Could MPLS L3 VPN forward packet which CE configure VRF Lite?

Similar Messages

• MPLS L3 VPNs

  I need to implement Hub and Spoke MPLS L3 VPN. Scenario is we are
  implementing 30 VPNs on one Router i.e. 10720 in single VRF and with same
  RD. How can I implement Hub and Spoke in this case?

  When you want to have an MPLS/vpn hub and spoke topology, the HUB-PE router will need to have 2 vrf's. One which we can call 'from-spokes' and another 'to-spokes'. In the first one, we will have the routes that are being received from the spokes. In the other one, we will have the routes that will be advertised to the spokes; in this one we will certainly NOT have the routes to the other spokes. The HUB-PE needs to have 2 interfaces or sub-interfaces connected towards the CE site. One interface will be in "from-spokes" VRF and the other one will be in "to-spokes VRF. That way the traffic coming from one spoke will always go to the CE via one vrf interface, then come back from the CE via the other vrf interface and sent out towards the other spoke. This is the general overview of a Hub-spoke mpls-vpn topology

• MPLS L2 VPN

  Hi,
  What is L2 MPLS VPN & how to configure it end-to-end, What are the diffrence with L3 VPN
  What is vrflite & what is the pros/cons of the same
  Br/Subhojit                  

  In a MPLS L3 VPN the service provider carries the route for the customer. The network is not transparent meaning that layer 2 traffic such as broadcast and control plane traffic like CDP/LACP/STP etc is not carried for the customer.
  There are different L2 VPNS such as Ethernet over MPLS (EoMPLS) and Virtual Private LAN Service (VPLS).
  EoMPLS is a point to point layer 2 service which does no MAC learning and it is transparent to the customer meaning that the customer can connect two switches together over the "cloud".
  VPLS is a multipoint to multipoint technology. Essentially to the customer the provider network looks like a big switch. Several sites can be connected together and traffic here is also transparent.
  Because these are layer 2 services the customer would be responsible themselves for providing routing in the network.
  VRF lite is a form of L3 VPN but it's not running MPLS. Instead it uses VLANs to separate customer traffic. The cons are that it requires more configuration, is less scalable and needs peering in multiple VRFs compared to just peering in the VPNv4 address family.
  Daniel Dib
  CCIE #37149
  Please rate helpful posts.

• VPN Forwarder issue in IE 8/9, unable to install, prompt hides behind "Connect Popup"

  Hey!
  We have as SSL Porta running on a Cisco ASA 5505l that some of our external customers are using, and some of them are using IE 8/9
  The thing is, the first time a new customer login on the portal and clicks one a RDP object they have to install the Cisco SSL VPN Forwarder, but are unable to to so because the Remote Desktop window ends up on top.
  If you click connect you just end up back on the start page of the portal, and the install bar for the forwarder disappears.
  If you click cancel, you just get a 404 error, (if you're fast, like 2 seconds, you might be able to install the forwarder)
  This is a ASA 5505 running 9.1.1 and ASDM 7.1.1.52 and latest RDP plugin (09112012)
  The same thing happened with a RDP plugin from 2009, ASA version 8.4.1 and ASDM 6.4.9
  It works if you use java, or any other browser (also java of course), but we want this to be a seamless as possible, and many users are still stuck with IE unfortunately.
  Any ideas?
  IE8
  IE9

  Yeah, we did, and it's still the same.
  But it's kinda random, on one machine you can cancel the connect prompt and then install the forwarder, but on another, you get a 404 when you cancel the connect prompt.

• Dial-In access to VRF Lite (MPLS VPN)

  Hi,
  I'm trying to implement a solution, that gives opportunity to dial-in to some specific customers VPN (VRF Lite)
  Configuration of NAS is done using cisco.com guide and seems OK. NAS is using RADIUS to authenticate users, and if authenticated, RADIUS sends a specific users virtual-profile configuration to NAS. So far everything seems OK. I can dial-in, succesfuly authenticate against RADIUS and download the virtual-profile configration (DEBUG is pasted below).
  BUT, even there is a command "virtual-profile aaa", and RADIUS sends all info, Virtual-Access interface isn't created or it is created without any configuration.
  Maybe this is happening because I'm using dialer-profile ? Some cisco documentation says that if there are dialer-profiles configured, virtual-profile configuration cann't be downloaded from AAA ???
  Here is debug, You can see RADIUS to NAS communication:
  Aug 24 07:59:59: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to up
  Aug 24 08:00:00: RADIUS(000000A1): Storing nasport 20026 in rad_db
  Aug 24 08:00:00: RADIUS(000000A1): Config NAS IP: 0.0.0.0
  Aug 24 08:00:00: RADIUS/ENCODE(000000A1): acct_session_id: 247
  Aug 24 08:00:00: RADIUS(000000A1): sending
  Aug 24 08:00:00: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
  Aug 24 08:00:00: RADIUS(000000A1): Send Access-Request to xxx.xxx.xxx.xxx:1645 id 21646/40, len 113
  Aug 24 08:00:00: RADIUS: authenticator C9 98 61 51 0F FF 0F C8 - FA A2 3E C1 5E 80 13 0E
  Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
  Aug 24 08:00:00: RADIUS: User-Name [1] 6 "vrft"
  Aug 24 08:00:00: RADIUS: CHAP-Password [3] 19 *
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 20
  Aug 24 08:00:00: RADIUS: cisco-nas-port [2] 14 "Serial2/0:26"
  Aug 24 08:00:00: RADIUS: NAS-Port [5] 6 20026
  Aug 24 08:00:00: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
  Aug 24 08:00:00: RADIUS: Calling-Station-Id [31] 9 "xxxxxxx"
  Aug 24 08:00:00: RADIUS: Called-Station-Id [30] 9 "xxxxxxx"
  Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
  Aug 24 08:00:00: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
  Aug 24 08:00:00: RADIUS: Received from id 21646/40 xxx.xxx.xxx.xxx:1645, Access-Accept, len 277
  Aug 24 08:00:00: RADIUS: authenticator 8D E7 52 2A 4B 72 88 9E - B8 85 38 CF 70 4A B7 79
  Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
  Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
  Aug 24 08:00:00: RADIUS: Framed-IP-Address [8] 6 10.10.8.5
  Aug 24 08:00:00: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
  Aug 24 08:00:00: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 54
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 48 "lcp:interface-config#1= ip vrf forwarding test"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 68
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 62 "lcp:interface-config#2= ip address 10.10.8.1 255.255.255.240"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 50
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 44 "lcp:interface-config#3= description horray"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 49
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 43 "lcp:interface-config#4= encapsulation ppp"
  Aug 24 08:00:00: RADIUS: Framed-Routing [10] 6 0
  Aug 24 08:00:00: RADIUS(000000A1): Received from id 21646/40
  Aug 24 08:00:00: %ISDN-6-CONNECT: Interface Serial2/0:26 is now connected to xxxxxxx vrft
  Aug 24 08:00:00: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to down
  Please let me know if any other information is required.

  Besides, as I see, virtual-access interface's description is as configured on RADIUS, but all other configuration is from virtual-template. Why? Even if there are no overlapping configuration strings in Vtemplate and on AAA (like ip address etc), configuration string received from RADIUS isn't getting added to virtual-access interface configuration.

• Need a "display filter" to find http packet which contains a specific word

  hi friends
  in my test lab, i have deployed a web server.
  in default website folder (wwwroot) i have a text file named myfile.txt within which i have written some words, for example the word "computer".
  i started capturing traffic via Microsoft network monitor
  now via my client's browser, i browse this address   http://myserver/myfile.txt & my text file contents are shown within IE.
  now i need a display filter in Microsoft network monitor which find this packet for me ( i meani need to find the single http packet which contains the word "computer".
  i spent a lot of times but it didn't result.
  any help please?
  thanks in advance

  You can use the ContainsBin plugin and there's an example in the library under Search Frame.  For example the following looks for the word FONT.
  ContainsBin(FrameData, ASCII, "FONT")
  Also, just to let you know, we released Message Analyzer (http://blogs.technet.com/MessageAnalyzer), which also has this capability and a lot of other things that might help, such as regex expressions.
  Paul

• HI. I HAVE ALREADY MEMEBRSHIP for one app in creative cloud. I want to upgrade it to be complete membership . first I could not cancel my old one . second i pay for the second one, third i could not download the indesign cc ( which i need right now becaus

  HI. I HAVE ALREADY MEMEBRSHIP for one app in creative cloud. I want to upgrade it to be complete membership . first I could not cancel my old one . second i pay for the second one, third i could not download the indesign cc ( which i need right now because they ask for serial number) . I have already cs6 products. is that technical problem in adobe or what ?

  Log out of your Cloud account... Restart your computer... Log in to your paid Cloud account
  -Sign in help http://helpx.adobe.com/x-productkb/policy-pricing/account-password-sign-faq.html
  Cancel http://helpx.adobe.com/x-productkb/policy-pricing/return-cancel-or-change-order.html
  -or by telephone http://helpx.adobe.com/x-productkb/global/phone-support-orders.html
  Ask for serial number http://forums.adobe.com/thread/1234635 has a FAQ link

• RasClient:dialed a connection named "VPN Connection Name " which has failed. The error code returned on failure is 789 on windows 8.1

  Hello,
  i am trying to connect to my corporation VPN Server " ISA 2006" using windows 8.1 client built in VPN,  but its returned the following error:
   Event ID 20227: dialed a connection named "VPN connection Name" which has failed. The error code returned on failure is 789.
  VPN connection is working fine with windows XP and windows 7 with no issue , this error is only appear when try to connect to using windows 8 client machine.
  this error is shows only on windows 8.1 client , same procedures used to enroll the certificate from internal CA " IPsec Type" is followed .
  below are the  ISA server specifications:
  VPN Server : ISA 2006.
  windows Server version 2003. 
  appreciate your quick help and reply .
  Thanks

  Thanks for your reply.
  i would like to add another point for this case, that when we are trying to enroll a certificate from internal CA web enrollment directly using windows 8 " internet explorer 11"  , its install a certificate without Digital
  Signature and non-repudiation in key usage property, then when try to connect , its will give the above error 789 ..
  when try to enroll a certificate into windows 7 " internet explorer 10" and then export and import  this certificate into windows 8.1 machine "with the name of
  windows 8.1 machine" into windows 8.1 machine, the VPN is working normally and without issue.
  The properties of the Certificate are difference between windows 7 machine and windows 8 machine is key usage missing the Digital Signature and non-repudiation properties when enroll
  from windows  8.1 " internet explorer 11", this is in fact because of
  we don't have an option for key usage " both" when subment a certificate on web enrollment page from windows 8 machine ,, the only option available is exchange "
  no signature and both option available "
  i believe that there is something wrong when using windows 8.1 internet explorer 11 so its gave a certificate with wrong key usage property .
  appreciate your quick help in this .
  thanks

• Is there any way I can cancel the update to ios 8? My iphone is in the stage of having to connect to iTunes to finish the update. I don't have iTunes on a computer so I could never back my phone up which I didn't know you had to. Help!

  Is there any way I can cancel the update to ios 8? My iphone is in the stage of having to connect to iTunes to finish the update. I don't have iTunes on a computer so I could never back my phone up which I didn't know you had to. Help!

  If your phone is in recovery mode (You see the iTunes graphic on the phone), you MUST connect the device to a computer and restore the operating system.  There is no supported way to get around it.  The device had a problem installing the update and it crashed.  Sorry.

• HT1688 How i could find my I phone 4s which is stolen , and how i get copy of my photos that i stored in i phone it'self ?

  Hi
  please ,How i could find my I phone 4s which is stolen , and how i  could get copy of my photos that i have stored in i phone it'self ?

  Your only chance is with the Find My iPhone option with a free Apple iCloud account.
  Were you accessing an iCloud account on your iPhone with Find My iPhone turned on with the account settings?
  iCloud also includes a PhotoStream feature which can stream the photos in the Camera Roll to your computer as well as to other iOS devices.
  If not being used and you didn't import the photos with your computer as with any other digtial camera nor update your iPhone's backup since the photos were captured, the photos are gone unless your iPhone is re-covered as is.

• MPLS IP-VPN compatibility

  Hi, we've lots of members running on 2 Cisco 2611 with HA configured (HSRP, ISDN backup, etc). There is 2 scenarios here as follow:
  i. 2 units of 2611 routers with each 2611 have a dedicated LL, one connected to HQ, the other connected to DR.
  ii. 2 units of 2611 routers with only one have a dedicated LL, the other provide ISDN DDR when the LL on the other failed.
  iii. 1 unit of 2611 routers with trunking to a 2950 switch, have a dedicated LL and ISDN DDR.
  For the first scenario, when the members having 2 dedicated LL, normally it is from different telco providers. Now there's one single telco offering us the chance to upgrade to MPLS IP-VPN for an interesting rate. What I'm wondering is, can it work that way?
  I have my 6509s with Sup720 at both HQ and DR, I have a good vendor all the while, if part of the members start to accept the MPLS-VPN, is there any integration problem? The HA configured will still work?
  The thing that worried me most is the core layer part, since the member get the router through a router distribution from the core router in EIGRP, and the ISDN DDR will redistribute the static when the ISDN is active. How MPLS fit into my network?

  Hello,
  In principle everything can work. The dessign in question has one leased line (or ISDN) to the HQ and another path through a MPLS VPN. The issue you will have to deal with is to carefully design your dynamic routing. In case you have EIGRP, then an internal route will always be prefered over an external route. It is most likely to get external routes through the MPLS VPN - depending on implementation details.
  Thus you might have the problem of proper primary/backup path selection and also with routing loops. The underlying reason for both is the redistribution in MP-BGP at the MPLS PE router.
  You need to get more details on the implementation in the SP network to avoid any pitfalls. EIGRP supports backdoors in an MPLS VPN environment, but the question is, whether your telco does as well.
  So it might work, but careful routing design is a must and involves you and the telco. HA is still possible, ISDN backup is possible as well. Depending on your specific implementation details you might need some route tagging and redistribution filters implemented by yourself or the telco to avoid the aforementioned problems.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Mpls and Vpn

  Would like to know if you can specify a general static route with mpls.  I have three sites in a hub and spoke. Spoke A is linked to the hub site via a site vpn to a hub site isr.  Spoke B is linked to the hub via mpls to a standalone mpls isr.  I can’t get from spoke A to B and from spoke B to A.  The mpls isp tells me that I cannot do this because spoke A’s local subnet is not part of the mpls peering(and is on another isp).  Don’t have a lot of familiarity with mpls but  I am wondering why you cannot do a static route of the form: ip route <spoke A lan> <mask> <hub site isr> in either of the mpls isr’s? 

  Hi,
  So:
  B --- mpls ----- HUB ---- vpn ---- A.
  HUB connects to A and B, right?
  I do not see any problem on doing a static route like you said on the client vrf (client from isp point of view).
  Maybe they are afraid of backdoor route on the mpls (not the case) or there are some conflicts between mpls management ip addressing and spoke A lan.
  I have various similar configurations in mpls with static routes, ospf , rip and bgp without any problems and using different isps.
  Ask your mpls isp what is the reason to not create that static? Instead you can ask to make default to a router in your management.
  Regards,
  Pedro Lereno

• My ipod touch has got a frozen white screen have tried all advice nothing comes on screen i have restored it but still nothing could it be the touch screen which was replaced around a month ago ?

  my ipod has a frozen white screen i have gone through all the holding buttons procedures and reset on laptop but still nothing,could it be the touch screen which was replaced around a month ago but has worked fine till now

  Couold be related tot he sscreen replacment
  Try:
  - iOS: Not responding or does not turn on
  - Also try DFU mode after try recovery mode
  How to put iPod touch / iPhone into DFU mode « Karthik's scribblings
  - If not successful and you can't fully turn the iOS device fully off, let the battery fully drain. After charging for an least an hour try the above again.
  - Try on another computer                            
  - If still not successful that usually indicates a hardware problem. I would take it back to where the screen was replaced.

• MPLS / vrf-lite

  Hi
  We currently use a BT MPLS network and use BGP on our CE router to peer with the providers PE routers. Currently we only use one VPN for production across the MPLS network.
  We are now looking to give access from some of our MPLS sites to a test environment housed in our data centre. We need to do this on a pc by pc basis.
  At the moment the plan is to add a Test VPN within the MPLS network. All sites will be a member of the production VPN and those sites that also need access to test environment will be a member of the Test vpn.
  This will segregate the traffic over the WAN but the issue i now have is how to segregate the traffic once it leaves the PE router. The link between the CE and PE router is just a layer 3 link so the VPN separation
  has disappeared by now. I don't mind the traffic not being separated in terms of VPN's on the CE to PE link but i need to segregate the traffic once it leaves the CE router and enters our LAN.
  So finally the questions
  1) Is there a way to keep the separation at a VPN level on the CE -> PE link. As i say i don't mind not having it but if there is a way i would be interested.
  2) More importantly i have done some limited reading on VRF-lite and was wondering before i go further if that would allow me to segregate the traffic internally within the LAN. Our Lan's in major buildings usually consist
  of 4500 at the access-layer and 6500 as distribtion/core. What i would ideally like to do is ensure that only users within the site who need to access the test environment can ie. by adding a site to the TEST vpn this does
  not mean that all users within the site should be able to get to it.
  I could
  i) Use PBR together with access-list and potentially firewalls
  ii) use vrf-lite to segregate the traffic.
  So is this a good application for vrf-lite or have i missed the point of it ?. if not can anyone suggest a better way ?
  Many thanks
  Jon

  Joseph/Anantha
  Thanks to both of you for your replies. If i could just query your expertise a little more.
  Attached is a visio of a site that i would like to be able to access both the Test and Production VPN's. The key thing to note is that we are routing from the access-layer down to the distribution 6500 switches.
  Now on the 4500 i can have 2 separate VRF's, one for the Prod VPN and one for the Test VPN. I can then assign different vlan interfaces into the relevant vrf.
  Am i right in my assumptions so far ?
  The problem i am having in taking this further is that a L3 interface can only be in one VRF and as the connections from the 4500 to the 6500 are L3 uplinks i can't allocate the L3 link into 2 separate vrf's (nor would it make sense to do so).
  I am not in a position to change the L3 links to L2 links which would solve part of the problem as the vlan interfaces would then be on the 6500 and i could allocate these interfaces into separate VRF's.
  So is there any way, bearing in mind that i need to keep L3 links from the access-layer, that i can segregate the routing tables on the 6500 and 7200 router.
  If i can't do this then i don't see the advantage of trying to use VRF-lite because the 6500/7200 and 3800 will all have one routing table with both Test and Prod routes in in it and this means without route filtering these routes will get propogated by the 3800 to our remote sites.
  If i have to revert to route-filtering i may as well not bother with vrf-lite ?
  Jon

• Serial interfaces, ip vrf forwarding, and PBR with set vrf

  I am doing some work with VRF-lite but I am having some trouble with serial interfaces. I have a PE router with a serial interface where I want to take incoming traffic and using policy-based routing send the traffic to the appropriate VRF. I want to assign the serial interface itself to be in one of those VRFs, not the global routing table. Eventually, I also want to overlap the VPNs/VRFs to send traffic going out the serial interface through the VRF assigned to the serial interface. Initially, it looks something like this:
  ip vrf VRF1
  rd 65000:3
  route-target export 65000:3
  ip vrf VRF2
  rd 65000:18
  route-target import 65000:3
  ip route vrf VRF1 10.90.51.0 255.255.255.0 192.168.11.18
  interface Serial0/0/0
  ip vrf forwarding VRF1
  ip address 192.168.11.17 255.255.255.252
  router bgp 65000
  no synchronization
  bgp log-neighbor-changes
  no auto-summary
  address-family ipv4 vrf VRF1
  redistribute static
  no auto-summary
  no synchronization
  exit-address-family
  ip access-list extended remote-source
  permit ip 10.90.0.0 0.0.255.255 any
  route-map SERIAL-INCOMING permit 100
  match ip address remote-source
  set vrf VRF2
  But if I try to turn on the policy based routing at the serial interface, I get an error:
  Router(conf)#interface Serial0/0/0
  Router(config-if)#ip policy route-map SERIAL-INCOMING
  % Can not apply route-map SERIAL-INCOMING to this interface
  % Either remove 'set vrf' from route-map or unconfigure 'ip vrf forward'
  I can sort of get around the problem by using an "ip vrf receive" instead of "ip vrf forward", but unfortunately, that leaves my Serial interface in the global table which isn't what I wanted.
  What troubles me is that I can do this without any problems on an Ethernet interface. Are there any known issues with "ip vrf forward" and using PBR and "set vrf" on Serial interfaces, or have I configured something wrong?
  If I stick with the "ip vrf receive", how can I force the physical Serial interface into the appropriate VRF?
  Thanks.
  Clarke Morledge
  College of William and Mary

  Upon further investigation....
  The serial interface issue was a red herring. It just so happens that every other time I've done this it has been on a flavor of 12.2x on a 6500/7600 where this feature is supported. The only systems I have with Serial interfaces are 1841s.
  The problem with the 1841 is that most of the code revisions out there do not support this feature. It was only added to the regular code train with the recent release of 12.2(24)T. I tested with 12.2(24)T1 and you are now able to use "ip vrf forwarding" on all interfaces along with a PBR route-map that uses the "set vrf" option.
  Thanks, Laurent, for pointing me towards the TAC on this.
  Clarke Morledge
  College of William and Mary