This article describes how to configure a Spoke-Hub-Hub-Spoke (SHHS) topology through the Versa Director GUI. Topology A is used as the reference for the SHHS configuration. In a Spoke-Hub-Hub-Spoke setup, three different transport domains (networks) connect the topology: Transport Domain id 30 for SPOKE1 & SPOKE2 to HUB1 (MPLS1), Transport Domain id 20 for HUB1 to HUB2 (Internet) connectivity, and Transport Domain id 35 for SPOKE3 & SPOKE4 to HUB2 (MPLS2). The Controller is reachable via the Hub only (refer to the KB for the Controller-behind-HUB setup). There is no direct communication between two spokes of different spoke groups; HUB1 and HUB2 act as transit for communication between the two spoke groups.

 

Setup Details

 

Pre-requisite

  • Versa Director and Controller are already deployed. You should be familiar with Workflow Templates and branch onboarding.

Configuration

1.    Configuring Hub1 Template

  • In Versa Director, select Configuration > Workflow > Templates > Create Template. Fill in the required information and make sure the (key value) Device type is HUB.
  • Under Interfaces, assign the WAN and LAN interfaces. Adding a LAN interface makes the workflow create LAN-VR (to install routes on the HUB) and LAN-VR-EXPORT (to advertise routes learned in LAN-VR to the Controller with next-hop-self) on the HUB; this is required for the HUBs to be transit for SHHS.

 


 

  • Network Name INT is mapped to the Internet (default) TRANSPORT DOMAIN id 20, connecting HUB1 to the Controller and HUB2. The Controller WAN interface is also mapped to Transport Domain id 20. Configure Network MPLS-HUB1, mapped to HUB1-MPLS Transport Domain id 35, connecting HUB1 and SPOKE1 and SPOKE2.
  • Select Continue and Create Template.





Following the workflow template, create the device under Configuration > Workflow > Devices > + Add Device, and the Device Group, for HUB1 staging.

2.    Configuring Hub 2 Template

  • In Versa Director, select Configuration > Workflow > Templates > Create Template. Fill in the required information and make sure the (key value) Device type is HUB.
  • Under Interfaces, assign the WAN and LAN interfaces. Adding a LAN interface makes the workflow create LAN-VR (to install routes on the HUB) and LAN-VR-EXPORT (to advertise routes learned in LAN-VR to the Controller with next-hop-self) on the HUB; this is required for the HUBs to be transit for SHHS.



  • Use the same Network INT (the Network Name can be different, but the TRANSPORT DOMAIN id should be the same as on HUB1 and the Controller), mapped to the Internet (default) Transport Domain id 20, connecting HUB2 to the Controller and HUB1. Configure Network MPLS-HUB2, mapped to HUB2-MPLS Transport Domain id 35, connecting HUB2 and SPOKE3 & SPOKE4.
  • Select Continue and Create Template.



Follow the workflow template to create the Device.

3.    Configure Hubs to install routes from the peer Hub and advertise them to their Spoke Groups

·     Hub1

  • Go to Configuration > Device-Template and select Hub1.
  • To install the routes advertised via Hub2 in LAN-VR, go to routing instance DUN-SubOrg-LAN-VR and add the Hub2 route target value target:16036L:106 in “VRF Import Target”. (To get the Hub2 RT, go to Hub2 > Virtual Router > Export VR “DUN-SubOrg-LAN-VR-Export” and find it under “VRF Export Target target”.)
  • Multiple route targets (in the multi-HUB case) can be defined, separated by spaces, as shown in the screenshot (target:16036L:107 is a dummy value).


§  A redistribution policy created by the workflow, “To-DUN-SubOrg-LAN-VR-Export”, already exists. It is configured in LAN-VR and called in LAN-Export-VR to export BGP routes from LAN-VR to LAN-Export-VR on HUB1.

§  HUB1 advertises these routes from LAN-Export-VR to the Controller (RR) with next-hop-self, but this can cause a routing loop, because HUB1 will be advertising HUB2 and its spoke group routes as its own.

§  To avoid this, add one more term to the redistribution policy “To-DUN-SubOrg-LAN-VR-Export” in DUN-SubOrg-LAN-VR that matches routes learned via Hub2 and adds a specific community when exporting them to LAN-Export-VR of HUB1.

§  First, create a prefix list to match the HUB2 routes.

 

§  In the redistribution policy To-DUN-SubOrg-LAN-VR-Export, add one more term (PEER-HUB) on top and call the prefix list PEER-HUB. You can also use a Community/Extended Community in place of the Prefix Filter.

 


§  Add a community in the action and accept. We have set community 8889:1 for HUB2 routes in HUB1 (on HUB2, set it to 8880:1 for HUB1 routes).

 



§  In routing instance DUN-SubOrg-Control-VR on Hub1, edit BGP > Import-From-SDWAN-policy and add a term (Reject-Loop) on top to reject the Hub1 and its spoke group (1/2) routes exported by Hub2.

§  Use the community configured on HUB2 for HUB1 routes to match and reject them.

 

 


· HUB 2

§  On Hub2, follow the same steps as on Hub1. Add the VRF import target of Hub1 to install the Hub1-advertised routes in the Hub2 LAN-VR.

 


§  Set a specific community on HUB1 routes when exporting to LAN-Export-VR.

 



§  Reject the Hub2 and its spoke group routes exported by Hub1.
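The following added example (not part of the original article and not Versa configuration) models the PEER-HUB and Reject-Loop terms described for Hub1 and Hub2, to show which routes come back to a hub when the reject term is missing. The prefixes and community values are the ones used on this page; the data structures and function names are assumptions, and each hub's spoke prefixes are treated as locally originated for simplicity.

```python
# Added sketch, not Versa configuration: a simplified model of the PEER-HUB
# and Reject-Loop terms. Prefixes and communities are taken from this page;
# the data structures and function names are assumptions.
OWN = {
    "HUB1": ["192.168.56.0/24", "192.168.77.0/24", "192.168.88.0/24"],
    "HUB2": ["192.168.99.0/24", "192.168.109.0/24", "192.168.129.0/24"],
}
PEER = {"HUB1": "HUB2", "HUB2": "HUB1"}
# Community each hub's PEER-HUB term sets on routes learned from its peer hub.
TAG_SET_BY = {"HUB1": "8889:1", "HUB2": "8880:1"}


def export(hub, lan_vr):
    """LAN-VR -> LAN-VR-Export: next-hop-self; PEER-HUB tags peer-hub routes."""
    adverts = []
    for prefix, next_hop in lan_vr.items():
        comms = {TAG_SET_BY[hub]} if next_hop == PEER[hub] else set()
        adverts.append({"prefix": prefix, "next_hop": hub, "communities": comms})
    return adverts


def import_from_sdwan(hub, adverts, reject_loop):
    """Control-VR import: Reject-Loop drops routes carrying the peer's tag."""
    accepted = {}
    for adv in adverts:
        if reject_loop and TAG_SET_BY[PEER[hub]] in adv["communities"]:
            continue  # this hub's own group routes, reflected back by the peer
        accepted[adv["prefix"]] = adv["next_hop"]
    return accepted


def looped_prefixes(reject_loop, rounds=3):
    """Own-group prefixes that each hub ends up accepting via its peer hub."""
    local = {h: {p: "local" for p in OWN[h]} for h in OWN}
    via_peer = {h: {} for h in OWN}
    for _ in range(rounds):
        # Locally originated routes win over the same prefix learned via peer.
        adverts = {h: export(h, {**via_peer[h], **local[h]}) for h in OWN}
        for hub in OWN:
            via_peer[hub] = import_from_sdwan(hub, adverts[PEER[hub]], reject_loop)
    return {h: sorted(set(via_peer[h]) & set(OWN[h])) for h in OWN}


if __name__ == "__main__":
    print("without Reject-Loop:", looped_prefixes(reject_loop=False))
    print("with Reject-Loop:   ", looped_prefixes(reject_loop=True))
```

Without the reject term, each hub accepts its own group's prefixes back with the peer hub as next hop; with it, both lists are empty.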

 

 

 

4.    Configure Hub to be transit for Spoke and Controller Communication.

  • Follow this KB LINK to set up Hub1 and Hub2 as transit routers for Controller reachability of their peer Spokes (Spoke Group).

5.    Configuring Spoke Groups

  • We need to create two Spoke Groups, each grouping the Spokes on the same TRANSPORT DOMAIN and mapping them to their HUB. Select Configuration > Workflow > Spoke Groups > + Add. We selected the (key value) Spoke Group type Spoke to Spoke Via Hub. Set the HUB priority to 1.
  • In the multiple-hub case (here HUB 2 is in a different TRANSPORT DOMAIN), you can assign different priorities to make one hub preferred over the other for traffic forwarded to or via it.



 

6.    Configuring Spoke Templates

  • SPOKE1 & SPOKE2 and SPOKE3 & SPOKE4 in the topology are mapped to Spoke Groups HUB1-GROUP and HUB2-GROUP respectively.
  • Create the Spoke template under Configuration > Workflow > Templates > Create Template. Fill in the required information, make sure the (key value) Device type is Spoke, and select the Spoke Group from the drop-down.


  • The WAN Network Name SG-MPLS is mapped to two Transport Domains: id 30, created on HUB1, and the Internet (default) Transport Domain id 20.
  • The Branch and the Controller are in different Transport Domains (different ids). The workflow requires at least one interface on the branch to be in the same Transport Domain as the Controller WAN interface, so we have to add two Transport Domains on the Branch WAN interface. Internet is the same Transport Domain, id 20, that is mapped to the Controller WAN link; adding it pushes the Controller WAN Internet link IP address into the SPOKE template configuration for post-staging reachability.
  • Under Interfaces, assign the WAN and LAN interfaces, then click Continue and Create Template.

  • Follow the workflow template to create the Device.
  • Follow the same steps to create Spoke 2. The Spoke Group will be HUB1-GROUP and the WAN interface network name will be SG-MPLS.

7.    Configuring Spoke 3 & Spoke 4

  • The WAN Network Name SG-MPLS2 is mapped to two Transport Domains: id 35, created on HUB1, and the Internet (default) Transport Domain id 20.


  • Follow the workflow template to create the Device.
  • Follow the same steps to create Spoke3. The Spoke Group will be HUB1-GROUP and the WAN interface network name will be SG-MPLS2.
  • Check the HUB and Spoke status post-staging under Administration > Appliances.

 

8.    Reachability Validation

#HUB1: 

“LAN-VR” and “LAN-VR-Export” on the HUB will have routes for the spoke subnets. The Hub acts as the transit router for all spoke-to-spoke communication.

admin@HUB1-cli> show route routing-instance DUN-SubOrg-LAN-VR-Export

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    RTI  +192.168.77.0/24     0.0.0.0         2d23h10m Indirect

BGP    RTI  +192.168.88.0/24     0.0.0.0         2d23h10m Indirect

BGP    RTI  +192.168.99.0/24     0.0.0.0         2d23h11m Indirect

BGP    RTI  +192.168.109.0/24    0.0.0.0         2d23h11m Indirect

BGP    RTI  +192.168.129.0/24    0.0.0.0         2d23h11m Indirect

 admin@HUB1-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

conn   N/A  +169.254.0.2/31      0.0.0.0         2d23h20m tvi-0/603.0

local  N/A  +169.254.0.3/32      0.0.0.0         2d23h20m directly connected

conn   N/A  +192.168.56.0/24     0.0.0.0         2d23h11m vni-0/2.0

local  N/A  +192.168.56.1/32     0.0.0.0         2d23h11m directly connected

BGP    N/A  +192.168.77.0/24     10.4.64.103     2d23h11m Indirect

BGP    N/A  +192.168.88.0/24     10.4.64.105     2d23h11m Indirect

BGP    N/A  +192.168.99.0/24     10.4.64.106     2d23h11m Indirect

BGP    N/A  +192.168.109.0/24    10.4.64.106     2d23h11m Indirect

BGP    N/A  +192.168.129.0/24    10.4.64.106     2d23h11m Indirect

admin@HUB1-cli> show interfaces brief

tvi-0/16.0   n/a                up     up     2       DUN-SubOrg-Control-VR   10.4.0.104/32

tvi-0/17.0   n/a                up     up     2       DUN-SubOrg-Control-VR   10.4.64.104/32

tvi-0/602.0  n/a                up     up     2       INT-Transport-VR        169.254.0.2/31

tvi-0/603.0  n/a                up     up     2       DUN-SubOrg-LAN-VR       169.254.0.3/31

tvi-0/604.0  n/a                up     up     2       INT-Transport-VR        169.254.0.4/31

tvi-0/605.0  n/a                up     up     2       MPLS-HUB1-Transport-VR  169.254.0.5/31

vni-0/0.0    52:54:00:ac:f4:70  up     up     2       INT-Transport-VR        192.168.50.10/24

vni-0/1.0    52:54:00:df:7f:3b  up     up     2       MPLS-HUB1-Transport-VR  192.168.51.10/24

vni-0/2.0    52:54:00:a3:cd:d0  up     up     2       DUN-SubOrg-LAN-VR       192.168.56.1/24 


 #SPOKE1:

Spoke1 will have all routes with next hop as HUB1 tvi-0/17 (.104).

admin@SPOKE1-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    N/A  +192.168.56.0/24     10.4.64.104     2d23h06m Indirect

conn   N/A  +192.168.77.0/24     0.0.0.0         5d15h16m vni-0/2.10

local  N/A  +192.168.77.1/32     0.0.0.0         5d15h16m directly connected

BGP    N/A  +192.168.88.0/24     10.4.64.104     2d23h06m Indirect

BGP    N/A  +192.168.99.0/24     10.4.64.104     2d23h06m Indirect

BGP    N/A  +192.168.109.0/24    10.4.64.104     2d23h06m Indirect

BGP    N/A  +192.168.129.0/24    10.4.64.104     2d23h06m Indirect 


 

admin@SPOKE1-cli> show interfaces brief

tvi-0/16.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.0.103/32

tvi-0/17.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.64.103/32

vni-0/1.0   52:54:00:1a:9b:e6  up     up     2       SG-MPLS1-Transport-VR  192.168.71.1/24

vni-0/2.10  52:54:00:e8:96:34  up     up     2       DUN-SubOrg-LAN-VR      192.168.77.1/24 


#SPOKE2:

Similarly, Spoke2 will have all routes with next hop as HUB1 tvi-0/17 (.104).

admin@SPOKE2-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    N/A  +192.168.56.0/24     10.4.64.104     2d23h08m Indirect

BGP    N/A  +192.168.77.0/24     10.4.64.104     2d23h08m Indirect

conn   N/A  +192.168.88.0/24     0.0.0.0         5d15h22m vni-0/2.0

local  N/A  +192.168.88.1/32     0.0.0.0         5d15h22m directly connected

BGP    N/A  +192.168.99.0/24     10.4.64.104     2d23h08m Indirect

BGP    N/A  +192.168.109.0/24    10.4.64.104     2d23h08m Indirect

BGP    N/A  +192.168.129.0/24    10.4.64.104     2d23h08m Indirect


admin@SPOKE2-cli> show interfaces brief

tvi-0/16.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.0.105/32

tvi-0/17.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.64.105/32

vni-0/1.0   52:54:00:4b:65:2f  up     up     2       SG-MPLS1-Transport-VR  192.168.81.1/24

vni-0/2.0   52:54:00:26:f0:e4  up     up     2       DUN-SubOrg-LAN-VR      192.168.88.1/24 


#HUB2: 

“LAN-VR” and “LAN-VR-Export” on the HUB will have routes for the spoke subnets. The Hub acts as the transit router for all spoke-to-spoke communication.

admin@HUB1-cli> show route routing-instance DUN-SubOrg-LAN-VR-Export

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    RTI  +192.168.56.0/24     0.0.0.0         2d23h22m Indirect

BGP    RTI  +192.168.77.0/24     0.0.0.0         2d23h22m Indirect

BGP    RTI  +192.168.88.0/24     0.0.0.0         2d23h22m Indirect

BGP    RTI  +192.168.109.0/24    0.0.0.0         2d23h37m Indirect

BGP    RTI  +192.168.129.0/24    0.0.0.0         2d23h35m Indirect

 

admin@HUB1-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    N/A  +192.168.56.0/24     10.4.64.104     2d23h22m Indirect

BGP    N/A  +192.168.77.0/24     10.4.64.104     2d23h22m Indirect

BGP    N/A  +192.168.88.0/24     10.4.64.104     2d23h22m Indirect

conn   N/A  +192.168.99.0/24     0.0.0.0         2d23h42m vni-0/2.0

local  N/A  +192.168.99.1/32     0.0.0.0         2d23h42m directly connected

BGP    N/A  +192.168.109.0/24    10.4.64.107     2d23h37m Indirect

BGP    N/A  +192.168.129.0/24    10.4.64.108     2d23h35m Indirect 


admin@HUB1-cli> show interfaces brief

tvi-0/16.0   n/a                up     up     2       DUN-SubOrg-Control-VR   10.4.0.106/32

tvi-0/17.0   n/a                up     up     2       DUN-SubOrg-Control-VR   10.4.64.106/32

tvi-0/602.0  n/a                up     up     2       INT-Transport-VR        169.254.0.2/31

tvi-0/603.0  n/a                up     up     2       DUN-SubOrg-LAN-VR       169.254.0.3/31

tvi-0/604.0  n/a                up     up     2       INT-Transport-VR        169.254.0.4/31

tvi-0/605.0  n/a                up     up     2       MPLS-HUB2-Transport-VR  169.254.0.5/31

vni-0/0.0    52:54:00:5a:e4:e4  up     up     2       INT-Transport-VR        192.168.90.1/24

vni-0/1.0    52:54:00:52:b0:e3  up     up     2       MPLS-HUB2-Transport-VR  192.168.91.1/24

vni-0/2.0    52:54:00:85:84:75  up     up     2       DUN-SubOrg-LAN-VR       192.168.99.1/24


 #SPOKE3:

Spoke3 will have all routes with next hop as HUB2 tvi-0/17 (.106).

admin@SPOKE1-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    N/A  +192.168.56.0/24     10.4.64.106     2d23h24m Indirect

BGP    N/A  +192.168.77.0/24     10.4.64.106     2d23h24m Indirect

BGP    N/A  +192.168.88.0/24     10.4.64.106     2d23h24m Indirect

BGP    N/A  +192.168.99.0/24     10.4.64.106     2d23h40m Indirect

conn   N/A  +192.168.109.0/24    0.0.0.0         2d23h40m vni-0/2.0

local  N/A  +192.168.109.1/32    0.0.0.0         2d23h40m directly connected

BGP    N/A  +192.168.129.0/24    10.4.64.106     2d23h37m Indirect


admin@SPOKE1-cli> show interfaces brief

NAME        MAC                OPER   ADMIN  TENANT  VRF                    IP

-----------------------------------------------------------------------------------------------

tvi-0/16.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.0.107/32

tvi-0/17.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.64.107/32

vni-0/1.0   52:54:00:61:25:6e  up     up     2       SG-MPLS2-Transport-VR  192.168.101.1/24

vni-0/2.0   52:54:00:5c:be:e1  up     up     2       DUN-SubOrg-LAN-VR      192.168.109.1/24


#SPOKE4:

Similarly, Spoke4 will have all routes with next hop as HUB2 tvi-0/17 (.106).

admin@SPOKE2-cli> show route routing-instance DUN-SubOrg-LAN-VR

Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name

----   ----  -----------------   --------        ---      --------------

BGP    N/A  +192.168.56.0/24     10.4.64.106     2d23h25m Indirect

BGP    N/A  +192.168.77.0/24     10.4.64.106     2d23h25m Indirect

BGP    N/A  +192.168.88.0/24     10.4.64.106     2d23h25m Indirect

BGP    N/A  +192.168.99.0/24     10.4.64.106     2d23h39m Indirect

BGP    N/A  +192.168.109.0/24    10.4.64.106     2d23h39m Indirect

conn   N/A  +192.168.129.0/24    0.0.0.0         2d23h39m vni-0/2.0

local  N/A  +192.168.129.1/32    0.0.0.0         2d23h39m directly connected


admin@SPOKE2-cli> show interfaces brief

tvi-0/16.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.0.108/32

tvi-0/17.0  n/a                up     up     2       DUN-SubOrg-Control-VR  10.4.64.108/32

vni-0/1.0   52:54:00:8c:7f:91  up     up     2       SG-MPLS2-Transport-VR  192.168.121.1/24

vni-0/2.0   52:54:00:c6:75:5e  up     up     2       DUN-SubOrg-LAN-VR      192.168.129.1/24
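
The spoke checks above ("all routes with next hop as the hub tvi-0/17") can be automated. The following added example (not part of the original article) parses the `show route routing-instance` layout shown on this page and lists any BGP route whose next hop is not the expected hub address; the function names are assumptions, the sample rows are copied from the SPOKE1 output, and one row is constructed to show a failing case.

```python
import re

# Added example. Data rows of "show route routing-instance ..." in the layout
# shown on this page: Prot, Type, +Dest/Mask, Next-hop, Age, Interface name.
ROW = re.compile(
    r"^(?P<prot>\S+)\s+(?P<type>\S+)\s+\+?(?P<dest>\d+(?:\.\d+){3}/\d+)"
    r"\s+(?P<next_hop>\d+(?:\.\d+){3})\s+(?P<age>\S+)\s+(?P<ifname>.+?)\s*$"
)

# Rows copied from the SPOKE1 output on this page.
SPOKE1_OUTPUT = """\
admin@SPOKE1-cli> show route routing-instance DUN-SubOrg-LAN-VR
Prot   Type  Dest Address/Mask   Next-hop        Age      Interface name
----   ----  -----------------   --------        ---      --------------
BGP    N/A  +192.168.56.0/24     10.4.64.104     2d23h06m Indirect
conn   N/A  +192.168.77.0/24     0.0.0.0         5d15h16m vni-0/2.10
local  N/A  +192.168.77.1/32     0.0.0.0         5d15h16m directly connected
BGP    N/A  +192.168.88.0/24     10.4.64.104     2d23h06m Indirect
BGP    N/A  +192.168.99.0/24     10.4.64.104     2d23h06m Indirect
BGP    N/A  +192.168.109.0/24    10.4.64.104     2d23h06m Indirect
BGP    N/A  +192.168.129.0/24    10.4.64.104     2d23h06m Indirect
"""
# Constructed row (not from the page): a BGP route that bypasses HUB1.
CONSTRUCTED_BAD_ROW = (
    "BGP    N/A  +192.168.109.0/24    10.4.64.107     0d00h01m Indirect\n"
)


def parse_routes(text):
    """Return one dict per route row; prompts, headers and rules are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]


def routes_not_via_hub(text, hub_next_hop):
    """BGP routes whose next hop is not the expected hub tvi-0/17 address."""
    return [(r["dest"], r["next_hop"]) for r in parse_routes(text)
            if r["prot"] == "BGP" and r["next_hop"] != hub_next_hop]


if __name__ == "__main__":
    print(routes_not_via_hub(SPOKE1_OUTPUT, "10.4.64.104"))
    print(routes_not_via_hub(SPOKE1_OUTPUT + CONSTRUCTED_BAD_ROW, "10.4.64.104"))
```

An empty list means every BGP route on the spoke points at its hub; for SPOKE3 and SPOKE4 pass 10.4.64.106 as the expected next hop.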