LAN Routing
cancel
Showing results for 
Search instead for 
Did you mean: 

Inter-vpn routing on HPE 5900

 
fab2
Occasional Advisor

Inter-vpn routing on HPE 5900

Hi,

I have a question :  How to set up inter-vpn routing on HPE 5900 ?

 

For instance, I want subnet 1684 (10.155.163.64/26) inside vpn-instance SIG_pub to communicate with subnet 1688 (10.155.164.128/26) inside vpn-instance SIG_med

Addresses of the Switch in 1684 is 10.155.163.126 and in 1688 is 10.155.164.190

So I wanted to add those 2 routes:

ip route-static vpn-instance SIG_pub 10.155.164.128 26 vpn-instance SIG_med

ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub

just to indicate the VPN it has to go to for the target subnet.

I would do this way with Ericsson routers for instance.

 

However HPE syntax wants a gateway. I do not know why.

[ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 

                                                                                    ^

% Incomplete command found at '^' position.

[ToR-SW1]

 

As all gateways in route commands, it has to be reachable from the source, so for the 2nd command for instance, I need to specify a gateway in vpn-instance SIG_med.

Let’s try with 10.155.164.190. The command is accepted but the route is not integrated into the routing table :

[ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 10.155.164.190 permanent

Route has been modified.

[ToR-SW1]display ip routing-table vpn-instance SIG_med | i 10.155.163.

[ToR-SW1]

 

If I try with a gateway belonging to the target VPN (so the gw is not ditrectly reachable !), same behavior :

[ToR-SW1]ip route-static vpn-instance SIG_med 10.155.163.64 26 vpn-instance SIG_pub 10.155.163.126 permanent

[ToR-SW1]display ip routing-table vpn-instance SIG_med | i 10.155.163.

[ToR-SW1]

 

 

So now I am wondering , how to set up inter-vpn routing ?

 

If for some reason it is not possible this way (with “ip route-static vpn-instance … vpn-instance …” command), it is possible to make it with a external physical loop ?

For instance one side ‘bound’ to vpn SIG_pub, the side side ‘bound’ to vpn SIG_med.

 

Can anyone help me on that ?

Thanks in advance

Fabien

3 REPLIES
Ian Vaughan
Honored Contributor

Re: Inter-vpn routing on HPE 5900

Howdy,

You could use an external physical loop with a cable to connect them (ugly) or you could use a third VPN as a sort of DMZ between the two and keep some control.

The term to get familiar with is called "route leaking" and that's basically allowing certain vpn's to purposefully have access to others by manipulating the route distinguisher : route target combos on the VPNs.

Have a look at this white paper on this very subject which explains what to do better than I can:

https://www.hpe.com/h20195/v2/GetPDF.aspx/4AA5-9271ENW.pdf

Hope that suits what you are trying to do

Cheers

Ian

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
Ian Vaughan
Honored Contributor

Re: Inter-vpn routing on HPE 5900

Oh I forgot to say,

WHy not try out your configuration and route leaking on the Comware Simulator rather than your production boxes

Have a look at this forum for where to get it from and how to set it up

Thanks

Ian

 

Hope that helps - please click "Thumbs up" for Kudos if it does
## ---------------------------------------------------------------------------##
Which is the only cheese that is made backwards?
Edam!
Tweets: @2techie4me
fab2
Occasional Advisor

Re: Inter-vpn routing on HPE 5900

Hi Ian,

thx for your reply.

yes a 3rd VPN was actually my idea.

Commands above were just for testing.

Indeed I saw that config with the route-distinguishers , but I understood it was only with BGP. In my case all routing is static

Should I understand the “ip route-static vpn-instance … vpn-instance …” command from the commands reference doc I tried (my first message of this post) is usable only with BGP ?

Fabien