Hub and Spoke VPLS

Load vpls.hub.and.spoke.cfg

#IOS-XE (R1-R6, CE1-3, CE10)
config replace flash:vpls.hub.and.spoke.cfg

CE1, CE2, CE3, and CE10 are preconfigured in 10.0.0.X/24.

  • Configure a hub and spoke VPLS that allows all routers to communicate with CE1, while CE2, CE3, and CE10 cannot communicate with each other.

  • Use BGP for both autodiscovery and autosignaling.

  • BGP l2vpn/vpls is already established in the lab.

Answer

#R1
l2vpn vfi context VPLS1
 vpn id 100
 autodiscovery bgp signaling bgp
  ve id 1
  route-target import 65000:100
  route-target export 65000:101
  no auto-route-target
!
int gi4
 service instance 10 eth
  encapsulation default
 exit
!
bridge-domain 10
 member gi4 service-instance 10
 member vfi VPLS1

#R2
l2vpn vfi context VPLS1
 vpn id 100
 autodiscovery bgp signaling bgp
  ve id 2
  route-target import 65000:101
  route-target export 65000:100
  no auto-route-target
!
int gi4
 service instance 10 eth
  encapsulation default
 exit
!
bridge-domain 10
 member gi4 service-instance 10
 member vfi VPLS1

#R3
l2vpn vfi context VPLS1
 vpn id 100
 autodiscovery bgp signaling bgp
  ve id 3
  route-target import 65000:101
  route-target export 65000:100
  no auto-route-target
!
int gi6
 service instance 10 eth
  encapsulation default
 exit
!
bridge-domain 10
 member gi6 service-instance 10
 member vfi VPLS1

#R5
l2vpn vfi context VPLS1
 vpn id 100
 autodiscovery bgp signaling bgp
  ve id 5
  route-target import 65000:101
  route-target export 65000:100
  no auto-route-target
!
int gi6
 service instance 10 eth
  encapsulation default
 exit
!
bridge-domain 10
 member gi6 service-instance 10
 member vfi VPLS1

Explanation

By using the RTs for import/export control as we do with L3VPN, we can constrain the L2VPN topology. In this case we allow CE1 to communicate with all spokes, but all spokes can only communicate with CE1, not with each other.

To do this, we specify the import/export RTs under the VFI. All spokes import only the hub’s target. The hub site imports the spoke target. We must make sure to use no auto-route-target; otherwise the route-target commands will have no effect and the router will import/export <ASN>:<VPN ID> as usual.

By configuring all PEs besides R1 to only import R1’s RT, we do not allow any other pseudowires to form. This forces the constrained hub and spoke topology.
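
The RT matching described above can be checked offline. The following Python sketch is an added example, not part of the original lab: it parses VFI stanzas written in the style of the answer, derives each PE's effective RTs, and lists any pseudowire that bypasses the hub. Assumptions: the local ASN is 65000 (inferred from the RT values), a pseudowire forms only when each PE imports an RT the other exports, and a missing no auto-route-target is modelled exactly as the explanation states it. The helper names and the faulty variant are constructed for illustration.

```python
import re
from itertools import combinations

ASN = 65000  # assumption: local AS, inferred from the page's 65000:x route-targets

def vfi(ve_id, imp, exp, no_auto=True):
    """Build a VFI stanza in the style of the page's answer (constructed input)."""
    lines = ["l2vpn vfi context VPLS1", " vpn id 100",
             " autodiscovery bgp signaling bgp", f"  ve id {ve_id}",
             f"  route-target import {imp}", f"  route-target export {exp}"]
    if no_auto:
        lines.append("  no auto-route-target")
    return "\n".join(lines)

def effective_rts(cfg, asn=ASN):
    """Return (import set, export set) the PE actually uses."""
    vpn_id = re.search(r"^\s*vpn id (\d+)", cfg, re.M).group(1)
    if not re.search(r"^\s*no auto-route-target\s*$", cfg, re.M):
        # Per the page: without this line the manual RTs have no effect
        # and the PE falls back to <ASN>:<VPN ID> for import and export.
        auto = {f"{asn}:{vpn_id}"}
        return auto, auto
    imp = set(re.findall(r"^\s*route-target import (\S+)", cfg, re.M))
    exp = set(re.findall(r"^\s*route-target export (\S+)", cfg, re.M))
    return imp, exp

def pseudowires(configs):
    """Assumed rule: a PW forms only when each PE imports an RT the other exports."""
    rts = {pe: effective_rts(cfg) for pe, cfg in configs.items()}
    return {frozenset((a, b)) for a, b in combinations(sorted(rts), 2)
            if rts[a][0] & rts[b][1] and rts[b][0] & rts[a][1]}

def spoke_leaks(configs, hub):
    """Pseudowires that do not terminate on the hub, i.e. break spoke isolation."""
    return sorted(tuple(sorted(pw)) for pw in pseudowires(configs) if hub not in pw)

# RT values as in the answer: R1 is the hub, R2/R3/R5 are spokes.
GOOD = {"R1": vfi(1, "65000:100", "65000:101"),
        "R2": vfi(2, "65000:101", "65000:100"),
        "R3": vfi(3, "65000:101", "65000:100"),
        "R5": vfi(5, "65000:101", "65000:100")}
# Constructed fault: R3 and R5 are missing "no auto-route-target".
BAD = dict(GOOD, R3=vfi(3, "65000:101", "65000:100", no_auto=False),
           R5=vfi(5, "65000:101", "65000:100", no_auto=False))

if __name__ == "__main__":
    print("answer config leaks:", spoke_leaks(GOOD, "R1"))
    print("faulty config leaks:", spoke_leaks(BAD, "R1"))
```

In the faulty variant the two spokes fall back to the same automatic RT, so they pair with each other and lose their pseudowire to R1, which is the isolation failure the no auto-route-target line prevents.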

Verification

On R1 we should see pseudowires with all other PEs. All other PEs should only have a pseudowire with R1.

CE1 should be able to reach all spoke CE routers, but all spokes should only be able to reach CE1.
