MPLS-Branch to Branch connectivity

Answered Question
Jun 9th, 2009

Dear All,


I have a head office and branch offices connected using MPLS VPN. It is not fully meshed; it is a hub-and-spoke topology.

Now I am able to communicate between the branch offices and the head office.

But I want communication between branch offices through the head office (not a direct connection between branch offices). I want to configure ACLs on the head office CE router to block/allow some traffic between branch offices.

I am aware that in a point-to-point hub-and-spoke topology this is possible. But how should it be done in MPLS? The reason for raising this point is that when traffic is destined from the Branch-1 CE router to the Branch-2 CE router, it gets routed in the PE-3 router itself and not via the head office CE router.

So how can this be achieved? Please help.


RBK

Overall Rating: 5 (2 ratings)
Laurent Aubert (Cisco Employee) Tue, 06/09/2009 - 06:38

Hi RBK,


To deploy a Hub&Spoke VPN, you need two different RTs. One (RT1) will be used by PE-3 to export the Hub prefixes and an aggregate route of spoke prefixes (or a default-route).


The other RT (RT2) will be used by the remote PE to export the spoke prefixes.


So your PE configuration should look like:


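PE-3:

ip vrf customer
 ! import spoke routes (RT2), export hub routes (RT1)
 route-target import RT2
 route-target export RT1
!

PE-1 and PE-2:

ip vrf customer
 ! import hub routes (RT1), export spoke routes (RT2)
 route-target import RT1
 route-target export RT2
!

PE-1 and PE-2 import only the routes exported by PE-3.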


This way, all your spoke-to-spoke traffic will go through your HUB CE.


If you have several spokes connected to the same PE, you will need one VRF per spoke to avoid local switching.


HTH


Laurent.
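
The route-target import/export logic from the answer above, modelled as an added Python example (not part of the original post and not Cisco tooling): it computes which CE receives a packet under the two-RT design and under the shared-VRF case the answer warns about. The prefixes, CE names and the `Vrf`, `rib` and `delivered_to` helpers are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Vrf:
    pe: str        # PE router holding this VRF
    imports: set   # route-targets this VRF imports
    exports: set   # route-targets attached to its exported routes
    local: dict    # prefix -> directly attached CE (hypothetical names)

def rib(vrf, vrfs):
    """Local prefixes plus remote routes whose export RT is imported here."""
    table = dict(vrf.local)
    for other in vrfs:
        if other is not vrf and other.exports & vrf.imports:
            for prefix, ce in other.local.items():
                table.setdefault(prefix, ce)
    return table

def delivered_to(vrf, vrfs, dst):
    """CE that receives a packet entering `vrf`: longest-prefix match on the
    ingress PE only, since the egress PE label-switches straight to its CE."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), ce) for p, ce in rib(vrf, vrfs).items()
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

# Constructed topology: hub exports its LAN and a default route with RT1.
hub = Vrf("PE-3", {"RT2"}, {"RT1"},
          {"10.0.0.0/24": "HQ-CE", "0.0.0.0/0": "HQ-CE"})
br1 = Vrf("PE-1", {"RT1"}, {"RT2"}, {"10.1.0.0/24": "BR1-CE"})
br2 = Vrf("PE-2", {"RT1"}, {"RT2"}, {"10.2.0.0/24": "BR2-CE"})
design = [hub, br1, br2]

# Caveat case: two spokes sharing one VRF on the same PE (local switching).
shared = Vrf("PE-1", {"RT1"}, {"RT2"},
             {"10.1.0.0/24": "BR1-CE", "10.2.0.0/24": "BR2-CE"})
# Remedy from the answer: one VRF per spoke on that PE.
split1 = Vrf("PE-1", {"RT1"}, {"RT2"}, {"10.1.0.0/24": "BR1-CE"})
split2 = Vrf("PE-1", {"RT1"}, {"RT2"}, {"10.2.0.0/24": "BR2-CE"})

if __name__ == "__main__":
    print("two-RT design  :", delivered_to(br1, design, "10.2.0.5"))
    print("hub forwards to:", delivered_to(hub, design, "10.2.0.5"))
    print("shared VRF     :", delivered_to(shared, [hub, shared], "10.2.0.5"))
    print("VRF per spoke  :", delivered_to(split1, [hub, split1, split2], "10.2.0.5"))
```

In the shared-VRF case the packet reaches the other branch without ever passing the head office CE, so ACLs placed there would not see it.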

hclisschennai Tue, 06/09/2009 - 07:58

Hi Laurent,


Your reply is helpful to understand the logic. I appreciate it.

But I am still not clear on a basic concept. That is, if the traffic is sent from BRANCH-1 CE destined to BRANCH-2 CE, won't it be routed in PE-3 itself, bypassing HEAD OFFICE CE?


RBK


Correct Answer
Laurent Aubert (Cisco Employee) Tue, 06/09/2009 - 08:48

It won't because the traffic is MPLS switched up to the CE.


The PE will have a CEF entry with an outgoing interface associated to the VPN label so there is no lookup in the VRF routing table.


HTH


Laurent.
