14 comments on “Hub and Spoke with BGP”

  1. Thanks a lot for your post. It helps me a lot to understand.

    I do have another question regarding Hub-Spoke.
    Between the spoke VRF on the Hub PE and the Hub CE there is an eBGP peer; the spoke VRF will advertise all BGP prefixes (only BGP) to the Hub CE by default, won't it? My question is: should I configure a policy on the Hub PE to make the spoke VRF advertise all routes which are listed in the spoke VRF routing table to the Hub CE? Because there might be other kinds of routes which need to be advertised to the Hub CE and then from the Hub CE to the hub VRF?

    Best Regards

    • Yes, I would agree. My example is fairly basic in order to illustrate the fundamental concepts. It is important for the exam to ensure full reachability to all the VRF prefixes. It is especially important to ensure that interface routes are reachable. Often a /30 or /31 is assigned to the interface and doesn’t make it into BGP. When these routes are missed, you can lose points on an entire section of the exam.

      • Sorry, I still have a question:
        “It is especially important to ensure that interface routes are reachable. Often a /30 or /31 is assigned to the interface and doesn’t make it into BGP. When these routes are missed, you can lose points on an entire section of the exam.”

        I have seen this kind of requirement a lot, for example: “please make sure that PE-CE link subnets in the customer VPN are advertised to the customer's remote VPN sites”.
        I am really confused by this kind of question, because to my understanding, the PE-CE links will not be advertised only when there are no prefixes learned from the CE; then the PE-CE links cannot be advertised. But this question also comes up when there is OSPF or BGP between PE and CE, and in this case, even if vrf-table-label is not configured, the PE-CE links are still advertised. But anyway, the answer is “to configure vrf-table-label”.

        I have left my email address there. If you do not mind, could you please send me your email address so I can email you my questions? I hope I am not being too rude. Thank you very much.

        • Hmmm, I don’t think vrf-table-label has anything to do with that. You might be confused about its function, which wouldn’t be unusual, since just about everybody is confused about vrf-table-label. I’ve been meaning to do an article on it. Meantime, just think of it this way. If the requirement says PE-CE links must be advertised, check the VRF routing table and see if they’re there. If not, export them into BGP (or OSPF or whatever.) It doesn’t need to be any more complicated than that.
          Unfortunately I don’t have time for JNCIE 1:1 coaching but you can always try the Jnet forums or techexams.net, where I am sure you can get answers to your questions.

          • Thanks a lot for your reply. I will check the question and answer again.
            Have a nice weekend!

  2. Thanks a lot for your reply. I do have several other questions. May I contact you? It is regarding RTBH.

  3. Hi All,

    How to block spoke-to-spoke communication between spokes attached to the same PE?

    Both spoke CEs are on a shared LAN connected to the PE via a single interface.


  4. Nice post.

    What is the issue you refer to with route reflectors? I just tested BGP H&S with off-path route reflector and it worked OK providing loops 5 was also configured on the RR. Anything else we need to watch for?


    • Thanks for the kind word. Seeing as this article is a couple years old and I’m back at Cisco, I can’t really answer that. I haven’t configured H/S VPN for a long time, or even a Junos device. I had planned a follow-up article that never happened. If it’s working for you then great!

  5. Hi

    I have a problem with Hub and Spoke when using a Route Reflector in my network.

    I can see that Hub is indeed advertising all prefixes from other sites to Route reflector, so no problems with as-loops etc. However, route reflector also receives these routes from those specific Sites as well, so it does not install other site routes coming from the Hub. And as a result Site A doesn’t have the Route of Site B or C because of vrf-import not matching.

    I would appreciate any advice on how to solve this problem. I tried _family route-target_ but failed miserably.


    • Thanks for the comment. Unfortunately, I passed the JNCIE in 2014, wrote the article in 2015, left for Cisco in 2015, and haven’t touched a Juniper device since. I remember H/S got tricky with route reflectors but I don’t remember the details and I wouldn’t know the Juniper CLI anyways. Best of luck to you.

    • If RR is not recognizing the routes as unique then check the route distinguisher. Each VRF on each PE should have a unique RD that gets prepended to the IP prefix, thus making the route unique.
