VPN Overlap

In an overlapping VPN, a site is a member of more than one VPN. For example, in Figure 87, the middle site is a member of both VPN A and VPN B. In other words, that site can communicate with all other VPN A sites and all other VPN B sites. An overlapping VPN is often used to provide centralized services. The central site might contain DNS servers, WWW servers, or management stations that need to be reachable from multiple VPNs. Overlapping IPv4 and IPv6 VPNs are supported by the same route-target mechanism.

Figure 87: Site Connectivity in an Overlapping VPN

Figure 88 shows how to configure the VRF import and export route targets to build an overlapping VPN. In this example, the export and import route targets are different for VPN A and VPN B. Therefore, VPN A does not accept routes from VPN B and VPN B does not accept routes from VPN A.

The import route target list for the overlapping VPN AB includes both 100:10 and 100:20. VPN AB can therefore accept routes advertised by any site in either VPN A or VPN B. Because the VPN AB export route target list also includes both 100:10 and 100:20, every route advertised by VPN AB can be accepted by any site in either VPN A or VPN B.

Figure 88: Route Target Configuration for an Overlapping VPN

An interesting special case of an overlapping VPN occurs when two VRFs on the same PE router belong to the same VPN, as shown in Figure 89. The configuration of the VRF import and export route targets is the same as for the example in Figure 88.

If the export route target of one VRF (for example, the VPN AB VRF) matches the import route target of another VRF (for example, the VPN A VRF), then BGP routes are exported from one VRF to the other VRF; in this case from the VPN AB VRF to the VPN A VRF. Consequently, traffic that arrives in one VRF is forwarded out another VRF without going through the MPLS core network.

Figure 89: Overlapping VPNs on a Single PE
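
The route-target matching described for Figure 88 and the same-PE case of Figure 89 can be modeled to audit which VRFs exchange routes. The following is an added example, not vendor code or router configuration; it assumes VPN A uses 100:10 and VPN B uses 100:20, and the PE names and VRF names are hypothetical.

```python
# Added example: models route-target (RT) import/export matching between VRFs.
# Assumption: VPN A uses RT 100:10 and VPN B uses RT 100:20; the page gives
# only the two values and states that VPN AB lists both.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vrf:
    name: str
    pe: str                # hypothetical PE router name
    imports: frozenset     # import route target list
    exports: frozenset     # export route target list


def accepts(receiver: Vrf, sender: Vrf) -> bool:
    """A route is accepted when an RT attached on export matches an import RT."""
    return bool(sender.exports & receiver.imports)


def import_matrix(vrfs):
    """Return {(sender, receiver): bool} for every ordered pair of VRFs."""
    return {(s.name, r.name): accepts(r, s)
            for s in vrfs for r in vrfs if s is not r}


def local_leaks(vrfs):
    """Same-PE pairs where routes pass VRF to VRF without crossing the MPLS core."""
    return sorted((s.name, r.name) for s in vrfs for r in vrfs
                  if s is not r and s.pe == r.pe and accepts(r, s))


def isolation_violations(vrfs, must_be_isolated):
    """Return the (sender, receiver) pairs that policy forbids but the RTs allow."""
    matrix = import_matrix(vrfs)
    return sorted(pair for pair in must_be_isolated if matrix.get(pair))


RT_A, RT_B = "100:10", "100:20"
VRFS = [  # constructed sample: VPN A and VPN AB share PE1, VPN B sits on PE2
    Vrf("VPN_A", "PE1", frozenset({RT_A}), frozenset({RT_A})),
    Vrf("VPN_AB", "PE1", frozenset({RT_A, RT_B}), frozenset({RT_A, RT_B})),
    Vrf("VPN_B", "PE2", frozenset({RT_B}), frozenset({RT_B})),
]

if __name__ == "__main__":
    for (s, r), ok in sorted(import_matrix(VRFS).items()):
        print(f"{s:7} -> {r:7} {'accepted' if ok else 'rejected'}")
    print("same-PE leaks:", local_leaks(VRFS))
```

Running `isolation_violations` against the intended policy after each route-target change catches an import list that unintentionally joins VPN A and VPN B.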

From a given CE router you can ping the local address of any VRF that has a VPN overlapping another VPN to which the CE router belongs.

To achieve this internally, the router obtains the source address as follows:
