Configure VPN Policy on the PE Routers
You must configure VPN import and export policies on each of the hub-and-spoke PE routers so that they install the appropriate routes in the VRF tables, which they use to forward packets within each VPN.
On the spoke routers, you define policies to exchange routes with the hub router.
On the hub router, you define policies to accept routes from the spoke PE routers and distribute them to the hub CE router, and vice versa. The hub PE router has two VRF tables:
- Spoke-to-hub VRF table—Handles routes received from spoke routers and announces these routes to the hub CE router. For this VRF table, the import policy must check that the spoke target name is present and that the route was received from the IBGP session between the hub PE and the spoke PE routers. This VRF table must not export any routes, so its export policy should reject everything.
- Hub-to-spoke VRF table—Handles routes received from the hub CE router and announces them to the spoke routers. For this VRF table, the export policy must add the hub target community. This VRF table must not import any routes, so its import policy should reject everything.
In the VPN policy, you also configure the VPN target communities.
On hub PE Router D, configure the following policies to apply to the VRF tables:
- spoke—Accepts routes received from the IBGP session between it and the spoke PE routers that contain the community target spoke, and rejects all other routes.
- hub—Adds the community target hub to all routes received from OSPF (that is, from the session between it and the hub CE router). It rejects all other routes.
- null—Rejects all routes.
- redistribute-vpn—Redistributes OSPF routes to neighbors within the routing instance.

[edit]
policy-options {
    policy-statement spoke {
        term a {
            from {
                protocol bgp;
                community spoke;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement hub {
        term a {
            from protocol ospf;
            then {
                community add hub;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement null {
        then reject;
    }
    policy-statement redistribute-vpn {
        term a {
            from protocol bgp;
            then accept;
        }
        term b {
            then reject;
        }
    }
    community hub members target:65535:1;
    community spoke members target:65535:2;
}

To apply the VRF policies on Router D, include the vrf-export and vrf-import statements when you configure the routing instances:

[edit]
routing-instances {
    Spokes-to-Hub-CE {
        vrf-import spoke;
        vrf-export null;
    }
    Hub-CE-to-Spokes {
        vrf-import null;
        vrf-export hub;
    }
}

On spoke PE Router E and Router F, configure the following policies to apply to the VRF tables:
- hub—Accepts routes received from the IBGP session between it and the hub PE routers that contain the community target hub, and rejects all other routes.
- spoke—Adds the community target spoke to all routes received from OSPF (that is, from the session between it and the hub CE router) and rejects all other routes.
- redistribute-vpn—Redistributes OSPF routes to neighbors within the routing instance.

On spoke PE Router E and Router F, configure the following VPN import and export policies:

[edit]
policy-options {
    policy-statement hub {
        term a {
            from {
                protocol bgp;
                community hub;
            }
            then accept;
        }
        term b {
            then reject;
        }
    }
    policy-statement spoke {
        term a {
            from protocol ospf;
            then {
                community add spoke;
                accept;
            }
        }
        term b {
            then reject;
        }
    }
    policy-statement redistribute-vpn {
        term a {
            from protocol bgp;
            then accept;
        }
        term b {
            then reject;
        }
    }
    community hub members target:65535:1;
    community spoke members target:65535:2;
}

To apply the VRF policies on the spoke routers, include the vrf-export and vrf-import statements when you configure the routing instances:

[edit]
routing-instances {
    Spoke-E-to-Hub {
        vrf-import hub;
        vrf-export spoke;
    }
}

[edit]
routing-instances {
    Spoke-F-to-Hub {
        vrf-import hub;
        vrf-export spoke;
    }
}
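
The route-target logic above can be checked offline before it is committed. The following is an added example, not Juniper code: a small Python model of the four VRFs and their import/export targets that reports any route a spoke VRF would import directly from another spoke instead of through the hub. The sample prefixes and the hub CE re-announcement behaviour are assumptions made for the model.

```python
HUB, SPOKE = "target:65535:1", "target:65535:2"   # communities from the page

# VRF -> (targets its vrf-import accepts, target its vrf-export adds; None = reject all)
PAGE_POLICY = {
    "Spokes-to-Hub-CE": ({SPOKE}, None),   # vrf-import spoke; vrf-export null
    "Hub-CE-to-Spokes": (set(), HUB),      # vrf-import null;  vrf-export hub
    "Spoke-E-to-Hub":   ({HUB}, SPOKE),    # vrf-import hub;   vrf-export spoke
    "Spoke-F-to-Hub":   ({HUB}, SPOKE),
}
SPOKE_VRFS = {"Spoke-E-to-Hub", "Spoke-F-to-Hub"}
# Constructed sample prefixes each VRF learns from its CE over OSPF.
CE_ROUTES = {
    "Hub-CE-to-Spokes": {"10.0.0.0/24"},
    "Spoke-E-to-Hub":   {"10.1.0.0/24"},
    "Spoke-F-to-Hub":   {"10.2.0.0/24"},
}
# Assumed hub CE behaviour: routes heard from the first VRF are re-announced to the second.
HUB_CE_LINK = ("Spokes-to-Hub-CE", "Hub-CE-to-Spokes")


def converge(policy, ce_routes=CE_ROUTES, link=HUB_CE_LINK):
    """Return {vrf: {(prefix, exporting_vrf)}}: the BGP routes each VRF imports."""
    local = {v: set(ce_routes.get(v, ())) for v in policy}   # OSPF-learned prefixes
    imported = {v: set() for v in policy}
    changed = True
    while changed:
        changed = False
        for src, (_, export_rt) in policy.items():
            for dst, (import_rts, _) in policy.items():
                if dst == src or export_rt is None or export_rt not in import_rts:
                    continue
                # Export terms match "from protocol ospf": only local prefixes leave.
                new = {(p, src) for p in local[src]} - imported[dst]
                imported[dst] |= new
                changed = changed or bool(new)
        back = {p for p, _ in imported[link[0]]} - local[link[1]]
        local[link[1]] |= back
        changed = changed or bool(back)
    return imported


def direct_spoke_routes(imported):
    """Routes a spoke VRF imported straight from another spoke, bypassing the hub."""
    return sorted((dst, p, src) for dst in SPOKE_VRFS
                  for p, src in imported[dst] if src in SPOKE_VRFS)


if __name__ == "__main__":
    print(direct_spoke_routes(converge(PAGE_POLICY)))   # spoke-to-spoke leaks, if any
```

With the policies as documented the list is empty and each spoke learns the other spoke's prefix only from Hub-CE-to-Spokes; adding the spoke target to a spoke's import set makes the bypass route appear.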