Hub-and-Spoke Environment of MPLS VPN

Source: Internet
Author: User

In a hub-and-spoke MPLS VPN environment, for the sake of security and cost, the branches are not interconnected directly, and traffic between branches must pass through the firewall at headquarters. This provides the security benefit and saves cost at the same time.

The experiment topology is as follows:
Because of the DN (down) bit and the domain tag used by OSPF's loop-prevention mechanism, the routes may not be accepted in the outbound VRF of R6. The DN-bit and domain-tag checks must therefore be disabled in the outbound VRF. The configurations of the ASA and R6 are attached below.

ASA:

interface Ethernet0/0
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/0.100
 vlan 100
 nameif ouside
 security-level 0
 ip address 192.168.100.254 255.255.255.0
!
interface Ethernet0/0.200
 vlan 200
 nameif inside
 security-level 100
 ip address 192.168.200.254 255.255.255.0
router ospf 200
 network 192.168.100.0 255.255.255.0 area 0
 log-adj-changes
!
router ospf 300
 network 192.168.200.0 255.255.255.0 area 0
 log-adj-changes
 redistribute ospf 200 subnets

R6:

R6# show run
Building configuration...

Current configuration : 2320 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R6
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
no ip domain lookup
!
!
ip vrf r6in
 rd 6100
 route-target import 100:100
!
ip vrf r6out
 rd
 route-target export
!
mpls label range 600 699
mpls label protocol ldp
!
interface Loopback0
 ip address 6.6.6.6 255.255.255.255
!
interface FastEthernet0/0
 ip address 192.168.56.6 255.255.255.0
 duplex auto
 speed auto
 mpls ip
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 ip vrf forwarding r6in
 ip address 192.168.100.6 255.255.255.0
!
interface FastEthernet0/1.200
 encapsulation dot1Q 200
 ip vrf forwarding r6out
 ip address 192.168.200.6 255.255.255.0
!
!
router ospf 200 vrf r6in
 log-adjacency-changes
 capability vrf-lite
 redistribute bgp 100 subnets
 network 192.168.100.0 0.0.0.255 area 0
!
router ospf 300 vrf r6out
 log-adjacency-changes
 capability vrf-lite
 redistribute bgp 100 subnets
 network 192.168.200.0 0.0.0.255 area 0
!
router ospf 100
 router-id 6.6.6.6
 log-adjacency-changes
 network 6.6.6.6 0.0.0.0 area 0
 network 192.168.56.0 0.0.0.255 area 0
!
router bgp 100
 bgp router-id router
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 3.3.3.3 remote-as 100
 neighbor 3.3.3.3 update-source Loopback0
 neighbor 4.4.4.4 remote-as 100
 neighbor 4.4.4.4 update-source Loopback0
 !
 address-family vpnv4
  neighbor 3.3.3.3 activate
  neighbor 3.3.3.3 send-community extended
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community extended
 exit-address-family
 !
 address-family ipv4 vrf r6out
  redistribute ospf 300 vrf r6out match internal external 1 external 2 nssa-external 1 nssa-external 2
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf r6in
  redistribute ospf 200 vrf r6in match internal external 1 external 2 nssa-external 1 nssa-external 2
  no synchronization
 exit-address-family
!
no ip http server
no ip http secure-server
!
mpls ldp router-id Loopback0
!
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
 login
!
!
end

Verification:
It can be seen that the VRF has correctly received the routes.

R2-R4 is an IP packet.
R4-R5 carries two labels; R5-R6 carries a single label (because PHP pops the top label).
R6-ASA is an IP packet.
The analysis above shows that the data packets are forwarded through the ASA.

Author: wenlf136
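
An added example, not part of the original article: a small Python audit of a hub PE configuration for the two conditions this design relies on, namely that each hub VRF is one-directional (import-only or export-only, as with r6in and r6out) and that every OSPF VRF process carries capability vrf-lite, the command that turns off the DN-bit and domain-tag checks. The sample configuration, its rd and route-target values, and the VRF named r6bad are constructed for illustration.

```python
import re

# Constructed sample: a hub PE fragment in the style of R6 above.
# The rd/route-target values and the VRF "r6bad" are made up for this example.
SAMPLE = """\
ip vrf r6in
 rd 6:100
 route-target import 100:100
ip vrf r6out
 rd 6:200
 route-target export 200:200
ip vrf r6bad
 rd 6:300
 route-target import 100:100
 route-target export 200:200
router ospf 200 vrf r6in
 capability vrf-lite
 redistribute bgp 100 subnets
router ospf 300 vrf r6out
"""

def blocks(config):
    """Yield (header, [sub-commands]) for each top-level IOS stanza."""
    header, body = None, []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line[0] != " ":
            if header:
                yield header, body
            header, body = line.strip(), []
        else:
            body.append(line.strip())
    if header:
        yield header, body

def audit_hub(config):
    """Return findings that would break the forced path through the firewall."""
    findings = []
    for header, body in blocks(config):
        m = re.match(r"ip vrf (\S+)$", header)
        if m:
            dirs = {c.split()[1] for c in body if c.startswith("route-target ")}
            if {"import", "export"} <= dirs or "both" in dirs:
                findings.append(f"{m.group(1)}: imports and exports route-targets")
        m = re.match(r"router ospf \d+ vrf (\S+)$", header)
        if m and "capability vrf-lite" not in body:
            findings.append(f"{m.group(1)}: OSPF DN-bit/domain-tag checks still on")
    return findings
```

A VRF that both imports spoke routes and exports toward the spokes lets the PE forward branch-to-branch traffic itself instead of handing it to the ASA, so that finding is the one to treat as a policy bypass.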
