Hey there,
On an MPLS VPN network, different VPN instances are used to isolate routes from one another for many purposes. In some cases, however, specific network segments or sites in different VPNs need to communicate with each other. There are several ways to achieve this. Today, I'd like to share with you two different scenarios and their solutions.
Network topology

Scenario 1: Specific sites in different VPNs need to communicate with each other.
Requirement:
In the network, there are two service VPNs: VPN1 and VPN2. Host 11.11.11.11 in VPN1 on PE1 needs to access host 200.200.200.200 in VPN2 on PE2, but no other IP addresses in the two VPNs may communicate with each other.
Solution:
1. Import all VPNv4 routes of the destination VPN to the VPN instance.
PE1:
#
ip vpn-instance vpn1
 ipv4-family
  vpn-target 200:1 import-extcommunity
#

PE2:
#
ip vpn-instance vpn2
 ipv4-family
  vpn-target 100:1 import-extcommunity
#
2. Define a route-policy to filter the required routes.
PE1:
#
route-policy vpn1 permit node 10
 if-match ip-prefix vpn1
 if-match extcommunity-filter vpn2   // If no network segment is duplicated across the VPNs, this command can be omitted.
#
route-policy vpn1 permit node 20
 if-match extcommunity-filter vpn1   // Permit the routes of VPN1. Otherwise, the sites in VPN1 cannot communicate with each other.
#
ip ip-prefix vpn1 index 10 permit 200.200.200.200 32
#
ip extcommunity-filter basic vpn1 permit rt 100:1
ip extcommunity-filter basic vpn2 permit rt 200:1
#
ip vpn-instance vpn1
 ipv4-family
  import route-policy vpn1
#

PE2:
#
route-policy vpn2 permit node 10
 if-match ip-prefix vpn2
 if-match extcommunity-filter vpn1
#
route-policy vpn2 permit node 20
 if-match extcommunity-filter vpn2   // Permit the routes of VPN2. Otherwise, the sites in VPN2 cannot communicate with each other.
#
ip ip-prefix vpn2 index 10 permit 11.11.11.11 32
#
ip extcommunity-filter basic vpn1 permit rt 100:1
ip extcommunity-filter basic vpn2 permit rt 200:1
#
ip vpn-instance vpn2
 ipv4-family
  import route-policy vpn2
#
Summary: The vpn-target import-extcommunity command is run in the VPN instance view to import VPNv4 routes carrying the listed route targets into the VPN routing table. The import route-policy command then filters those VPNv4 routes as they are imported. This is similar to route import in an IGP: routes are filtered by a policy before being imported.
Scenario 2: Access the server in another VPN.
Requirement:
In the network, there are two service VPNs: VPN1 and VPN2. The sites in VPN2 on PE2 need to access the server 11.11.11.11 in VPN1, but no other IP addresses in the two VPNs may communicate with each other.
Solution:
Add the extended community attribute (route target) of the destination VPN when PE1 advertises the server address of VPN1, and import all routes of VPN2 into VPN1 on PE1 so that the server's return traffic can reach the VPN2 sites. In this way, the sites in VPN2 can access the server in VPN1.
PE1:
#
route-policy server permit node 10
 if-match ip-prefix server
 apply extcommunity rt 200:1 additive   // Match the server address and add the extended community attribute of the destination VPN. The additive keyword is required; otherwise the original 100:1 attribute is overwritten by 200:1 and the users of VPN1 can no longer reach the server.
#
route-policy server permit node 20   // Permit the other network segments of the VPN instance. Otherwise, routes to those segments are not advertised.
#
ip vpn-instance vpn1
 ipv4-family
  route-distinguisher 2.2.2.2:100
  export route-policy server   // The VPN advertises the server address with two ext-community attributes.
  vpn-target 100:1 export-extcommunity
  vpn-target 100:1 import-extcommunity
  vpn-target 100:1 200:1 import-extcommunity
#
Summary: When the export route-policy command is run on the remote end (PE1, which advertises the server), all PEs in the destination VPN receive the server route. Pay attention to the following points when running the command:
1. The additive parameter must be added.
2. The export route-policy must also permit the other routes of the local VPN to pass through. Otherwise, those routes are no longer advertised and become unreachable.
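To make the two filtering mechanisms concrete, here is a small Python simulation of how a PE selects VPNv4 routes into a VPN instance (vpn-target import plus import route-policy, Scenario 1) and how an export route-policy rewrites route targets with and without additive (Scenario 2). This is an added example, not Huawei code or anything from the original post. The prefixes 10.1.1.0/24 (another VPN1 site) and 10.2.2.0/24 (another VPN2 site), all function and class names, and the two modelling assumptions (a route that matches no policy node is denied; export RTs are attached before the export policy runs) are my own, made to match the behaviour described above.

```python
# Constructed simulation of VPNv4 route import/export with route-target (RT)
# filtering. Added example, not Huawei VRP code; all names and sample routes
# are made up to mirror the post's two scenarios.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VpnRoute:
    prefix: str          # e.g. "11.11.11.11/32"
    rts: frozenset       # route-target extended communities, e.g. {"100:1"}


@dataclass(frozen=True)
class Node:
    """One 'route-policy ... permit node N' with optional if-match / apply clauses."""
    match_prefix: str | None = None      # if-match ip-prefix (exact prefix, as in 'permit X 32')
    match_rts: frozenset | None = None   # if-match extcommunity-filter (any listed RT present)
    apply_rt: str | None = None          # apply extcommunity rt <rt>
    additive: bool = False               # the 'additive' keyword


def _node_matches(node: Node, route: VpnRoute) -> bool:
    if node.match_prefix is not None and \
            ipaddress.ip_network(route.prefix) != ipaddress.ip_network(node.match_prefix):
        return False
    if node.match_rts is not None and not (route.rts & node.match_rts):
        return False
    return True


def apply_policy(policy: list[Node], route: VpnRoute) -> VpnRoute | None:
    """Return the (possibly rewritten) route if a permit node matches, else None.
    Assumption: a route matching no node is denied, as on VRP."""
    for node in policy:
        if _node_matches(node, route):
            if node.apply_rt is None:
                return route
            # Without 'additive' the existing RTs are replaced by the applied one.
            new_rts = route.rts | {node.apply_rt} if node.additive else frozenset({node.apply_rt})
            return replace(route, rts=new_rts)
    return None


def import_routes(vpnv4_table, import_rts, policy=None):
    """Routes that reach a VPN instance: RT match first, then the import route-policy."""
    imported = []
    for route in vpnv4_table:
        if not (route.rts & frozenset(import_rts)):
            continue                      # vpn-target ... import-extcommunity did not match
        kept = route if policy is None else apply_policy(policy, route)
        if kept is not None:
            imported.append(kept.prefix)
    return sorted(imported)


def export_routes(local_prefixes, export_rts, policy=None):
    """VPNv4 routes a PE advertises: export RTs are attached, then the export policy runs."""
    advertised = []
    for prefix in local_prefixes:
        route = VpnRoute(prefix, frozenset(export_rts))
        out = route if policy is None else apply_policy(policy, route)
        if out is not None:
            advertised.append(out)
    return advertised


def scenario1_vpn1_on_pe1():
    """Scenario 1: VPN1 on PE1 imports RT 100:1 and 200:1 but filters with route-policy vpn1."""
    vpnv4 = [VpnRoute("11.11.11.11/32", frozenset({"100:1"})),
             VpnRoute("10.1.1.0/24", frozenset({"100:1"})),          # constructed: another VPN1 site
             VpnRoute("200.200.200.200/32", frozenset({"200:1"})),
             VpnRoute("10.2.2.0/24", frozenset({"200:1"}))]          # constructed: another VPN2 site
    policy_vpn1 = [Node(match_prefix="200.200.200.200/32", match_rts=frozenset({"200:1"})),  # node 10
                   Node(match_rts=frozenset({"100:1"}))]                                      # node 20
    return import_routes(vpnv4, {"100:1", "200:1"}, policy_vpn1)


def scenario2_exports(additive: bool, permit_rest: bool):
    """Scenario 2: PE1 exports VPN1 routes through route-policy server; see what each VPN on PE2 gets."""
    policy = [Node(match_prefix="11.11.11.11/32", apply_rt="200:1", additive=additive)]  # node 10
    if permit_rest:
        policy.append(Node())             # node 20 with no if-match: permit everything else
    routes = export_routes(["11.11.11.11/32", "10.1.1.0/24"], {"100:1"}, policy)
    return {"vpn2_on_pe2": import_routes(routes, {"200:1"}),
            "vpn1_on_pe2": import_routes(routes, {"100:1"})}


if __name__ == "__main__":
    print("Scenario 1, VPN1 on PE1 sees:", scenario1_vpn1_on_pe1())
    for additive, permit_rest in [(True, True), (False, True), (True, False)]:
        print(f"Scenario 2 additive={additive} permit_rest={permit_rest}:",
              scenario2_exports(additive, permit_rest))
```

Running it shows the two caveats from the summary directly: with additive omitted, VPN1 on PE2 loses the server route because 100:1 was replaced by 200:1, and without the catch-all node 20 the other VPN1 segment (10.1.1.0/24) is not advertised at all.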

