The MPLS-OPS Archive

Re: Clarify Management VPN?
Frederik,

At 02:54 PM 8/1/2003, Frederik H. Andersen wrote:
>Hi Ives,
>
>Thanx, your reply was very helpful.
>Why do you have the '/24 le 32' in the prefix match specification? Shouldn't
>it be sufficient with /24?

Nah... /24 will only match the prefixes that have a /24 mask. Having "le 32" allows the whole range from /24 to /32. This would be the case if you don't know what subnet the loopbacks are allocated with.

If it is affirmative that each loopback is allocated a /32, then you can safely include /32 (instead of the whole range) in the prefix-list.

Also, few folks prefer to make the management have the reachability information to the PE-CE interface and in that case, you may want to allow the whole range.

Cheers,
Rajiv

>Perhaps you can help on this issue too:
>When the management station gets connected via a management VPN then what
>about access to PE routers loopback addresses?
>
>- Fred
>
> > -----Original Message-----
> > From: Ives Dekoninck [mailto:Ives.Dekoninck@eu.didata.com]
> > Sent: Friday, August 01, 2003 1:57 PM
> > To: 'Frederik H. Andersen'
> > Subject: RE: [MPLS-OPS]: Clarify Management VPN?
> >
> > Hi Fred,
> >
> > For the management VPN what I do is export the Mgmt routes by a route
> > target X which I import in all my VPN sites. For the VPNs themselves I use
> > an export map which tags specific routes with an additional Route target
> > (don't forget the additive keyword in your route-map) which I then import
> > in the management VPN.
> >
> > As such the management can reach e.g. all loopback addresses from the VPN
> > sites.
> >
> > I use an export map so that I only have to add the map on VPN creation, and
> > I don't need to alter my mgmt VPN configuration.
> >
> > Below is a config example:
> >
> > ip vrf MGT
> >  rd 65000:1
> >  route-target export 65000:1
> >  route-target import 65000:2
> >
> > ip vrf VPN1
> >  rd 65000:10
> >  export map export_to_mgt
> >  route-target import 65000:1
> >  route-target export 65000:10
> >
> > ip vrf VPN2
> >  rd 65000:11
> >  export map export_to_mgt
> >  route-target import 65000:1
> >  route-target export 65000:11
> >
> > route-map export_to_mgt
> >  match ip address prefix-list loopbacks
> >  set extcommunity rt 65000:2 additive
> >
> > ip prefix-list loopbacks permit W.X.Y.Z/24 le 32
> >
> > Hope this helps,
> >
> > -Ives-
> >
> > -----Original Message-----
> > From: Frederik H. Andersen [mailto:Frederik.H.Andersen@netman.dk]
> > Sent: vendredi 1 août 2003 13:36
> > To: mpls-ops@mplsrc.com
> > Subject: [MPLS-OPS]: Clarify Management VPN?
> >
> > Hi,
> >
> > I'm planning a Cisco hub&spoke type ISP Management VPN and have some doubts
> > which I hope someone with insight is willing to spend the time to resolve:
> >
> > Assume the following (generic) VRFs:
> >   Any VPN Site:         The Management Hub site:
> >   VRF Site1             VRF Hub
> >   RD S1                 RD HH
> >   RT import Spoke       RT export Spoke
> >   RT export Hub         RT import Hub
> >   RT ...
> >
> > 1) Is it correct, that the routes exported by the sites and imported by the
> > Hub (having RT Hub) are NOT redistributed by the Hub (iBGP) to the spoke
> > sites with a RT of Spoke ?
> >
> > 2) Are they redistributed at all, with e.g. an RT of Hub?
> >
> > 3) If they are not redistributed, what if a customer VPN had a similar
> > hub&spoke configuration. How would this VPN learn the routes, e.g. how
> > would a Site1 know the route to e.g. a Site2
> >
> > To limit the number of routes to be stored by the management Hub site PE, I
> > understand that e.g. an import route map could be deployed by the Hub site
> > to filter unwanted routes. E.g. something like:
> >   VRF Hub
> >   RD HH
> >   RT export Spoke
> >   RT import Hub
> >   import map mgmt_map
> >
> > 4) Will the 'RT import Hub' and an 'import map' work as an OR or as an AND?
> > I.e. will only routes with RT Hub AND satisfying the map match criteria be
> > imported?
> >
> > 5) Is it possible/better to limit the distribution of management routes at
> > the sites, by use of an export map configuration?
> >
> > 6) If a map uses a 'match ip address' construct, what address is actually
> > matched?
> >   a) Is it the src or dst IP address in the route update protocol
> >      (BGP peer)?
> >   b) Is it the route prefix in the routes?
> >   c) Is it the next hop address in the routes?
> >
> > 7) It looks to me, that a VPN topology refers to the control plane and not
> > the data plane, because when a site route is learnt on PE1 from some other
> > iBGP peer (e.g. a PE-hub), it refers to the PE2 connecting to that prefix,
> > and then the IGP will point PE1 to the next hop router towards PE2 and
> > this will typically not be the hub?! Is this correct?
> >
> > I hope some may clarify these issues or point me to some information that
> > might.
> >
> > - Fred
> >
> > -------
> > The MPLS-OPS Mailing List
> > Subscribe/Unsubscribe: http://www.mplsrc.com/mplsops.shtml
> > Archive: http://www.mplsrc.com/mpls-ops_archive.shtml
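
Added example, not part of the original thread: a small Python model of the route-target design and the '/24 le 32' prefix-list discussed above, showing which prefixes each VRF ends up importing and what happens to the management VRF when the prefix-list is a plain /24. It assumes 10.255.0.0/24 as a constructed stand-in for the elided W.X.Y.Z/24 range; the per-VRF routes and all function names are hypothetical.

```python
import ipaddress

def prefix_list_permits(route, entry, ge=None, le=None):
    """IOS-style prefix-list entry: route lies inside `entry` and its
    mask length is in range (exact length when neither ge nor le is set)."""
    route, entry = ipaddress.ip_network(route), ipaddress.ip_network(entry)
    if not route.subnet_of(entry):
        return False
    if ge is None and le is None:
        return route.prefixlen == entry.prefixlen
    low = entry.prefixlen if ge is None else ge
    high = 32 if le is None else le
    return low <= route.prefixlen <= high

# Constructed stand-in for the elided W.X.Y.Z/24 loopback range (assumption).
LOOPBACKS = "10.255.0.0/24"

# Route targets as in the quoted configuration; local routes are constructed.
VRFS = {
    "MGT":  {"imp": {"65000:2"}, "exp": {"65000:1"}, "export_map": False,
             "routes": ["172.16.0.0/24"]},
    "VPN1": {"imp": {"65000:1"}, "exp": {"65000:10"}, "export_map": True,
             "routes": ["10.255.0.1/32", "192.168.10.0/24"]},
    "VPN2": {"imp": {"65000:1"}, "exp": {"65000:11"}, "export_map": True,
             "routes": ["10.255.0.2/32", "10.255.0.16/30", "192.168.20.0/24"]},
}

def route_targets(vrf, prefix, le=32):
    """RTs attached on export: the VRF's own RT, plus 65000:2 (additive)
    when the export map's prefix-list permits the prefix."""
    rts = set(vrf["exp"])
    if vrf["export_map"] and prefix_list_permits(prefix, LOOPBACKS, le=le):
        rts.add("65000:2")
    return rts

def imported(name, le=32):
    """Prefixes that VRF `name` imports from the other VRFs."""
    got = set()
    for other, vrf in VRFS.items():
        if other == name:
            continue
        for prefix in vrf["routes"]:
            if route_targets(vrf, prefix, le) & VRFS[name]["imp"]:
                got.add(prefix)
    return got

if __name__ == "__main__":
    for name in VRFS:
        print(name, sorted(imported(name)))
    print("MGT with plain /24:", sorted(imported("MGT", le=None)))
```

In this model the customer LAN prefixes never reach MGT and VPN1 never sees VPN2, while every customer VRF does import the management prefix, so the prefix-list on the export map is the only control on what the management side learns.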