Advanced Topics
[Figure: VRF-A and VRF-B; VPN-A/B routes; CE-A and CE-B; VPN-A and VPN-B]
auto-export Example
Verifying the Results
user@PE# run show route table vpn-b
Hub-and-Spoke Topologies
Reduces the number of BGP sessions and LSPs required, but the cost is an extra CE router hop
•Spoke-to-spoke communications must transit hub site
Requires two VRF instances in the hub PE router
•Spoke VRF table contains routes received from spoke sites
•Hub VRF table contains routes received from the hub CE device
Requires two VRF interfaces at the hub CE/PE link
•Can be logical units on the same interface
Requires two route targets and possibly two route distinguishers when supporting route reflectors
Watch for AS path loop detection and OSPF domain ID problems
Issues might arise when hub PE router has locally connected spokes, or when multiple spoke sites attach to the same spoke PE router
© 2010 Juniper Networks, Inc. All rights reserved. www.juniper.net | 7
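The route-target arrangement described above can be checked mechanically. The following Python audit is an added example, not part of the original slides; the VRF names, roles and route-target values are constructed for illustration. It flags any spoke VRF that imports another spoke's routes directly, which would bypass the hub.

```python
from dataclasses import dataclass

# Constructed route-target values (not from the slides).
SPOKE_RT, HUB_RT = "target:65412:100", "target:65412:200"

@dataclass(frozen=True)
class Vrf:
    name: str
    role: str                       # "spoke", "hub-spoke" or "hub-hub"
    imports: frozenset = frozenset()
    exports: frozenset = frozenset()

def learns_from(vrfs):
    """Pairs (importer, exporter) where an import target matches an export target."""
    return {(a.name, b.name) for a in vrfs for b in vrfs
            if a is not b and a.imports & b.exports}

def spoke_leaks(vrfs):
    """Spoke VRFs that learn routes directly from another spoke VRF."""
    role = {v.name: v.role for v in vrfs}
    return sorted(p for p in learns_from(vrfs)
                  if role[p[0]] == "spoke" and role[p[1]] == "spoke")

def design(spoke2_imports):
    """Hypothetical four-VRF network; only spoke-2's import policy varies."""
    return [
        # Hub PE, spoke instance: imports the spoke target, exports nothing.
        Vrf("hub-pe/spoke", "hub-spoke", imports=frozenset({SPOKE_RT})),
        # Hub PE, hub instance: advertises hub CE routes with the hub target.
        Vrf("hub-pe/hub", "hub-hub", exports=frozenset({HUB_RT})),
        Vrf("pe1/spoke-1", "spoke", frozenset({HUB_RT}), frozenset({SPOKE_RT})),
        Vrf("pe2/spoke-2", "spoke", frozenset(spoke2_imports), frozenset({SPOKE_RT})),
    ]

GOOD = design({HUB_RT})
BAD = design({HUB_RT, SPOKE_RT})    # misconfiguration: spoke imports the spoke target

if __name__ == "__main__":
    for label, vrfs in (("good", GOOD), ("bad", BAD)):
        print(label, "spoke-to-spoke leaks:", spoke_leaks(vrfs))
```

In the correct design the only import relationships are spoke VRFs learning from the hub instance and the hub PE's spoke instance learning from the spokes, so all spoke-to-spoke traffic transits the hub site.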
[Figure: Hub CE; hub PE with spoke VRF (target: spoke) and hub VRF (target: hub); links ge-0/0/0.0 and ge-0/0/0.1]
Data Flow Between Spokes
[Figure: Hub CE; links ge-0/0/0.0 and ge-0/0/0.1; numbered data flow steps]
Sample Spoke Configuration (2 of 3)
Sample Hub Configuration (1 of 4)
Sample Hub Configuration (3 of 4)
The spoke instance imports routes from the remote spokes and sends them to the hub CE device:
routing-instances {
    . . .
    spoke {
        instance-type vrf;
        interface ge-0/0/0.0;
        route-distinguisher 192.168.24.1:1;
        vrf-import spoke-in;
        vrf-export null;
        protocols {
            bgp {
                group ext {
                    type external;
                    peer-as 65001;
                    as-override;
                    neighbor 10.0.29.2;
                }
            }
        }
    }
}
Hub-and-Spoke Troubleshooting
VPNs CoS Configuration Example
user@R1# show interfaces ge-1/0/0
unit 0 {
    family inet {
        filter {
            input test;
        }
        address 10.0.6.1/24;
. . .
user@R1# show firewall family inet
filter test {
    term 1 {
        from {
            protocol icmp;
        }
        then forwarding-class assured-forwarding;
    }
    term 2 {
        then accept;
    }
. . .
user@R1# show protocols mpls label-switched-path am
to 192.168.24.1;
class-of-service 4;
VPN Load Balancing/Prefix Mapping
VPN Prefix Mapping: Policy Example (2 of 2)
The map policy is applied to the main routing instance:
user@R1# show routing-options
autonomous-system 65412;
forwarding-table {
    export map;
}
PE-PE GRE Tunnel Configuration
Unnumbered GRE tunnel with family mpls
user@pe1# show interfaces gr-1/0/10
unit 0 {
    tunnel {
        source 192.168.8.1;
        destination 192.168.28.1;
    }
    family inet;
    family mpls;
}
user@pe1# show routing-options
rib inet.3 {
    static {
        route 192.168.28.1/32 next-hop gr-1/0/10.0;
    }
}
Private Addresses
IPsec and Layer 3 VPN Integration
[Figure: provider core with PE-1, PE-2 and P-n routers and CE routers; networks 172.20.0/24 and 172.20.4/24; IPsec tunnel between 10.0.29.1 and 10.0.29.2; legend: PE-CE traffic, CE-CE IPsec tunnel, CE-CE traffic]
The Junos OS supports IPsec/Layer 3 VPN integration
•IPsec tunnels terminate between the PE and CE routers
•CE-CE IPsec tunnels extend through PE routers
•IPsec tunnels can use manual or dynamic security associations
•PE and CE routers both require AS PIC or ES PIC
•PE-PE configuration requires no change, firewall filter-based classification not used