

Using Route Targets to Configure VPN Topologies

You can use VRF import and export route targets to configure a variety of VPN topologies, such as full-mesh VPNs, hub-and-spoke VPNs, and overlapping VPNs.

Full-Mesh VPNs

In a full-mesh VPN, each site in the VPN can communicate with every other site in that same VPN. For example, in Figure 81, each site in VPN A can communicate with all other VPN A sites but not with the sites in VPN B.


Figure 81: Site Connectivity in a Full-Mesh VPN

Figure 82 illustrates how you can configure the VRF import and export route targets to build a full-mesh VPN. Each VRF in VPN A has the same route target, 100:10, in both its import list and its export list. Each VPN A VRF accepts only received routes that have this route target attached. Because this route target is attached to each route advertised by VPN A VRFs, every site in VPN A accepts routes only from other sites in VPN A. The same principle applies to VPN B.


Figure 82: Route Target Configuration for a Full-Mesh VPN

Hub-and-Spoke VPNs

In a hub-and-spoke VPN, the spoke sites in the VPN can communicate only with the hub sites; they cannot communicate with other spoke sites, as shown in Figure 83.


Figure 83: Site Connectivity in a Hub-and-Spoke VPN

Figure 84 shows how to configure the VRF import and export route targets to build a hub-and-spoke VPN. Each spoke VRF has the same export route target, 100:12. The hub VRF has its import route target set to 100:12, so it accepts only routes from the spoke VRFs. Each spoke VRF has the same import route target, 100:11. Every route advertised by any spoke has an attached route target of 100:12. Because that route target does not match the import route target of any spoke, the spokes cannot accept any routes from another spoke. However, the hub VRF has an export route target of 100:11, so routes advertised by the hub do match the import target of each spoke and are accepted by all of the spokes.


Figure 84: Route Target Configuration for a Hub-and-Spoke VPN

Overlapping VPNs

In an overlapping VPN, a site is a member of more than one VPN. For example, in Figure 85, the middle site is a member of both VPN A and VPN B. In other words, that site can communicate with all other VPN A sites and all other VPN B sites. An overlapping VPN is often used to provide centralized services. The central site might contain DNS servers or WWW servers or management stations that need to be reachable from multiple VPNs. Overlapping IPv4 and IPv6 VPNs are supported by the same route-target mechanism.


Figure 85: Site Connectivity in an Overlapping VPN

Figure 86 shows how to configure the VRF import and export route targets to build an overlapping VPN. In this example, the export and import route targets are different for VPN A and VPN B. Therefore, VPN A does not accept routes from VPN B and VPN B does not accept routes from VPN A.

The import route target list for the overlapping VPN AB includes both 100:10 and 100:20. VPN AB can therefore accept routes advertised by any site in either VPN A or VPN B. Because the VPN AB export route target list also includes both 100:10 and 100:20, every route advertised by VPN AB can be accepted by any site in either VPN A or VPN B.


Figure 86: Route Target Configuration for an Overlapping VPN
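
The import/export matching rule described for the hub-and-spoke and overlapping topologies can be checked offline before a configuration is deployed. The following is an added example, not part of the original documentation or of any router software: it models each VRF as a pair of route-target sets and reports which VRFs exchange routes in both directions and which import routes in one direction only. The route-target values come from the text; the VRF names and the misconfigured variant are constructed for illustration.

```python
# Added example: model VRF import/export route-target matching.
from itertools import permutations

def accepts(importer, exporter):
    """True if importer's import list shares a route target with exporter's export list."""
    return bool(importer["import"] & exporter["export"])

def can_communicate(vrfs):
    """Return the unordered VRF pairs that exchange routes in both directions."""
    pairs = set()
    for a, b in permutations(vrfs, 2):
        if accepts(vrfs[a], vrfs[b]) and accepts(vrfs[b], vrfs[a]):
            pairs.add(frozenset((a, b)))
    return pairs

def one_way_imports(vrfs):
    """Return (importer, exporter) pairs where routes flow in one direction only."""
    return {(a, b) for a, b in permutations(vrfs, 2)
            if accepts(vrfs[a], vrfs[b]) and not accepts(vrfs[b], vrfs[a])}

# Route-target values from the text; VRF names are constructed.
HUB_AND_SPOKE = {
    "hub":    {"import": {"100:12"}, "export": {"100:11"}},
    "spoke1": {"import": {"100:11"}, "export": {"100:12"}},
    "spoke2": {"import": {"100:11"}, "export": {"100:12"}},
}
OVERLAPPING = {
    "A1": {"import": {"100:10"}, "export": {"100:10"}},
    "B1": {"import": {"100:20"}, "export": {"100:20"}},
    "AB": {"import": {"100:10", "100:20"}, "export": {"100:10", "100:20"}},
}
# Constructed misconfiguration: spoke2 also imports the spokes' export target,
# so it learns spoke1's routes even though spoke1 learns nothing from spoke2.
MISCONFIGURED = dict(
    HUB_AND_SPOKE,
    spoke2={"import": {"100:11", "100:12"}, "export": {"100:12"}},
)

if __name__ == "__main__":
    for name, topo in [("hub-and-spoke", HUB_AND_SPOKE),
                       ("overlapping", OVERLAPPING),
                       ("misconfigured", MISCONFIGURED)]:
        print(name,
              sorted(sorted(p) for p in can_communicate(topo)),
              sorted(one_way_imports(topo)))
```

A non-empty one-way result is worth reviewing: the importing VRF holds routes to a site that the intended topology was meant to keep isolated from it.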

An interesting special case of an overlapping VPN is when two VRFs on the same PE router belong to the same VPN, as shown in Figure 87. The configuration of the VRF import and export route targets is the same as for the example in Figure 86.

If the export route target of one VRF (for example, the VPN AB VRF) matches the import route target of another VRF (for example, the VPN A VRF), then BGP routes are exported from one VRF to the other VRF; in this case from the VPN AB VRF to the VPN A VRF. Consequently, traffic that arrives in one VRF is forwarded out another VRF without going through the MPLS core network.


Figure 87: Overlapping VPNs on a Single PE

From a given CE router you can ping the local address of any VRF that has a VPN overlapping another VPN to which the CE router belongs.

To achieve this internally, the router obtains the source address as follows:

