Configure Routing Instances for VPNs on the Hub-and-Spoke PE Routers
For the hub PE router to be able to distinguish between packets going to and coming from the spoke PE routers, you must configure it with two routing instances:
- One routing instance (in this example,
Spokes-to-Hub-CE) is associated with the interface that carries packets from the hub PE router to the hub CE router (in this example, interfacege-0/0/0.0). Its VRF table contains the routes being announced by the spoke PE routers and the hub PE router to the hub CE router.- The second routing instance (in this example,
Hub-CE-to-Spokes) is associated with the interface that carries packets from the hub CE router to the hub PE router (in this example, interfacege-0/0/1.0). Its VRF table contains the routes being announced from the hub CE router to the hub-and-spoke PE routers.On each spoke router, you must configure one routing instance.
You must define the following in the routing instance:
- Route distinguisher, which is used to distinguish the addresses in one VPN from those in another VPN.
- Instance type of
vrf, which creates the VRF table on the PE router.- Interfaces that are part of the VPN and that connect the PE routers to their CE routers.
- VRF import and export policies. Both import policies must include reference to a community. Otherwise, when you try to commit the configuration, the commit fails. (The exception to this is if the import policy contains only a
then rejectstatement.) In the VRF export policy, spoke PE routers attach the spoke target community.- Routing between the PE and CE routers, which is required for the PE router to distribute VPN-related routes to and from connected CE routers. You can configure a routing protocol—BGP, OSPF, or RIP—or you can configure static routing.
For a hub-and-spoke topology, you must configure different policies in each routing instance on the hub CE router. For the routing instance associated with the interface that carries packets from the hub PE router to the hub CE router (in this example,
Spokes-to-Hub-CE), the import policy must accept all routes received on the IBGP session between the hub-and-spoke PE routers and the export policy must reject all routes received from the hub CE router. For the routing instance associated with the interfaces that carries packets from the hub CE router to the hub PE router (in this example,Hub-CE-to-Spokes), the import policy must reject all routes received from the spoke PE routers, and the export policy must export to all the spoke routers.On hub PE Router D, configure the following routing instances. Router D uses OSPF to distribute routes to and from the hub CE router.
[edit]routing-instance {Spokes-to-Hub-CE {instance-type vrf;interface ge-0/0/0.0;route-distinguisher 10.255.1.174:65535;vrf-import spoke;vrf-export null;protocols {ospf {export redistribute-vpn;area 0.0.0.0 {interface ge-0/0/0;}}}}Hub-CE-to-Spokes {instance-type vrf;interface ge-0/0/1.0;route-distinguisher 10.255.1.174:65535;vrf-import null;vrf-export hub;protocols {ospf {export redistribute-vpn;area 0.0.0.0 {interface ge-0/0/1.0;}}}}}On spoke PE Router E, configure the following routing instances. Router E uses OSPF to distribute routes to and from the spoke CE Router CE1.
[edit]routing-instance {Spoke-E-to-Hub {instance-type vrf;interface fe-0/1/0.0;route-distinguisher 10.255.14.80:65535;vrf-import hub;vrf-export spoke;protocols {ospf {export redistribute-vpn;area 0.0.0.0 {interface fe-0/1/0.0;]}}}}On spoke PE Router F, configure the following routing instances. Router F uses OSPF to distribute routes to and from the spoke CE Router CE2.
[edit]routing-instance {Spoke-F-to-Hub {instance-type vrf;interface fe-1/0/1.0;route-distinguisher 10.255.14.182:65535;vrf-import hub;vrf-export spoke;protocols {ospf {export redistribute-vpn;area 0.0.0.0 {interface fe-1/0/1.0;]}}}}