;
            }
        }
        ldp {
            interface fe-1/0/3.0;
        }
    }
    policy-options {
        policy-statement To-Hub {
            term A {
                from {
                    protocol bgp;
                    community HUB;
                }
                then accept;
            }
            term B {
                then reject;
            }
        }
        policy-statement To-Spoke {
            term A {
                from protocol ospf;
                then {
                    community add SPOKE;
                    accept;
                }
            }
            term B {
                then reject;
            }
        }
        policy-statement SEND-VPN {
            term A {
                from protocol bgp;
                then accept;
            }
            term B {
                then reject;
            }
        }
        community HUB members target:64512:01;
        community SPOKE members target:64512:02;
    }
    routing-instances {
        PE-Spoke-Rome-to-PE-Hub {
            instance-type vrf;
            interface ge-1/2/0.0;
            route-distinguisher 192.168.12.1:64512;
            vrf-import To-Hub;
            vrf-export To-Spoke;
            protocols {
                ospf {
                    export SEND-VPN;
                    area 0.0.0.0 {
                        interface ge-1/2/0.0;
                    }
                }
            }
        }
    }

PE Spoke Router New York

PE spoke router New York is one of the two PE spokes that exchange routing information with PE hub Chicago. New York's configuration is displayed below:

    interfaces {
        so-0/1/0 {
            unit 0 {
                family inet {
                    address 10.0.24.1/24;
                }
                family mpls;
            }
        }
        at-6/2/0 {
            atm-options {
                vpi 0 maximum-vcs 200;
            }
            unit 100 {
                vci 0.100;
                family inet {
                    address 10.0.2.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.2.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.2.1;
        autonomous-system 100;
    }
    protocols {
        mpls {
            interface at-6/2/0.100;
            interface so-0/1/0.0;
        }
        bgp {
            local-address 192.168.2.1;
            group VPN-PE-Routers {
                type internal;
                neighbor 192.168.5.1 {
                    family inet-vpn {
                        unicast;
                    }
                }
            }
        }
        ospf {
            traffic-engineering;
            area 0.0.0.0 {
                interface at-6/2/0.100;
                interface lo0.0;
            }
        }
        ldp {
            interface at-6/2/0.100;
        }
    }
    policy-options {
        policy-statement To-Hub {
            term A {
                from {
                    protocol bgp;
                    community HUB;
                }
                then accept;
            }
            term B {
                then reject;
            }
        }
        policy-statement To-Spoke {
            term A {
                from protocol ospf;
                then {
                    community add SPOKE;
                    accept;
                }
            }
            term B {
                then reject;
            }
        }
        policy-statement SEND-VPN {
            term A {
                from protocol bgp;
                then accept;
            }
            term B {
                then reject;
            }
        }
        community HUB members target:64512:01;
        community SPOKE members target:64512:02;
    }
    routing-instances {
        PE-Spoke-NewYork-to-PE-Hub {
            instance-type vrf;
            interface so-0/1/0.0;
            route-distinguisher 192.168.2.1:64512;
            vrf-import To-Hub;
            vrf-export To-Spoke;
            protocols {
                ospf {
                    export SEND-VPN;
                    area 0.0.0.0 {
                        interface so-0/1/0.0;
                    }
                }
            }
        }
    }

CE Hub Router Seattle

CE hub router Seattle uses the router configuration displayed below. This router will serve as a hub router for the other two CE routers, Berlin and Singapore.

    interfaces {
        at-1/2/0 {
            atm-options {
                vpi 0 maximum-vcs 200;
            }
            unit 100 {
                vci 0.100;
                family inet {
                    address 10.0.0.1/24;
                }
            }
            unit 102 {
                vci 0.102;
                family inet {
                    address 172.16.1.2/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.0.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.0.1;
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }

CE Spoke Router Singapore

The configuration of the CE spoke router Singapore is displayed below:

    interfaces {
        ge-1/1/1 {
            unit 0 {
                family inet {
                    address 10.0.13.1/24;
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.8.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.8.1;
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }

CE Spoke Router Berlin

The configuration for the CE spoke router Berlin is displayed below:

    interfaces {
        so-1/1/0 {
            unit 0 {
                family inet {
                }
            }
        }
        lo0 {
            unit 0 {
                family inet {
                    address 192.168.24.1/32;
                }
            }
        }
    }
    routing-options {
        router-id 192.168.24.1;
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }


Juniper Networks Reference Guide. JUNOS Routing, Configuration, and Architecture
ISBN: 0201775921
Year: 2002
Pages: 176
