Hub and Spoke
The site of the central access control device is the Hub site, and the sites of other users are Spoke sites. At the Hub site, the device accessing the VPN backbone network is the Hub-CE, and at the Spoke site, the device accessing the VPN backbone network is the Spoke-CE. On the VPN backbone network, the device accessing the Hub site is the Hub-PE, and that accessing the Spoke site is the Spoke-PE.
The Spoke site needs to advertise its routes to the Hub site and further to other Spoke sites through the Hub site. Routes cannot be directly advertised among Spoke sites. The Hub site controls the communications among Spoke sites in a centralized manner.
In this networking, two VPN Targets are required. One indicates Hub, and the other indicates Spoke.
- Spoke-PE, the PE connecting to the Spoke site: Export Target is Spoke, and Import Target is Hub.
- Hub-PE, the PE connecting the Hub site: Two interfaces or sub-interfaces are required on the Hub-PE. One receives routes from the Spoke-PE, with the Import Target of the VPN instance as Spoke; the other advertises routes to the Spoke-PE, with the Export Target of the VPN instance as Hub.
- The Hub-PE can receive the VPN-IPv4 routes advertised by all Spoke-PEs;
- The VPN-IPv4 routes advertised by the Hub-PE can be received by all Spoke-PEs;
- The Hub-PE advertises the routes learned from Spoke-PEs to the Spoke-CE and the routes learned from the Hub-CE to all Spoke-PEs. Thus, the mutual access among Spoke sites can be realized through the Hub site.
- The Import Target of a Spoke-PE is different from the Export Target of any other Spoke-PE. Thus, VPN-IPv4 routes are not advertised directly between any two Spoke-PEs, and Spoke sites cannot directly access each other.
Figure 2 shows the communications data transmission path between Site1 and Site2 in Figure 1 (the arrows show the data transmission direction).
