Configuring overlay and routing
Interconnecting regions allows for communication between edge devices in different regions.
We will interconnect the regions by using a mix of CLI Templates and ad-hoc CLI Scripts. A full mesh of overlay tunnels must be built between all the Regional Hubs, over each available underlay transport.
We will establish an EBGP session over each tunnel, in order to exchange regional summaries between the Hubs. The Hubs will then advertise these summaries further to their local Edge devices. The following figure shows an example of end-to-end advertisement of a particular LAN prefix between the two regions:
As a result, inter-regional connectivity will be provided via the Regional Hubs.
Following is a summary of how to configure overlay and routing:
- Create a CLI template to summarize and advertise the region’s LAN network. See Creating a CLI Template.
These network summaries are exchanged via eBGP sessions between the regional hubs.
- Add the new CLI template to the hub CLI template group, and install the group. See Adding CLI templates to the CLI Template Group and installing.
- Create 3 CLI scripts (one for each hub) to configure the inter-hub IPSec tunnels. See Creating CLI scripts.
The IPSec tunnels secure the data and eBGP sessions between the regional hubs.
- Run each of the 3 CLI scripts against their respective hubs. See Running CLI scripts.
Creating a CLI Template
This simple template adds the following configuration:
- It generates an aggregate route for the regional summary (as defined by the lan-summary Meta Field). This route will be advertised to the remote regions.
- It creates an access list matching this summary, and defines a route-map HUB2HUB_OUT that instructs BGP to advertise only this summary. This route-map will be applied to the inter-regional EBGP peerings, as shown in the CLI scripts below.
To create a CLI Template:
- Create (or import) a new CLI Template called 04-Hub-Routing-MultiRegion with the following content:
config router bgp
config aggregate-address
edit 1
set prefix $(lan-summary)
next
end
end
config router access-list
edit "REGION_SUMMARY"
config rule
edit 1
set prefix $(lan-summary)
set exact-match enable
next
end
next
end
config router route-map
edit "HUB2HUB_OUT"
config rule
edit 1
set match-ip-address "REGION_SUMMARY"
next
edit 100
set action deny
next
end
next
end
Adding CLI templates to the CLI Template Group and installing
To add CLI Templates to a CLI Template Group:
- Add the new CLI template to the group Hub-Template created earlier.
- Install the configuration on all the Hubs by using the Quick Install (Device DB) method.
Creating CLI scripts
Now we will use CLI Scripts to create all the necessary IPSEC tunnels between the Hubs. We will add a CLI script per Hub.
Each script will configure the following:
- Two new loopback interfaces (lo-BGP_INET and lo-BGP_MPLS) will be used for EBGP session termination between the Hubs. (Note that we use a separate loopback for each type of overlay.)
- IPSEC tunnels to the remote Hubs, over each available underlay transport. In our example, Region 2 Hub will build two tunnels to each of the Region 1 Hubs (4 tunnels in total). Note that each IPSEC tunnel uses the exchange-ip-addr4 feature to let the remote Hub inject the route to the loopback address (added above). This guarantees that the loopback addresses are reachable between the Hubs.
- All the newly added IPSEC tunnels are grouped into a new System Zone called hub2hub-overlay.
- EBGP session over each of the above IPSEC tunnels, terminated on one of the loopback interfaces added above. This session will use HUB2HUB_OUT route-map added earlier, in order to advertise only the regional summary route to the remote Hubs.
- Policy routes to extend overlay stickiness across the regions. This is to ensure that when a local Edge device selects a certain type of overlay (for example, overlay over the Internet), the traffic continues on its way to the remote region via the same type of overlay. Note that the remote Hub will also have its own policy routes in place, ensuring that the traffic continues on its last hop towards the target Edge device by using the same type of overlay as well. Hence, this way we achieve an end-to-end overlay stickiness.
To create the CLI scripts:
- In Device Manager, navigate to Scripts, and create (or import) the CLI scripts.
Following is the content of the CLI scripts for each of the 3 Hubs in our example.
site1-H1 (Region 1, Primary Hub)
config system interface
edit "lo-BGP_INET"
set vdom "root"
set ip 10.201.0.1 255.255.255.255
set allowaccess ping
set type loopback
next
edit "lo-BGP_MPLS"
set vdom "root"
set ip 10.202.0.1 255.255.255.255
set allowaccess ping
set type loopback
next
end
config vpn ipsec phase1-interface
edit "SITE2-H1_INET"
set interface port1
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 100.64.3.1
set exchange-ip-addr4 10.201.0.1
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
edit "SITE2-H1_MPLS"
set interface port4
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 172.16.3.5
set exchange-ip-addr4 10.202.0.1
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
end
config vpn ipsec phase2-interface
edit "SITE2-H1_INET"
set phase1name "SITE2-H1_INET"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
edit "SITE2-H1_MPLS"
set phase1name "SITE2-H1_MPLS"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
end
config system zone
edit hub2hub-overlay
set interface "SITE2-H1_INET" "SITE2-H1_MPLS"
next
end
config router bgp
config neighbor
edit 10.201.0.3
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_INET"
set update-source "lo-BGP_INET"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65002
next
edit 10.202.0.3
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_MPLS"
set update-source "lo-BGP_MPLS"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65002
next
end
end
config router policy
edit 11
set input-device "EDGE_INET"
set output-device "SITE2-H1_INET"
set dst 10.0.0.0/8
next
edit 12
set input-device "SITE2-H1_INET"
set output-device "EDGE_INET"
set dst 10.0.0.0/8
next
edit 13
set input-device "EDGE_MPLS"
set output-device "SITE2-H1_MPLS"
set dst 10.0.0.0/8
next
edit 14
set input-device "SITE2-H1_MPLS"
set output-device "EDGE_MPLS"
set dst 10.0.0.0/8
next
end
site1-H2 (Region 1, Secondary Hub)
config system interface
edit "lo-BGP_INET"
set vdom "root"
set ip 10.201.0.2 255.255.255.255
set allowaccess ping
set type loopback
next
edit "lo-BGP_MPLS"
set vdom "root"
set ip 10.202.0.2 255.255.255.255
set allowaccess ping
set type loopback
next
end
config vpn ipsec phase1-interface
edit "SITE2-H1_INET"
set interface port1
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 100.64.3.1
set exchange-ip-addr4 10.201.0.2
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
edit "SITE2-H1_MPLS"
set interface port4
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 172.16.3.5
set exchange-ip-addr4 10.202.0.2
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
end
config vpn ipsec phase2-interface
edit "SITE2-H1_INET"
set phase1name "SITE2-H1_INET"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
edit "SITE2-H1_MPLS"
set phase1name "SITE2-H1_MPLS"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
end
config system zone
edit hub2hub-overlay
set interface "SITE2-H1_INET" "SITE2-H1_MPLS"
next
end
config router bgp
config neighbor
edit 10.201.0.3
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_INET"
set update-source "lo-BGP_INET"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65002
next
edit 10.202.0.3
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_MPLS"
set update-source "lo-BGP_MPLS"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65002
next
end
end
config router policy
edit 11
set input-device "EDGE_INET"
set output-device "SITE2-H1_INET"
set dst 10.0.0.0/8
next
edit 12
set input-device "SITE2-H1_INET"
set output-device "EDGE_INET"
set dst 10.0.0.0/8
next
edit 13
set input-device "EDGE_MPLS"
set output-device "SITE2-H1_MPLS"
set dst 10.0.0.0/8
next
edit 14
set input-device "SITE2-H1_MPLS"
set output-device "EDGE_MPLS"
set dst 10.0.0.0/8
next
end
site2-H1 (Region 2, Hub)
config system interface
edit "lo-BGP_INET"
set vdom "root"
set ip 10.201.0.3 255.255.255.255
set allowaccess ping
set type loopback
next
edit "lo-BGP_MPLS"
set vdom "root"
set ip 10.202.0.3 255.255.255.255
set allowaccess ping
set type loopback
next
end
config vpn ipsec phase1-interface
edit "SITE1-H1_INET"
set interface port1
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 100.64.1.1
set exchange-ip-addr4 10.201.0.3
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
edit "SITE1-H1_MPLS"
set interface port4
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 172.16.1.5
set exchange-ip-addr4 10.202.0.3
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
edit "SITE1-H2_INET"
set interface port1
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 100.64.2.1
set exchange-ip-addr4 10.201.0.3
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
edit "SITE1-H2_MPLS"
set interface port4
set ike-version 2
set authmethod signature
set keylife 28800
set peertype any
set proposal aes256-sha256
set add-route disable
set remote-gw 172.16.2.5
set exchange-ip-addr4 10.202.0.3
set exchange-interface-ip enable
set certificate "Hub"
set dpd-retrycount 3
set dpd-retryinterval 5
set dpd on-idle
next
end
config vpn ipsec phase2-interface
edit "SITE1-H1_INET"
set phase1name "SITE1-H1_INET"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
edit "SITE1-H1_MPLS"
set phase1name "SITE1-H1_MPLS"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
edit "SITE1-H2_INET"
set phase1name "SITE1-H2_INET"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
edit "SITE1-H2_MPLS"
set phase1name "SITE1-H2_MPLS"
set proposal aes256-sha256
set keepalive enable
set keylifeseconds 3600
next
end
config system zone
edit hub2hub-overlay
set interface "SITE1-H1_INET" "SITE1-H1_MPLS" "SITE1-H2_INET" "SITE1-H2_MPLS"
next
end
config router bgp
config neighbor
edit 10.201.0.1
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_INET"
set update-source "lo-BGP_INET"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65001
next
edit 10.202.0.1
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_MPLS"
set update-source "lo-BGP_MPLS"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65001
next
edit 10.201.0.2
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_INET"
set update-source "lo-BGP_INET"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65001
next
edit 10.202.0.2
set ebgp-enforce-multihop enable
set soft-reconfiguration enable
set advertisement-interval 1
set link-down-failover enable
set interface "lo-BGP_MPLS"
set update-source "lo-BGP_MPLS"
set route-map-out "HUB2HUB_OUT"
set connect-timer 1
set remote-as 65001
next
end
end
config router policy
edit 11
set input-device "EDGE_INET"
set output-device "SITE1-H1_INET"
set dst 10.0.0.0/8
next
edit 12
set input-device "SITE1-H1_INET"
set output-device "EDGE_INET"
set dst 10.0.0.0/8
next
edit 13
set input-device "EDGE_MPLS"
set output-device "SITE1-H1_MPLS"
set dst 10.0.0.0/8
next
edit 14
set input-device "SITE1-H1_MPLS"
set output-device "EDGE_MPLS"
set dst 10.0.0.0/8
next
edit 15
set input-device "EDGE_INET"
set output-device "SITE1-H2_INET"
set dst 10.0.0.0/8
next
edit 16
set input-device "SITE1-H2_INET"
set output-device "EDGE_INET"
set dst 10.0.0.0/8
next
edit 17
set input-device "EDGE_MPLS"
set output-device "SITE1-H2_MPLS"
set dst 10.0.0.0/8
next
edit 18
set input-device "SITE1-H2_MPLS"
set output-device "EDGE_MPLS"
set dst 10.0.0.0/8
next
end
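The three scripts above differ only in per-hub values (underlay gateways, loopbacks, neighbor addresses, AS numbers). As an added example, not part of the guide or of FortiManager, the following Python generator renders the tunnel, zone, BGP-neighbor and policy-route stanzas of each script from a single hub inventory, so that the loopback a hub injects with exchange-ip-addr4 and the neighbor address its peer configures always agree. The inventory values, interface names (port1, port4, EDGE_INET, EDGE_MPLS) and object names are taken from the page.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hub:
    name: str      # tunnel-name prefix used by the remote side, e.g. "SITE2-H1"
    region: int
    asn: int
    inet_gw: str   # underlay address reached via port1 (Internet)
    mpls_gw: str   # underlay address reached via port4 (MPLS)
    lo_inet: str   # lo-BGP_INET address
    lo_mpls: str   # lo-BGP_MPLS address

# Inventory taken from the page's three scripts.
HUBS = [Hub("SITE1-H1", 1, 65001, "100.64.1.1", "172.16.1.5", "10.201.0.1", "10.202.0.1"),
        Hub("SITE1-H2", 1, 65001, "100.64.2.1", "172.16.2.5", "10.201.0.2", "10.202.0.2"),
        Hub("SITE2-H1", 2, 65002, "100.64.3.1", "172.16.3.5", "10.201.0.3", "10.202.0.3")]
# (tag, underlay port, underlay gw field, loopback field, loopback name, edge overlay)
TRANSPORTS = (("INET", "port1", "inet_gw", "lo_inet", "lo-BGP_INET", "EDGE_INET"),
              ("MPLS", "port4", "mpls_gw", "lo_mpls", "lo-BGP_MPLS", "EDGE_MPLS"))

def peers(hub, hubs=HUBS):
    """Tunnels are built only towards hubs of other regions (cross-region full mesh)."""
    return [h for h in hubs if h.region != hub.region]

def render(hub, hubs=HUBS):
    """Render tunnel, zone, BGP-neighbor and policy-route stanzas for one hub.
    Keylife and DPD settings are not emitted here and stay at the device defaults."""
    p1, p2, zone, nbr, pol, pid = [], [], [], [], [], 11
    for r in peers(hub, hubs):
        for tag, port, gw, lo, lo_if, edge in TRANSPORTS:
            t = f"{r.name}_{tag}"
            p1 += [f' edit "{t}"', f"  set interface {port}", "  set ike-version 2",
                   "  set authmethod signature", "  set peertype any", "  set proposal aes256-sha256",
                   "  set add-route disable", f"  set remote-gw {getattr(r, gw)}",
                   # inject our own loopback at the peer so the EBGP session has a route to us
                   f"  set exchange-ip-addr4 {getattr(hub, lo)}", "  set exchange-interface-ip enable",
                   '  set certificate "Hub"', " next"]
            p2 += [f' edit "{t}"', f'  set phase1name "{t}"', "  set proposal aes256-sha256", " next"]
            zone.append(f'"{t}"')
            nbr += [f" edit {getattr(r, lo)}", "  set ebgp-enforce-multihop enable",
                    f'  set interface "{lo_if}"', f'  set update-source "{lo_if}"',
                    '  set route-map-out "HUB2HUB_OUT"', f"  set remote-as {r.asn}", " next"]
            for src, dst in ((edge, t), (t, edge)):  # overlay stickiness, both directions
                pol += [f" edit {pid}", f'  set input-device "{src}"',
                        f'  set output-device "{dst}"', "  set dst 10.0.0.0/8", " next"]
                pid += 1
    return "\n".join(["config vpn ipsec phase1-interface", *p1, "end",
                      "config vpn ipsec phase2-interface", *p2, "end",
                      "config system zone", " edit hub2hub-overlay", f"  set interface {' '.join(zone)}",
                      " next", "end", "config router bgp", " config neighbor", *nbr, " end", "end",
                      "config router policy", *pol, "end"])
```

Running `print(render(HUBS[2]))` reproduces the site2-H1 stanzas with four tunnels and policy routes 11 to 18, while the Region 1 hubs each get two tunnels and routes 11 to 14.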
Running CLI scripts
To run CLI scripts:
- Run the CLI scripts on the respective Hubs (one script per Hub).