Comware

  • 1.  Inter-vpn routing on HPE 5900

    Posted Oct 14, 2016 04:15 AM

    Hi,

    I have a question: how to set up inter-vpn routing on HPE 5900?

     

    For instance, I want subnet 1684 (10.155.163.64/26) inside vpn-instance SIG_pub to communicate with subnet 1688 (10.155.164.128/26) inside vpn-instance SIG_med.

    The address of the switch in 1684 is 10.155.163.126 and in 1688 is 10.155.164.190.

    So I wanted to add those 2 routes:

    ip route-static vpn-instance SIG_pub 10.155.164.128 26 vpn-instance SIG_med

    ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub

    just to indicate the VPN it has to go to for the target subnet.

    I would do this way with Ericsson routers for instance.

     

    However HPE syntax wants a gateway. I do not know why.

    [ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 

                                                                                        ^

    % Incomplete command found at '^' position.

    [ToR-SW1]

     

    As with all gateways in route commands, it has to be reachable from the source, so for the 2nd command for instance, I need to specify a gateway in vpn-instance SIG_med.

    Let’s try with 10.155.164.190. The command is accepted but the route is not integrated into the routing table:

    [ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 10.155.164.190 permanent

    Route has been modified.

    [ToR-SW1]display ip routing-table vpn-instance SIG_med | i 10.155.163.

    [ToR-SW1]

     

    If I try with a gateway belonging to the target VPN (so the gw is not directly reachable!), same behavior:

    [ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 10.155.163.126 permanent

    [ToR-SW1]display ip routing-table vpn-instance SIG_med | i 10.155.163.

    [ToR-SW1]

     

     

    So now I am wondering, how to set up inter-vpn routing?

     

    If for some reason it is not possible this way (with “ip route-static vpn-instance … vpn-instance …” command), is it possible to do it with an external physical loop?

    For instance one side ‘bound’ to vpn SIG_pub, the other side ‘bound’ to vpn SIG_med.

     

    Can anyone help me on that?

    Thanks in advance

    Fabien



  • 2.  RE: Inter-vpn routing on HPE 5900

    Posted Oct 15, 2016 11:13 AM

    Howdy,

    You could use an external physical loop with a cable to connect them (ugly) or you could use a third VPN as a sort of DMZ between the two and keep some control.

    The term to get familiar with is called "route leaking" and that's basically allowing certain VPNs to purposefully have access to others by manipulating the route distinguisher : route target combos on the VPNs.

    Have a look at this white paper on this very subject which explains what to do better than I can:

    https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-9271ENW.pdf

    Hope that suits what you are trying to do

    Cheers

    Ian
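
The route-target mechanism described in the reply above, as a small Python model (an added example, not from the thread or the HPE white paper): it computes which prefixes each vpn-instance would learn, so a leak design can be checked for unintended reachability before it is configured. The route-target values, the DMZ prefix and every name in the code are constructed, and the model assumes imported routes are not re-exported.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class Vrf:
    name: str
    local: list        # prefixes attached to this vpn-instance
    export_rt: set     # route targets stamped on routes it exports
    import_rt: set     # route targets it accepts

def leaked_routes(vrfs):
    """Return {vrf: {prefix: origin_vrf}} for routes learned from other VRFs.

    Model assumption: only locally attached prefixes are exported;
    imported routes are not re-exported.
    """
    table = {v.name: {} for v in vrfs}
    for src in vrfs:
        for dst in vrfs:
            if src is not dst and src.export_rt & dst.import_rt:
                for p in src.local:
                    table[dst.name][str(ip_network(p))] = src.name
    return table

def can_talk(vrfs, a, b):
    """Traffic flows only if each side holds a route into the other."""
    t = leaked_routes(vrfs)
    return b in t[a].values() and a in t[b].values()

PUB = "10.155.163.64/26"    # subnet 1684, from the thread
MED = "10.155.164.128/26"   # subnet 1688, from the thread
DMZ = "192.0.2.0/26"        # constructed prefix for the third VPN

# Constructed route-target values; the thread gives none.
DIRECT = [
    Vrf("SIG_pub", [PUB], {"65000:1"}, {"65000:1", "65000:2"}),
    Vrf("SIG_med", [MED], {"65000:2"}, {"65000:1", "65000:2"}),
]
VIA_DMZ = [
    Vrf("SIG_pub", [PUB], {"65000:1"}, {"65000:1", "65000:3"}),
    Vrf("SIG_med", [MED], {"65000:2"}, {"65000:2", "65000:3"}),
    Vrf("DMZ", [DMZ], {"65000:3"}, {"65000:1", "65000:2", "65000:3"}),
]

if __name__ == "__main__":
    for label, design in (("direct", DIRECT), ("via DMZ", VIA_DMZ)):
        print(label, leaked_routes(design),
              "pub<->med:", can_talk(design, "SIG_pub", "SIG_med"))
```

In the direct design each VPN holds the other's /26; in the third-VPN design both reach only the DMZ prefix, so traffic between them has to pass through something attached there.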



  • 3.  RE: Inter-vpn routing on HPE 5900

    Posted Oct 15, 2016 11:35 AM

    Oh I forgot to say,

    Why not try out your configuration and route leaking on the Comware Simulator rather than your production boxes?

    Have a look at this forum for where to get it from and how to set it up

    Thanks

    Ian

     



  • 4.  RE: Inter-vpn routing on HPE 5900

    Posted Oct 15, 2016 07:17 PM

    Hi Ian,

    thx for your reply.

    yes a 3rd VPN was actually my idea.

    Commands above were just for testing.

    Indeed I saw that config with the route-distinguishers, but I understood it was only with BGP. In my case all routing is static.

    Should I understand the “ip route-static vpn-instance … vpn-instance …” command from the commands reference doc I tried (my first message of this post) is usable only with BGP?

    Fabien