MPLS VPN Hub and Spoke


Sometimes a customer wants an MPLS VPN hub-and-spoke topology so that it can control traffic between spokes and to other resources such as the Internet (access restriction). The hub acts as the central transit point between spoke sites: spokes never exchange routes or traffic directly, so a firewall or access policy at the hub applies to all spoke-to-spoke traffic.

The MPLS VPN hub-and-spoke topology requires a special setup on the hub PE, as shown in the diagram. The hub site has two physical connections to PE-1 (S1/0 and S1/1), each in its own VRF: one link carries spoke routes to the hub (customer-a-from-spoke) and the other carries routes from the hub back to the spokes (customer-a-from-hub). Two VRFs are needed because, if a single VRF both imported the spoke route-targets and exported the hub route-target, PE-1 would re-export the spoke routes to the other spokes itself and spoke-to-spoke traffic would bypass the hub CE; with separate VRFs, the only way a spoke route can reach another spoke is through CE-1. On an Ethernet link the same thing can be done with one physical link and two logical interfaces, such as VLAN sub-interfaces.

(Diagram: MPLS VPN hub and spoke)

Special attention must be given when BGP is used as the PE-CE routing protocol. Spoke routes arrive at CE-1 with AS 100 already in the AS_PATH (PE-1 prepends it on the eBGP session), and CE-1 prepends its own AS 65000 when it re-advertises them over the from-hub link. PE-1 therefore sees its own AS in the path and, by default, denies the update. The BGP allowas-in feature must be enabled on PE-1's from-hub neighbor (CE-1) so that it accepts routes whose AS_PATH contains AS 100. Because allowas-in relaxes the AS_PATH loop check for that neighbor, apply it only to the from-hub session and cap the permitted occurrences (IOS accepts an optional count; allowas-in 1 is enough here, since AS 100 appears once in the paths CE-1 sends back). The from-spoke neighbor does not need it.

The verification snippets below were taken with and without BGP allowas-in configured in PE-1's customer-a-from-hub VRF. Without it, PE-1 denies the spoke routes re-advertised by CE-1 and each spoke sees only the hub's prefix; with it, each spoke learns the other spoke's prefix through the hub.

!!!! Without allowas-in: output of debug ip bgp updates in PE-1
!
*Aug 27 07:38:08.271: BGP(0): 10.10.20.2 rcv UPDATE w/ attr: nexthop 10.10.20.2, origin i, originator 0.0.0.0, merged path 65000 100 65002, AS_PATH 65000 100 65002, community , extended community , SSA attribute 
*Aug 27 07:38:08.275: BGPSSA ssacount is 0
*Aug 27 07:38:08.275: BGP(0): 10.10.20.2 rcv UPDATE about 192.168.30.0/24 -- DENIED due to: AS-PATH contains our own AS;
!
!!!! show ip route output of CE-2. Note: 192.168.30.0/24 is not installed in its routing table.
!
CE-2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.10.0/24 [20/0] via 10.20.20.1, 00:19:45
C    192.168.20.0/24 is directly connected, Loopback1
     10.0.0.0/30 is subnetted, 1 subnets
C       10.20.20.0 is directly connected, Serial1/0
!
!!!! show ip route output of CE-3. Note: 192.168.20.0/24 is not installed in its routing table.
!
CE-3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.30.0/24 is directly connected, Loopback1
B    192.168.10.0/24 [20/0] via 10.30.30.1, 00:11:37
     10.0.0.0/30 is subnetted, 1 subnets
C       10.30.30.0 is directly connected, FastEthernet0/0

!!!! With allowas-in: output of debug ip bgp updates in PE-1. The spoke routes are now accepted, installed in customer-a-from-hub and re-advertised to PE-2 and PE-3 with RT 1:1.
!
*Aug 27 07:54:21.147: BGP(0): 10.10.20.2 rcvd UPDATE w/ attr: nexthop 10.10.20.2, origin i, metric 0, merged path 65000, AS_PATH 65000
*Aug 27 07:54:21.155: BGP(0): 10.10.20.2 rcvd 192.168.10.0/24
*Aug 27 07:54:21.155: BGP: 10.10.20.2 Modifying prefix 192.168.10.0/24 from 0 -> 4 address...duplicate ignored
*Aug 27 07:54:21.155: BGP(0): 10.10.20.2 rcvd UPDATE w/ attr: nexthop 10.10.20.2, origin i, merged path 65000 100 65002, AS_PATH 65000 100 65002
*Aug 27 07:54:21.159: BGP(0): 10.10.20.2 rcvd 192.168.30.0/24
*Aug 27 07:54:21.159: BGP: 10.10.20.2 Modifying prefix 192.168.30.0/24 from 0 -> 4 address
*Aug 27 07:54:21.163: BGP(0): 10.10.20.2 rcvd UPDATE w/ attr: nexthop 10.10.20.2, origin i, merged path 65000 100 65001, AS_PATH 65000 100 65001
*Aug 27 07:54:21.167: BGP(0): 10.10.20.2 rcvd 192.168.20.0/24
*Aug 27 07:54:21.167: BGP: 10.10.20.2 Modifying prefix 192.168.20.0/24 from 0 -> 4 address
*Aug 27 07:54:21.167: BGP(4): Revise route installing 1 of 1 routes for 192.168.20.0/24 -> 10.10.20.2(customer-a-from-hub) to customer-a-from-hub IP table
*Aug 27 07:54:21.171: BGP(4): Revise route installing 1 of 1 routes for 192.168.30.0/24 -> 10.10.20.2(customer-a-from-hub) to customer-a-from-hub IP table
*Aug 27 07:54:21.179: BGP(4): (base) 2.2.2.2 send UPDATE (format) 1:1:192.168.20.0/24, next 1.1.1.1, label 19, metric 0, path 65000 100 65001, extended community RT:1:1
*Aug 27 07:54:21.183: BGP(4): (base) 2.2.2.2 send UPDATE (format) 1:1:192.168.30.0/24, next 1.1.1.1, label 20, metric 0, path 65000 100 65002, extended community RT:1:1
!
!!!! show ip route output of CE-2. Note: 192.168.30.0/24 now installed in its routing table.
!
CE-2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

B    192.168.30.0/24 [20/0] via 10.20.20.1, 00:00:42
B    192.168.10.0/24 [20/0] via 10.20.20.1, 00:26:03
C    192.168.20.0/24 is directly connected, Loopback1
     10.0.0.0/30 is subnetted, 1 subnets
C       10.20.20.0 is directly connected, Serial1/0
!
!!!! Take note of the AS path: 100 65000 100 65002. AS 100 appears twice because PE-1 accepted a path that already contained its own AS (allowas-in) and PE-2 prepended 100 again when advertising to CE-2.
!
CE-2#sh ip bgp 192.168.30.0
BGP routing table entry for 192.168.30.0/24, version 40
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  100 65000 100 65002
    10.20.20.1 from 10.20.20.1 (2.2.2.2)
      Origin IGP, localpref 100, valid, external, best
!
!!!! show ip route output of CE-3. Note: 192.168.20.0/24 now installed in its routing table.
!
CE-3#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

C    192.168.30.0/24 is directly connected, Loopback1
B    192.168.10.0/24 [20/0] via 10.30.30.1, 00:14:32
B    192.168.20.0/24 [20/0] via 10.30.30.1, 00:02:02
     10.0.0.0/30 is subnetted, 1 subnets
C       10.30.30.0 is directly connected, FastEthernet0/0
!
!!!! Take note of the AS path: 100 65000 100 65001. AS 100 appears twice because PE-1 accepted a path that already contained its own AS (allowas-in) and PE-3 prepended 100 again when advertising to CE-3.
!
CE-3#sh ip bgp 192.168.20.0
BGP routing table entry for 192.168.20.0/24, version 44
Paths: (1 available, best #1, table Default-IP-Routing-Table)
Flag: 0x820
  Not advertised to any peer
  100 65000 100 65001
    10.30.30.1 from 10.30.30.1 (3.3.3.3)
      Origin IGP, localpref 100, valid, external, best

In terms of route-target (RT) import and export policy, PE-1's customer-a-from-spoke VRF imports RTs 1:2 (CE-2) and 1:3 (CE-3) and exports nothing, while its customer-a-from-hub VRF exports RT 1:1 (CE-1) and imports nothing; PE-2 imports RT 1:1 and exports RT 1:2 (CE-2); PE-3 imports RT 1:1 and exports RT 1:3 (CE-3). Since no spoke PE imports another spoke's RT, the only path a spoke prefix can take to another spoke is via the hub CE, which is what enforces the access restriction.

One last thing to note: a hub-and-spoke topology does not require one VRF per spoke. All spoke routes land in the single customer-a-from-spoke VRF on the hub PE, and each spoke PE keeps its single customer-a VRF; only the hub PE needs two VRFs.
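The following Python model is an added example, not code from the original post. It ties together the two points above, the allowas-in requirement on the from-hub neighbor and the route-target policy, by simulating eBGP AS_PATH prepending, the receiver's own-AS loop check and RT import/export for exactly the topology on this page, and it reproduces the AS paths seen in the show ip bgp output (100 65000 100 65002 at CE-2, 100 65000 100 65001 at CE-3). It is a simplified model: no best-path selection, no RDs, one prefix per CE, and CE-1 re-advertises everything it holds, as an unfiltered CE-1 does.

```python
"""Model of BGP route propagation in the MPLS VPN hub-and-spoke on this page.

Added example, not from the original post. It simulates eBGP AS_PATH
prepending, the receiver's own-AS loop check (with and without allowas-in)
and route-target import/export for the topology above, and reproduces the
AS paths seen in the 'show ip bgp' output. Simplifications: no best-path
selection, no RDs, one prefix per CE, and CE-1 re-advertises every route it
holds, which is what an unfiltered CE-1 does.
"""

PROVIDER_AS = 100

# Topology from the page. CE name -> (CE AS, prefix, RT exported by its PE).
HUB = ("CE-1", 65000, "192.168.10.0/24")
SPOKES = {
    "CE-2": (65001, "192.168.20.0/24", "1:2"),  # PE-2 vrf customer-a
    "CE-3": (65002, "192.168.30.0/24", "1:3"),  # PE-3 vrf customer-a
}
SPOKE_IMPORT_RT = "1:1"                  # PE-2 and PE-3 import only the hub RT
HUB_FROM_SPOKE_IMPORTS = {"1:2", "1:3"}  # PE-1 vrf customer-a-from-spoke
HUB_FROM_HUB_EXPORT = "1:1"              # PE-1 vrf customer-a-from-hub


class LoopDetected(Exception):
    """Receiver's own AS is in AS_PATH more often than allowas-in permits."""


def accepts(local_as, as_path, allowas_in=0):
    """Own-AS loop check of an eBGP receiver.

    IOS denies a path containing the local AS ('DENIED due to: AS-PATH
    contains our own AS'); 'neighbor ... allowas-in N' tolerates up to N
    occurrences.
    """
    return as_path.count(local_as) <= allowas_in


def ebgp_receive(local_as, as_path, allowas_in=0):
    """Return the path unchanged if accepted, else raise LoopDetected."""
    if not accepts(local_as, as_path, allowas_in):
        raise LoopDetected(f"AS {local_as} in {as_path}")
    return as_path


def ebgp_advertise(local_as, as_path):
    """An eBGP speaker prepends its own AS when sending to another AS."""
    return (local_as,) + as_path


def simulate(allowas_in=0):
    """Return ({ce_name: {prefix: as_path}}, {prefix: path PE-1 denied}).

    allowas_in is the value configured on PE-1's from-hub neighbour (CE-1).
    """
    vpnv4 = []  # provider VPNv4 table: (prefix, as_path, export_rt)

    # 1. Each spoke CE announces its prefix; its PE accepts it and exports it
    #    into VPNv4 tagged with that spoke's RT (iBGP between PEs: no prepend).
    for ce_as, prefix, rt in SPOKES.values():
        vpnv4.append((prefix, ebgp_receive(PROVIDER_AS, (ce_as,)), rt))

    # 2. PE-1's customer-a-from-spoke VRF imports 1:2 and 1:3 and advertises
    #    them to CE-1 on the from-spoke link (eBGP: prepend 100).
    _, hub_as, hub_prefix = HUB
    ce1_table = {hub_prefix: ()}  # CE-1's own network, locally originated
    for prefix, path, rt in vpnv4:
        if rt in HUB_FROM_SPOKE_IMPORTS:
            ce1_table[prefix] = ebgp_receive(hub_as, ebgp_advertise(PROVIDER_AS, path))

    # 3. CE-1 re-announces its whole table on the from-hub link (prepend 65000).
    #    PE-1 now sees AS 100 inside the spoke routes: this is the step that
    #    needs allowas-in on the customer-a-from-hub neighbour.
    denied = {}
    for prefix, path in ce1_table.items():
        sent = ebgp_advertise(hub_as, path)
        if not accepts(PROVIDER_AS, sent, allowas_in):
            denied[prefix] = sent
            continue
        vpnv4.append((prefix, sent, HUB_FROM_HUB_EXPORT))

    # 4. PE-2 and PE-3 import only RT 1:1, so a spoke prefix reaches the other
    #    spoke only after passing through CE-1. Each spoke PE prepends 100; a
    #    spoke CE drops its own prefix coming back (its own AS is in the path).
    tables = {HUB[0]: dict(ce1_table)}
    for name, (ce_as, own_prefix, _rt) in SPOKES.items():
        table = {own_prefix: ()}
        for prefix, path, rt in vpnv4:
            if rt != SPOKE_IMPORT_RT:
                continue
            candidate = ebgp_advertise(PROVIDER_AS, path)
            if accepts(ce_as, candidate):
                table[prefix] = candidate
        tables[name] = table
    return tables, denied


if __name__ == "__main__":
    for n in (0, 1):
        tables, denied = simulate(allowas_in=n)
        print(f"PE-1 from-hub neighbour allowas-in {n}: denied {sorted(denied)}")
        for ce, table in tables.items():
            for prefix, path in sorted(table.items()):
                print(f"  {ce} {prefix:16} {' '.join(map(str, path)) or 'local'}")
```

Running it with allowas-in 0 reproduces the first debug snippet (PE-1 denies 192.168.20.0/24 and 192.168.30.0/24 from CE-1, so CE-2 and CE-3 see only 192.168.10.0/24); with allowas-in 1 every spoke learns the other spoke's prefix with AS 100 twice in the path, and a spoke's own prefix is dropped when it comes back from the hub because the spoke's own AS is in it. Changing HUB_FROM_SPOKE_IMPORTS or SPOKE_IMPORT_RT shows how a mis-typed route-target would let a spoke route bypass CE-1.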

Reachability verification. Note that the spoke-to-spoke traces from CE-2 and CE-3 go out to CE-1 on the from-hub link (hop 10.10.20.2) and come back in on PE-1's from-spoke interface (10.10.10.1) before crossing the core to the other spoke, whereas the hub-to-spoke traces from CE-1 go straight across the core:

CE-1(tcl)#foreach VAR {
+>192.168.20.1
+>192.168.30.1
+>} { puts [exec "traceroute $VAR source loop1"] }

Type escape sequence to abort.
Tracing the route to 192.168.20.1

  1 10.10.10.1 8 msec 8 msec 12 msec
  2 10.20.20.1 [MPLS: Label 18 Exp 0] 20 msec 20 msec 20 msec
  3 10.20.20.2 40 msec 24 msec 40 msec

Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 10.10.10.1 8 msec 12 msec 8 msec
  2 1.1.10.1 [MPLS: Labels 17/19 Exp 0] 36 msec 32 msec 44 msec
  3 10.30.30.1 [MPLS: Label 19 Exp 0] 32 msec 28 msec 32 msec
  4 10.30.30.2 40 msec 24 msec 36 msec

CE-1#tclsh
CE-1(tcl)#foreach VAR {
+>192.168.20.1
+>192.168.30.1
+>} { puts [exec "ping $VAR source loop1"] }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/36/40 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/46/60 ms

CE-2(tcl)#foreach VAR {
+>192.168.10.1
+>192.168.30.1
+>} { puts [exec "traceroute $VAR source loop1"] }

Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 10.20.20.1 8 msec 20 msec 12 msec
  2 10.10.20.1 [MPLS: Label 19 Exp 0] 40 msec 28 msec 40 msec
  3 10.10.20.2 40 msec 36 msec 32 msec

Type escape sequence to abort.
Tracing the route to 192.168.30.1

  1 10.20.20.1 8 msec 12 msec 8 msec
  2 10.10.20.1 [MPLS: Label 22 Exp 0] 44 msec 20 msec 40 msec
  3 10.10.20.2 40 msec 40 msec 40 msec
  4 10.10.10.1 40 msec 24 msec 36 msec
  5 1.1.10.1 [MPLS: Labels 17/19 Exp 0] 60 msec 80 msec 80 msec
  6 10.30.30.1 [MPLS: Label 19 Exp 0] 88 msec 76 msec 76 msec
  7 10.30.30.2 84 msec 92 msec 100 msec

CE-2(tcl)#foreach VAR {
+>192.168.10.1
+>192.168.30.1
+>} { puts [exec "ping $VAR source loop1"] }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/26/36 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.20.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/69/80 ms

CE-3#tclsh
CE-3(tcl)#foreach VAR {
+>192.168.10.1
+>192.168.20.1
+>} { puts [exec "ping $VAR source loop1"] }

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 48/49/52 ms

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.20.1, timeout is 2 seconds:
Packet sent with a source address of 192.168.30.1 
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/76/92 ms

CE-3(tcl)#foreach VAR {
+>192.168.10.1
+>192.168.20.1
+>} { puts [exec "traceroute $VAR source loop1"] }

Type escape sequence to abort.
Tracing the route to 192.168.10.1

  1 10.30.30.1 20 msec 20 msec 8 msec
  2 1.1.10.2 [MPLS: Labels 16/19 Exp 0] 40 msec 40 msec 40 msec
  3 10.10.20.1 [MPLS: Label 19 Exp 0] 24 msec 36 msec 40 msec
  4 10.10.20.2 40 msec 40 msec 60 msec

Type escape sequence to abort.
Tracing the route to 192.168.20.1

  1 10.30.30.1 12 msec 16 msec 20 msec
  2 1.1.10.2 [MPLS: Labels 16/21 Exp 0] 64 msec 72 msec 60 msec
  3 10.10.20.1 [MPLS: Label 21 Exp 0] 80 msec 56 msec 72 msec
  4 10.10.20.2 76 msec 76 msec 84 msec
  5 10.10.10.1 76 msec 60 msec 60 msec
  6 10.20.20.1 [MPLS: Label 18 Exp 0] 100 msec 108 msec 96 msec
  7 10.20.20.2 140 msec 136 msec 144 msec

Final configuration with BGP allowas-in:

hostname PE-1
!
ip vrf customer-a-from-hub
 rd 1:1
 route-target export 1:1
!
ip vrf customer-a-from-spoke
 rd 1:11
 route-target import 1:2
 route-target import 1:3
!
ip cef
!
interface Loopback1
 ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 1.1.10.0 255.255.255.254
 duplex auto
 speed auto
 mpls ip
!
interface Serial1/0
 ip vrf forwarding customer-a-from-spoke
 ip address 10.10.10.1 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 ip vrf forwarding customer-a-from-hub
 ip address 10.10.20.1 255.255.255.252
 serial restart-delay 0
!
interface Serial1/2
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial1/3
 no ip address
 shutdown
 serial restart-delay 0
!
!
router eigrp 100
 network 1.1.1.1 0.0.0.0
 network 1.1.10.0 0.0.0.0
 eigrp router-id 1.1.1.1
!
router bgp 100
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback1
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community both
 exit-address-family
 !
 address-family ipv4 vrf customer-a-from-hub
  neighbor 10.10.20.2 remote-as 65000
  neighbor 10.10.20.2 update-source Serial1/1
  neighbor 10.10.20.2 activate
  neighbor 10.10.20.2 as-override
  neighbor 10.10.20.2 allowas-in
 exit-address-family
 !
 address-family ipv4 vrf customer-a-from-spoke
  neighbor 10.10.10.2 remote-as 65000
  neighbor 10.10.10.2 update-source Serial1/0
  neighbor 10.10.10.2 activate
 exit-address-family
!
mpls ldp router-id Loopback1 force

hostname PE-2
!
ip vrf customer-a
 rd 1:2
 route-target export 1:2
 route-target import 1:1
!
ip cef
!
interface Loopback1
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 1.1.10.2 255.255.255.254
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 ip address 1.1.10.1 255.255.255.254
 duplex auto
 speed auto
 mpls ip
!
interface Serial1/0
 ip vrf forwarding customer-a
 ip address 10.20.20.1 255.255.255.252
 serial restart-delay 0
!
router eigrp 100
 network 1.1.10.1 0.0.0.0
 network 1.1.10.2 0.0.0.0
 network 2.2.2.2 0.0.0.0
 eigrp router-id 2.2.2.2
!
router bgp 100
 bgp router-id 2.2.2.2
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor PEER-GROUP1 peer-group
 neighbor PEER-GROUP1 remote-as 100
 neighbor PEER-GROUP1 update-source Loopback1
 neighbor 1.1.1.1 peer-group PEER-GROUP1
 neighbor 3.3.3.3 peer-group PEER-GROUP1
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor PEER-GROUP1 send-community both
  neighbor 1.1.1.1 activate
  neighbor 3.3.3.3 activate
 exit-address-family
 !
 address-family ipv4 vrf customer-a
  neighbor 10.20.20.2 remote-as 65001
  neighbor 10.20.20.2 update-source Serial1/0
  neighbor 10.20.20.2 activate
 exit-address-family
!
mpls ldp router-id Loopback1 force

hostname PE-3
!
ip vrf customer-a
 rd 1:3
 route-target export 1:3
 route-target import 1:1
!
ip cef
!
interface Loopback1
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip vrf forwarding customer-a
 ip address 10.30.30.1 255.255.255.252
 duplex full
 speed 100
!
interface FastEthernet0/1
 ip address 1.1.10.3 255.255.255.254
 duplex auto
 speed auto
 mpls ip
!
router eigrp 100
 network 1.1.10.3 0.0.0.0
 network 3.3.3.3 0.0.0.0
 eigrp router-id 3.3.3.3
!
router bgp 100
 bgp router-id 3.3.3.3
 bgp log-neighbor-changes
 no bgp default ipv4-unicast
 neighbor 1.1.1.1 remote-as 100
 neighbor 1.1.1.1 update-source Loopback1
 neighbor 2.2.2.2 remote-as 100
 neighbor 2.2.2.2 update-source Loopback1
 !
 address-family ipv4
 exit-address-family
 !
 address-family vpnv4
  neighbor 1.1.1.1 activate
  neighbor 1.1.1.1 send-community extended
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf customer-a
  neighbor 10.30.30.2 remote-as 65002
  neighbor 10.30.30.2 update-source FastEthernet0/0
  neighbor 10.30.30.2 activate
 exit-address-family
!
mpls ldp router-id Loopback1 force

hostname CE-1
!
ip cef
!
interface Loopback1
 ip address 192.168.10.1 255.255.255.0
!
interface Serial1/0
 ip address 10.10.10.2 255.255.255.252
 serial restart-delay 0
!
interface Serial1/1
 ip address 10.10.20.2 255.255.255.252
 serial restart-delay 0
!
router bgp 65000
 no synchronization
 bgp log-neighbor-changes
 network 192.168.10.0
 neighbor 10.10.10.1 remote-as 100
 neighbor 10.10.10.1 update-source Serial1/0
 neighbor 10.10.20.1 remote-as 100
 neighbor 10.10.20.1 update-source Serial1/1
 no auto-summary

hostname CE-2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
!

interface Loopback1
 ip address 192.168.20.1 255.255.255.0
!
interface Serial1/0
 ip address 10.20.20.2 255.255.255.252
 serial restart-delay 0
!
router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 network 192.168.20.0
 neighbor 10.20.20.1 remote-as 100
 neighbor 10.20.20.1 update-source Serial1/0
 no auto-summary

hostname CE-3
!
ip cef
!
interface Loopback1
 ip address 192.168.30.1 255.255.255.0
!
interface FastEthernet0/0
 ip address 10.30.30.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 192.168.30.0
 neighbor 10.30.30.1 remote-as 100
 neighbor 10.30.30.1 update-source FastEthernet0/0
 no auto-summary
