MPLS-Branch to Branch connectivity

Answered Question
Jun 9th, 2009

Dear All,

I have a Head office and Branch offices connected using MPLS VPN. It is not fully meshed; it is a Hub & Spoke topology.

Now I am able to communicate between the Branch offices and the Head office.

But I want communication between Branch offices through the Head office (not a direct connection between Branch offices). I want to configure ACLs on the Head office CE Router to block/allow some traffic between Branch offices.

I am aware that in a point-to-point Hub & Spoke topology it is possible. But in MPLS, how does it have to be done? The reason for raising this point is that when traffic is destined from the Branch-1 CE Router to the Branch-2 CE Router, it gets routed in the PE-3 Router itself and not via the Head Office CE Router.

Then how to achieve this? Please help.

RBK

Laurent Aubert Tue, 06/09/2009 - 06:38

Hi RBK,

To deploy a Hub & Spoke VPN, you need two different RTs. One (RT1) will be used by PE-3 to export the Hub prefixes and an aggregate route of spoke prefixes (or a default route).

The other RT (RT2) will be used by the remote PE to export the spoke prefixes.

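So your PE configuration should look like:

PE-3:

! RT1 and RT2 are placeholders for the real route-target values
ip vrf customer
 route-target import RT2
 route-target export RT1
!

PE-1 and PE-2:

ip vrf customer
 route-target import RT1
 route-target export RT2
!

PE-1 and PE-2 import only routes exported by PE-3.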

This way, all your spoke-to-spoke traffic will go through your HUB CE.

If you have several spokes connected to the same PE, you will need one VRF per spoke to avoid local switching.

HTH

Laurent.
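
The reply above, as an added example that is not part of the original thread and is not Cisco code: a small Python model of the RT import/export rule that lists spoke pairs whose traffic would be delivered without crossing the hub CE, where the head-office ACLs sit. It covers the two-RT design and the shared-VRF case the reply warns about. The prefixes, the site names HQ/BR1/BR2 and all function names are assumptions, and the hub is modelled as a single VRF that exports a default route.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Vrf:
    pe: str        # PE router holding this VRF
    imports: set   # route-targets imported
    exports: set   # route-targets attached to exported routes
    local: dict    # prefix -> CE site that advertised it into this VRF

def vrf_table(v, vrfs):
    """Routes visible in VRF v: its own CE routes plus RT-matched imports."""
    rib = dict(v.local)
    for other in vrfs:
        if other is not v and other.exports & v.imports:
            for prefix, site in other.local.items():
                rib.setdefault(prefix, site)
    return rib

def next_site(rib, dst_ip):
    """Longest-prefix match; returns the site the packet is forwarded toward."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), s) for p, s in rib.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def hub_bypasses(vrfs, hub="HQ"):
    """Spoke pairs (src, dst) whose traffic is delivered without crossing the hub CE."""
    spokes = {p: s for v in vrfs for p, s in v.local.items() if s != hub}
    found = set()
    for v in vrfs:
        rib = vrf_table(v, vrfs)
        for src in set(v.local.values()) - {hub}:
            for prefix, dst in spokes.items():
                host = str(ipaddress.ip_network(prefix)[1])
                if dst != src and next_site(rib, host) not in (hub, None):
                    found.add((src, dst))
    return sorted(found)

# Constructed sample topology (addresses and site names are illustrative).
HUB = Vrf("PE-3", {"RT2"}, {"RT1"}, {"10.0.0.0/24": "HQ", "0.0.0.0/0": "HQ"})
two_rt = [HUB, Vrf("PE-1", {"RT1"}, {"RT2"}, {"10.1.0.0/24": "BR1"}),
          Vrf("PE-2", {"RT1"}, {"RT2"}, {"10.2.0.0/24": "BR2"})]
# Two spokes sharing one VRF on PE-1: local switching skips the hub.
shared = [HUB, Vrf("PE-1", {"RT1"}, {"RT2"},
                   {"10.1.0.0/24": "BR1", "10.2.0.0/24": "BR2"})]

if __name__ == "__main__":
    print("two RTs:", hub_bypasses(two_rt))
    print("shared VRF:", hub_bypasses(shared))
```

An empty result means every spoke-to-spoke flow resolves to the hub site first; any pair listed is a path the hub CE ACLs never see.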

hclisschennai Tue, 06/09/2009 - 07:58

Hi Laurent,

Your reply is helpful to understand the logic. I appreciate it.

But still I am not clear on a basic concept. That is, if the traffic is sent from the BRANCH-1 CE destined to the BRANCH-2 CE, won't it be routed in PE-3 itself, bypassing the HEAD OFFICE CE?

RBK

Correct Answer
Laurent Aubert Tue, 06/09/2009 - 08:48

It won't because the traffic is MPLS switched up to the CE.

The PE will have a CEF entry with an outgoing interface associated to the VPN label, so there is no lookup in the VRF routing table.

HTH

Laurent.
