Overlapping VPNs

In an overlapping VPN, a site is a member of more than one VPN. For example, in Figure 86, the middle site is a member of both VPN A and VPN B. In other words, that site can communicate with all other VPN A sites and all other VPN B sites. An overlapping VPN is often used to provide centralized services. The central site might contain DNS servers or WWW servers or management stations that need to be reachable from multiple VPNs. Overlapping IPv4 and IPv6 VPNs are supported by the same route-target mechanism.

Figure 86: Site Connectivity in an Overlapping VPN

Figure 87 shows how to configure the VRF import and export route targets to build an overlapping VPN. In this example, the export and import route targets are different for VPN A and VPN B. Therefore, VPN A does not accept routes from VPN B and VPN B does not accept routes from VPN A.

The import route target list for the overlapping VPN AB includes both 100:10 and 100:20. VPN AB can therefore accept routes advertised by any site in either VPN A or VPN B. Because the VPN AB export route target list also includes both 100:10 and 100:20, every route advertised by VPN AB can be accepted by any site in either VPN A or VPN B.

Figure 87: Route Target Configuration for an Overlapping VPN

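The import and export matching described for Figure 87 can be checked mechanically. The following Python model is an added example, not part of the original documentation; the VRF names and the assignment of 100:10 to VPN A and 100:20 to VPN B are assumptions based on the text. It models direct route-target matching only and includes an audit helper that reports any route flow not on an expected list.

```python
# Added example: model of VRF route-target import/export matching.
# VRF names and the A=100:10 / B=100:20 assignment are assumptions
# drawn from the description of Figure 87.
VRFS = {
    "VPN_A":  {"export": {"100:10"}, "import": {"100:10"}},
    "VPN_B":  {"export": {"100:20"}, "import": {"100:20"}},
    "VPN_AB": {"export": {"100:10", "100:20"},
               "import": {"100:10", "100:20"}},
}


def accepts(importer, exporter, vrfs=VRFS):
    """True if a route exported by `exporter` carries at least one
    route target that is on `importer`'s import list."""
    return bool(vrfs[exporter]["export"] & vrfs[importer]["import"])


def import_matrix(vrfs=VRFS):
    """Map each VRF to the sorted list of other VRFs whose routes it accepts."""
    return {
        imp: sorted(exp for exp in vrfs
                    if exp != imp and accepts(imp, exp, vrfs))
        for imp in vrfs
    }


def unexpected_leaks(vrfs, allowed):
    """Return (exporter, importer) pairs where routes flow but the pair
    is not in `allowed`: an audit for unintended VPN overlap."""
    return sorted(
        (exp, imp)
        for imp in vrfs for exp in vrfs
        if exp != imp and accepts(imp, exp, vrfs)
        and (exp, imp) not in allowed
    )


if __name__ == "__main__":
    for vrf, sources in import_matrix().items():
        print(f"{vrf} imports from: {sources or 'none'}")
```

Running `unexpected_leaks` against the intended flow list after every route-target change shows when a mistyped import target has joined two VPNs that were meant to stay separate.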

An interesting special case of an overlapping VPN occurs when two VRFs on the same PE router belong to the same VPN, as shown in Figure 88. The configuration of the VRF import and export route targets is the same as for the example in Figure 87.

If the export route target of one VRF (for example, the VPN AB VRF) matches the import route target of another VRF (for example, the VPN A VRF), then BGP routes are exported from one VRF to the other VRF; in this case from the VPN AB VRF to the VPN A VRF. Consequently, traffic that arrives in one VRF is forwarded out another VRF without going through the MPLS core network.

Figure 88: Overlapping VPNs on a Single PE

From a given CE router you can ping the local address of any VRF that has a VPN overlapping another VPN to which the CE router belongs.

To achieve this internally, the router obtains the source address as follows:

