
Hub and spoke networking scheme – H3C Technologies H3C S10500 Series Switches User Manual


Figure 56 Network diagram for basic VPN networking scheme

In Figure 56, for example, the VPN target for VPN 1 is 100:1 on the PEs, while that for VPN 2 is 200:1. The two VPN 1 sites can communicate with each other, and the two VPN 2 sites can communicate with each other. However, the VPN 1 sites cannot communicate with the VPN 2 sites.

Hub and spoke networking scheme

For a VPN where a central access control device is required and all users must communicate with each other through the access control device, the hub and spoke networking scheme can be used to implement the monitoring and filtering of user communications.

This networking scheme requires two VPN targets: one for the "hub" and the other for the "spoke".

The VPN target setting rules for VPN instances of all sites on PEs are as follows:

On spoke PEs (that is, the PEs connected with spoke sites), set the export target attribute to Spoke and the import target attribute to Hub.

On the hub PE (that is, the PE connected to the hub site), specify two interfaces or subinterfaces, one for receiving routes from spoke PEs, and the other for advertising routes to spoke PEs. Set the import target attribute of the VPN instance for the former to Spoke, and the export target attribute of the VPN instance for the latter to Hub.
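
The following is an added example, not taken from the manual: a short Python audit that checks a set of VPN instances against the target setting rules above and reports any spoke that would accept another spoke's routes directly, which would let traffic avoid the access control device at the hub site. The route-target values, instance names and role labels are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed route-target values; the page names them only "Hub" and "Spoke".
HUB_RT, SPOKE_RT = "65000:1", "65000:2"

@dataclass(frozen=True)
class VpnInstance:
    name: str
    role: str  # "spoke", "hub-in" (receives from spokes), "hub-out" (advertises to spokes)
    imports: frozenset
    exports: frozenset

def rule_violations(instances):
    """Check each instance against the page's VPN target setting rules."""
    problems = []
    for i in instances:
        if i.role == "spoke":
            if i.exports != {SPOKE_RT}:
                problems.append(f"{i.name}: export target must be Spoke only")
            if i.imports != {HUB_RT}:
                problems.append(f"{i.name}: import target must be Hub only")
        elif i.role == "hub-in" and SPOKE_RT not in i.imports:
            problems.append(f"{i.name}: must import Spoke")
        elif i.role == "hub-out" and HUB_RT not in i.exports:
            problems.append(f"{i.name}: must export Hub")
    return problems

def direct_spoke_paths(instances):
    """(exporter, importer) pairs where a spoke accepts another spoke's routes
    directly, so that traffic would not pass through the hub site."""
    spokes = [i for i in instances if i.role == "spoke"]
    return sorted((a.name, b.name) for a in spokes for b in spokes
                  if a is not b and a.exports & b.imports)

def inst(name, role, imports, exports):
    return VpnInstance(name, role, frozenset(imports), frozenset(exports))

GOOD = [
    inst("spoke1", "spoke", [HUB_RT], [SPOKE_RT]),
    inst("spoke2", "spoke", [HUB_RT], [SPOKE_RT]),
    inst("hub-in", "hub-in", [SPOKE_RT], []),
    inst("hub-out", "hub-out", [], [HUB_RT]),
]
# Same design, but spoke2 also imports the Spoke target (constructed misconfiguration).
BAD = GOOD[:1] + [inst("spoke2", "spoke", [HUB_RT, SPOKE_RT], [SPOKE_RT])] + GOOD[2:]

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, rule_violations(cfg), direct_spoke_paths(cfg))
```

With the rules followed, no spoke imports the Spoke target, so every spoke learns remote routes only through the hub's advertising instance.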