Configuring Virtual Networks for Hub-and-Spoke Topology

 

Contrail Networking supports hub-and-spoke topology, which can be used to ensure that virtual machines (VMs) don’t communicate with each other directly; their communication is only allowed indirectly by means of a designated hub virtual network.

Route Targets for Virtual Networks in Hub-and-Spoke Topology

Hub-and-spoke topology can be used to ensure that virtual machines (VMs) don’t communicate with each other directly; their communication is only allowed indirectly by means of a designated hub virtual network (VN). The VMs are configured in spoke VNs.

This is useful for enabling VMs in a spoke VN to communicate by means of a policy or firewall, where the firewall exists in a hub site.

Hub-and-spoke topology is implemented using two route targets (hub-rt and spoke-rt), as follows:

  • Hub route target (hub-rt):

    • The hub VN exports all routes tagged with hub-rt.

    • The spoke VN imports routes tagged with hub-rt, ensuring that the spoke VN has only routes exported by the hub VN.

    • To attract spoke traffic, the hub VN readvertises the spoke routes or advertises the default route.

  • Spoke route target (spoke-rt):

    • All spoke VNs export routes with route target spoke-rt.

    • The hub VN imports all spoke routes, ensuring that the hub VN has all spoke routes.

Note

The hub VN or VRF can reside in an external gateway, such as an MX Series router, while the spoke VN resides in the Contrail controller.

Example: Hub-and-Spoke Topology

In the example shown in Figure 1, the hub-vn is configured as a hub virtual network, and the three spoke-vns are configured as spoke virtual networks. The hub and spokes each use a unique export route target. The hub-vn exports its hub-rt (target:1:1) routes to the spokes, and each spoke-vn imports them. Each spoke-vn exports its spoke-rt (target:1:2, target:1:3, target:1:4) routes to the hub, and the hub-vn imports them.

Figure 1: Hub-and-Spoke Topology
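The import/export rules above can be checked mechanically once the route targets of each VN are known. The following is an added example, not Juniper or Contrail code: it models the Figure 1 route targets and reports any spoke that would learn another spoke's routes directly. The dictionary layout, the spoke names (spoke-vn1 to spoke-vn3), and the assignment of each target to a particular spoke are assumptions made for illustration.

```python
import copy

# Constructed input: import/export route targets per VN, using the values from
# the Figure 1 description. Spoke names and the RT-to-spoke mapping are assumed.
FIGURE1 = {
    "hub-vn":    {"export": {"target:1:1"},
                  "import": {"target:1:2", "target:1:3", "target:1:4"}},
    "spoke-vn1": {"export": {"target:1:2"}, "import": {"target:1:1"}},
    "spoke-vn2": {"export": {"target:1:3"}, "import": {"target:1:1"}},
    "spoke-vn3": {"export": {"target:1:4"}, "import": {"target:1:1"}},
}

def learned_from(vns):
    """Map each VN to the set of VNs whose exported routes it imports."""
    return {
        name: {other for other, ocfg in vns.items()
               if other != name and cfg["import"] & ocfg["export"]}
        for name, cfg in vns.items()
    }

def audit(vns, hub):
    """Return violations of the hub-and-spoke import/export rules."""
    learned = learned_from(vns)
    findings = []
    for spoke in sorted(n for n in vns if n != hub):
        # A spoke may import only what the hub exports.
        leaks = sorted(learned[spoke] - {hub})
        if leaks:
            findings.append(f"{spoke} imports routes directly from {leaks}")
        if hub not in learned[spoke]:
            findings.append(f"{spoke} does not import hub routes")
        # The hub must import every spoke's routes.
        if spoke not in learned[hub]:
            findings.append(f"{hub} does not import routes from {spoke}")
    return findings

def with_leak():
    """Constructed misconfiguration: spoke-vn2 also imports spoke-vn3's target."""
    vns = copy.deepcopy(FIGURE1)
    vns["spoke-vn2"]["import"].add("target:1:4")
    return vns

if __name__ == "__main__":
    print(audit(FIGURE1, "hub-vn"))
    print(audit(with_leak(), "hub-vn"))
```

The model covers only direct route-target matching; spoke routes that the hub VN readvertises reach the other spokes under hub-rt and are therefore not reported.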

Troubleshooting Hub-and-Spoke Topology

The following examples provide methods to help you troubleshoot hub-and-spoke configurations.

Example: Validating the Configuration on the Virtual Network

The following example uses an api-server HTTP GET request to validate the configuration on the virtual network.

Hub VN configuration:

curl -u admin:<password> http://<host ip>:8095/virtual-network/<hub-vn-uuid> | python -m json.tool

Spoke VN configuration:

curl -u admin:<password> http://<host ip>:8095/virtual-network/<spoke-vn-uuid> | python -m json.tool

Example: Validate the Configuration on the Routing Instance

The following example uses an api-server HTTP GET request to validate the configuration on the routing instance.

Spoke VRF configuration (the VRF is system-created by the schema transformer):

user@node:/opt/contrail/utils# curl -u admin:<password> http://<host ip>:8095/routing-instance/<spoke-vrf-uuid> | python -m json.tool

Hub VRF configuration:

curl -u admin:<password> http://<host ip>:8095/routing-instance/<hub-vrf-uuid> | python -m json.tool

Example: Using Contrail Control Introspect

Figure 2 shows the import and export targets for hub-vn and spoke-vns, by invoking contrail-control-introspect.

Figure 2: Contrail Introspect