Full internet routes in MPLS-VRF

Hi all,
I am a bit confused about whether it is a good idea to load full Internet routes into an MPLS VRF. There is no service routing in the core network, only topology routing, but there are dual upstream ISPs connecting to the ASBR. I'm worried about loading these two sets of full Internet routes into a VRF on a 7600; is it possible? Does it take a long time to load the routes into the VRF?
Could someone give me a proposal or share some experience with Internet routes in a VRF? Thanks.

It's not a good practice to load all the Internet routes in the VRF. Do use VRF leaking. For this, create a VRF named internet, which will be loaded with the default route; export that route with the RD and import that route in your particular VRF. With this you will have only 1 route in the VRF.
regards
shivlu

Similar Messages

  • Internet routes - Global or VRF

    Hi. We are implementing an upgrade to an MPLS-VPN core. We are doing this for a Telco Service Provider which also has an Internet offering. We are deciding whether to put the full Internet routes in a VRF or into the global routing table.
    Can anyone give us the pros and cons on this dilemma?
    Initially, our design was to put the Internet in a VRF. The MPLS-VPN is intended to be a multiservice core offering eventually VOIP, VPLS , eoMPLS, etc. The core consists of GSR12406 P routers, 7606sUP720 PE, and 7200-NPEG1 PEs.
    Thanks.
    bing

    Hi, thanks for the response. I have additional questions.
    1. Would there be any security issue when I have full Internet routes in my global routing table while I have VPN customers (i.e. EoMPLS, L3VPN) in my VRFs?
    2. When I use CSC, this means that my "Internet" becomes my Customer Carrier (ISP), although this is really owned by the same company. I would have to use BGP between the PE and the CE (Internet routers) for scalability. I need this because I need to use the PE to participate in BGP routing, since we own this anyway. This would mean that I would have Internet routes (whether full or selective routes) in my "Internet" VRF. Is this understanding correct?
    3. Related to #2, if I use CSC and I have 2 Internet PoPs belonging to the same AS number which traverse a CSC, I would have to use AS-override functionality (e.g. if my Internet AS is 100, and my CSC AS number is 300, I would have to traverse this path: PoP#1 AS100 - AS300 - PoP#2 AS100). When I do a traceroute, I will see AS300 as part of the path. Would there be a way to hide the AS number of the CSC, so that it will not appear in the traceroute?
    Thanks.
    Bing

  • Full internet routing in an internet MPLS VPN

    Is it possible and advisable to run the full Internet routing table in a separate MPLS VRF? A default route is not an option.
    With kind regards,
    Mike

    Hi,
    It is not advisable to have the full Internet routing table in a VRF. It is possible that you may run out of memory, since different routers have different VRF route-holding capacities. E.g., if you are using the 12000 series and you have only one VRF configured, then you can hold the entire Internet routing table in one VRF.
    Which router do you have? Is it a 12000? How many VRFs do you have? How many routes do you have per VRF?
    You need to consider the above questions before making the decision.
    -Waris

  • Trouble getting internet route table distributed in a VRF

    Hi everyone,
    I'm having some trouble getting the Internet routing table distributed between PE routers.
    CE1 and PE1 work fine, and all Internet BGP routes are shown in the route table, but distribution between PE1 and PE2 is not working. Does anyone have a clue?
    My goal is to move Internet access into its own VRF, away from the global routing table.
    In the MPLS core I am running the same AS number as our official AS, which we use for peering to the Internet.
    Snap of configurations:
    ***CE1***
    router bgp 65534
     neighbor 172.31.61.55 remote-as 65534
     neighbor 172.31.61.55 description PE-1
     neighbor 172.31.61.55 shutdown
     neighbor 172.31.61.55 update-source Loopback0
     neighbor 172.31.61.55 next-hop-self
    ***MPLS PE1***
    ip vrf NET-INTERNET
     rd 65534:10051
     route-target export 65534:10051
     route-target import 65534:10051
    interface Port-channel1.35
     encapsulation dot1Q 35
     ip vrf forwarding NET-INTERNET
     ip address 172.31.61.55 255.255.255.224
     mpls label protocol ldp
     tag-switching mtu 1546
     tag-switching ip
    router bgp 65534
     neighbor 192.168.0.146 remote-as 65534
     neighbor 192.168.0.146 description PE2
     neighbor 192.168.0.146 update-source Loopback0
     neighbor 192.168.0.146 version 4
     neighbor 192.168.0.146 next-hop-self
     address-family vpnv4
      neighbor 192.168.0.146 activate
      neighbor 192.168.0.146 send-community both
     exit-address-family
     address-family ipv4 vrf NET-INTERNET
      neighbor 172.31.1.2 remote-as 65534
      neighbor 172.31.1.2 activate
      neighbor 172.31.1.2 description CE1
      no auto-summary
      no synchronization
     exit-address-family
    ***MPLS PE2***
    ip vrf NET-INTERNET
     rd 65534:10051
     route-target export 65534:10051
     route-target import 65534:10051
    interface Port-channel1.67
     encapsulation dot1Q 67
     ip vrf forwarding NET-INTERNET
     ip address 172.31.254.1 255.255.255.252
     mpls label protocol ldp
     tag-switching mtu 1546
     tag-switching ip
    router bgp 65534
     neighbor 192.168.0.132 remote-as 65534
     neighbor 192.168.0.132 description PE1
     neighbor 192.168.0.132 update-source Loopback0
     neighbor 192.168.0.132 version 4
     address-family ipv4 vrf NET-INTERNET
      neighbor 172.31.254.2 remote-as 65534
      neighbor 172.31.254.2 activate
    Best regards
    /Peter

    For VPN routes to be exchanged between the two PEs, you first need to configure VPNv4 address family on each one of the PEs.
    Carrying the full Internet routing table over VPNv4 will work, but it is not very scalable since all PE routers have to hold the full Internet routing table in the VRF context in addition to potentially the full Internet routing table in the global routing table. If you want to exchange the full Internet routing table between the two CEs, it would be preferable to use something like Carrier Supporting Carrier (CSC).
    Please refer to the following URL for additional information on CSC:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/fscscl23.htm
    Hope this helps,

  • MPLS VRF Routes Leaking

    I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
    Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
    What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

    You could use one of the following ways to implement Internet access for L3 MPLS VPN:
    1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
    2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table. This VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.
    Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.
    3. The other method is the use of a shared service: with this method you need to put the Internet service FWSM in its own VRF; then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs' route-target values.
    good luck
    if helpful Rate

  • MPLS VRFs hanging routes

    Hi all,
    We've a cell-based MPLS network (based on BPX 8600/LSC 7200 acting as the P and MGXs with RPMs acting as the PEs and connected with E3s to the BPX).
    On those PEs...we're running MPLS VPNs for our customers and there're 2 PEs acting as Route Reflectors for all the other PEs for reflecting the MP-BGP routes for the VRFs.
    The problem is that with any RPM reloads or any interface flapping or without any reason....all of a sudden we found that a VRF customer that has for example 2 branches....one of them connected to POPX and the other branch connected to POPY complaining that there's no connectivity between the 2 branches although when issuing the command " sh ip route vrf Customer AAA " on the PE of POPX we found that the IBGP routes of the other branch are present in its VRF routing table.....but still the 2 branches cannot ping each other.
    The same problem may be repeated for all VRF customers connected between those 2 POPs and isn't solved except when issuing the command on the PE of POP X "clear ip route (lpbk add of the PE in POPY)"
    After that command....everything is OK and the 2 branches can ping each other without problems.
    After some investigation...we found that this problem is due to an LSC bug....the suspected bugs were CSCea21665 and CSCea74222 and the workaround for those bugs are "clear ip route (Remote PE lpbk add)"
    As listed in those bugs also that the fix for them is in IOS 12.2(15)T05 and higher....so we upgraded our LSC from ver 12.2(8)T4 to the latest
    12.2(19).
    Unfortunately we found that the problem is not yet solved and still the same symptoms appear for the VRFs.....and that means that upgrading the IOS ver for the LSC is not enough and there's a step yet missing for avoiding that fatal problem.
    So has anyone faced this problem before ??? and if yes what were the steps done to avoid it other than the famous workaround "clear ip route (Remote PE lpbk add)"???

    Mohamed,
    I read your problem, because I'm interested in all the WAN switching stuff.
    Look at bug CSCea21665 on CCO, the fix is not integrated in 12.2 main line, so you have to go to one of the following minimum IOS 12.2(15)T05, 12.2(17.6)S, 12.3(1.9), 12.3(1.9)T, 12.0(25.3)S01, 12.2(11)T09, 12.2(15)ZK, 12.3(2.3)B, 12.2(15)ZK01.
    Look at Bug CSCea74222, it's fixed in
    12.2(15)T03, 12.3(1.5), 12.3(1.5)T, 12.2(17.3)S, 12.2(15)ZK, 12.3(2.3)B
    From those two bugs, do not use 12.2 main line, the fix is not integrated.
    Don't use 12.3, it's too new ;-))
    I would recommend 12.2(15)T05 or higher, that means 12.2(15)T07
    Then you shouldn't see the problem again.
    regards
    Dietmar

  • MPLS VRF configuration on CE router

    I have the following scenario.
    CE1----PE1---P---PE2---CE1
    ---CE2
    From PE2 to CE2 there are two links.
    The customer wants VRF configuration on the CE2 router on one link.
    I have configured the VRF between PE2 and CE2 on one link. I have also configured the RD and RT parameters in the VRF.
    I am using BGP as the routing protocol between PE and CE. Can you please let me know whether I have to configure MP-BGP between PE2 and CE2 to carry RD and RT values from CE2 to PE2?

    Only if you are extending MPLS VPN down to your CE. MP-BGP propagates VPNv4 updates tagged with a VPN label among PE routers only.
    Normally an IGP protocol such as OSPF is used between PE-CE. You can configure OSPF in the VRF associated with the VPN and associate the interface connected to the CE with the VRF. OSPF routes can then propagate from a CE to a PE when an OSPF adjacency has formed between the two routers. OSPF adds routes to the VRF's forwarding table at the PE side with routes learned from the CE.
    see this http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol2/html/bgp-mpls-vpns-config5.html

  • Central Site Internet Connectivity for MPLS VPN User

    What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

    Hello,
    Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
    Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
    One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
    Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
    The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
    http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
    Kind Regards,
    M.

  • Internet Connectivity for Multi - vrfs

    Hi all,
    Some help needed with the scenario below;
    I am currently migrating our legacy IP network to MPLS. We have been able to migrate 3 separate networks into their respective VRFs and are currently left only with the Internet segment, which used to connect to these 3 networks via a Cisco 535 firewall.
    Problem is, I have created an Internet VRF and intend to export a default route within the Internet VRF into the other VRFs, which should work fine for traffic leaving these networks to the Internet.
    Problem is: how to handle traffic coming from the Internet to these respective VRFs without having to import those routes into the Internet VRF?
    Why do I want this? Currently inter-VRF traffic is via a FWSM only and I would like to keep it that way. No leaking of routes from one VRF to the other. If I do import the 3 VRFs into the Internet VRF, it will leak one VRF route to the other!
    Any help ?

    Well,
    one way would be to create a VLAN subinterface per VRF in the PIX. This way all traffic to the internet would be directed towards the firewall and there you could easily control/block inter-VRF traffic.
    Or you create one internet interface in the FWSM and control access there.
    Regards, Martin
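
An added example, not part of any post in these threads: a small Python audit of the route-target design discussed in the shared-service option of the "MPLS VRF Routes Leaking" answer and in the multi-VRF question above. It parses IOS `ip vrf` stanzas and reports which VRFs import each other's routes; the VRF names, RT values and the `shared` set are constructed for illustration, and import/export maps are ignored.

```python
import re

# Constructed sample: customers export towards the Internet VRF with a dedicated
# RT (65000:900) and import only the Internet VRF's own RT (65000:999).
SEPARATE_RTS = """
ip vrf INTERNET
 rd 65000:999
 route-target export 65000:999
 route-target import 65000:900
ip vrf CUST-A
 rd 65000:1
 route-target both 65000:1
 route-target export 65000:900
 route-target import 65000:999
ip vrf CUST-B
 rd 65000:2
 route-target both 65000:2
 route-target export 65000:900
 route-target import 65000:999
"""

# Constructed sample: a single RT used in both directions by every VRF.
SINGLE_RT = """
ip vrf INTERNET
 rd 65000:999
 route-target both 65000:999
ip vrf CUST-A
 rd 65000:1
 route-target both 65000:1
 route-target both 65000:999
ip vrf CUST-B
 rd 65000:2
 route-target both 65000:2
 route-target both 65000:999
"""


def parse_vrfs(config):
    """Parse 'ip vrf' stanzas into {name: {"export": set, "import": set}}."""
    vrfs, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"ip vrf (\S+)$", line)      # does not match 'ip vrf forwarding X'
        if m:
            cur = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.match(r"route-target (export|import|both) (\S+)$", line)
        if m and cur is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
        elif line and not line.startswith(("rd ", "description ")):
            cur = None                            # any other command ends the stanza
    return vrfs


def imported_from(vrfs):
    """{vrf: sorted names of the other VRFs whose exported routes it imports}."""
    # A VPNv4 route carries the export RTs of the VRF that originated it and is
    # imported wherever at least one of them matches an import RT.
    return {dst: sorted(src for src, s in vrfs.items()
                        if src != dst and s["export"] & d["import"])
            for dst, d in vrfs.items()}


def audit(vrfs, shared):
    """LEAK: a customer VRF imports another customer's routes.
    SHARED-HOLDS: a shared VRF holds routes of several customers, so whatever
    forwards inside it (firewall, gateway) is where separation must be enforced."""
    findings = []
    for dst, sources in imported_from(vrfs).items():
        customers = [s for s in sources if s not in shared]
        if dst not in shared and customers:
            findings.append(("LEAK", dst, customers))
        elif dst in shared and len(customers) > 1:
            findings.append(("SHARED-HOLDS", dst, customers))
    return findings


if __name__ == "__main__":
    for label, cfg in (("separate RTs", SEPARATE_RTS), ("single RT", SINGLE_RT)):
        print(label, audit(parse_vrfs(cfg), shared={"INTERNET"}))
```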

  • Inject BGP Default Routes into Multiple VRF before Best Path Selection

    Hello, 
    I have the following setup:
    Multiple Border Routers with eBGP sessions to external AS. We receive a default route from these multiple AS to keep the table manageable. We noticed an important part of our traffic was being SW routed instead of CEF when we had the full Internet table. Router resources came to the ground when we changed to a default. 
    Now I want to separate this default routes into different VRF. Attached is the Diagram. 
    My question is,  the multiple default route all go into the BGP Table. The BGP table then select the best route and place it on the RIB and then to the FIB. 
    I want to redistribute the different Route on the BGP table prior to the Best path selection algorithm and placed on the RIB. 
    How can I achieve this?

    Hi,
    Redistribution of multiple routes to the same prefix is not possible. Even if you have configured BGP multipath and all the different BGP routes got installed into the routing table, during redistribution only one route will be redistributed. 
    Also would like to understand the requirement of redistributing multiple BGP routes in to IGP. As per your diagram, 3 different eBGP sessions are on three different routers, so you can prefer eBGP route over iBGP received from other routers and can distribute eBGP route to IGP from each router. Thus you will have three different default routes in to IGP in core.
    Please don't forget to rate this post if it has been helpful
    - Akash

  • BGP Session drops when loading routes into a VRF

    I've configured a small MPLS network with 4 P routers (ASR 1002s) 4 PE routers (6509s) and two Cisco 7206s as route reflectors.  I'm using OSPF as the routing protocol on the PE-CE interfaces and have sham links configured between PE routers.  I currently have two VRFs configured on this network, one is working fine, and there are approximately 150 routes in this VRF. 
    The second vrf is configured, it also has ospf sham links configured, neighbors up, etc.
    The problem I have is that when I bring up the first PE-CE link and load about 7000 routes into the second vrf my BGP sessions between the other PEs and route-reflectors start timing out.  I do show the vpnv4 routes show up in the route-reflectors "sh ip bgp vpnv4 rd 14017:2" I believe the debug outputs below indicate the issue is in the route-reflectors, but was curious if anyone else had seen this issue.  The BGP peering IP address for one of the route-reflectors is 10.2.0.7 and one of the session dropping PEs is 10.2.0.13.
    Normal output from "unloaded" debug ip bgp vpnv4 unicast keepalives:
    Route-reflector output:
    May 16 09:35:31   2329: May 16 09:35:30.718 CDT: BGP: ses global 10.2.0.13 (0xA0519C0:1) Keep alive timer fired.
    May 16 09:35:31   2330: May 16 09:35:30.718 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
    May 16 09:35:31   2331: May 16 09:35:30.718 CDT: BGP: ses global 10.2.0.13 (0xA0519C0:1) service keepalive IO request.
    May 16 09:35:31   2332: May 16 09:35:30.718 CDT: BGP: 10.2.0.13 KEEPALIVE write request serviced in BGP_IO
    PE output:
    May 16 09:35:38.421 CDT: BGP: 10.2.0.7 KEEPALIVE requested (bgp_keepalive_timer_expired)
    May 16 09:35:38.421 CDT: BGP: 10.2.0.7 KEEPALIVE sent
    Route-reflector output:
    May 16 09:35:39   2341: May 16 09:35:38.427 CDT: BGP: 10.2.0.13 received KEEPALIVE, length (excl. header) 0
    Same output but during a "loaded" condition:
    Route-reflector output:
    May 15 20:41:31   774: May 15 20:41:31.015 CDT: BGP: ses global 10.2.0.13 (0xA091324:1) Keep alive timer fired.
    May 15 20:41:31   775: May 15 20:41:31.015 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
    May 15 20:41:31   778: May 15 20:41:31.015 CDT: BGP: ses global 10.2.0.13 (0xA091324:1) service keepalive IO request.
    May 15 20:42:29   793: May 15 20:42:28.363 CDT: BGP: ses global 10.2.0.13 (0xA091324:1) Keep alive timer fired.
    May 15 20:42:29   794: May 15 20:42:28.363 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
    May 15 20:43:23   805: May 15 20:43:22.638 CDT: BGP: ses global 10.2.0.13 (0xA091324:1) Keep alive timer fired.
    May 15 20:43:23   806: May 15 20:43:22.638 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
    May 15 20:43:33   813: May 15 20:43:33.934 CDT: %BGP-3-NOTIFICATION: received from neighbor 10.2.0.13 4/0 (hold time expired) 0 bytes
    PE output:
    May 15 20:43:33.927 CDT: %BGP-3-NOTIFICATION: sent to neighbor 10.2.0.7 4/0 (hold time expired) 0 bytes
    May 15 20:43:33.927 CDT: %BGP-5-ADJCHANGE: neighbor 10.2.0.7 Down BGP Notification sent
    Route-reflector output:
    May 15 20:43:34   814: May 15 20:43:33.934 CDT: %BGP-5-ADJCHANGE: neighbor 10.2.0.13 Down BGP Notification received
    It appears to me that we are missing "BGP: 10.2.0.13 KEEPALIVE write request serviced in BGP_IO"
    For full disclosure there are other BGP keep-alive events going on to the other PEs at this time, some passing, some failing.
    route-reflector info:
    route-reflector1#sh inv
    NAME: "Chassis", DESCR: "Cisco 7206VXR, 6-slot chassis"
    PID: CISCO7206VXR      , VID:    , SN: 37050753
    NAME: "NPE-G2 0", DESCR: "Cisco 7200 Series Network Processing Engine NPE-G2"
    PID: NPE-G2            , VID: V03 , SN: JAF1410AADM
    NAME: "disk2", DESCR: "256MB Compact Flash Disk for NPE-G2"
    PID: MEM-NPE-G2-FLD256 , VID:    , SN:
    NAME: "Power Supply 1", DESCR: "Cisco 7200 AC Power Supply"
    PID: PWR-7200-AC       , VID:    , SN:
    NAME: "Power Supply 2", DESCR: "Cisco 7200 AC Power Supply"
    PID: PWR-7200-AC       , VID:    , SN:
    route-reflector1#sh ver
    Cisco IOS Software, 7200 Software (C7200P-ADVIPSERVICESK9-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Tue 04-Sep-12 19:41 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, 7200 Software (C7200P-BOOT-M), Version 15.1(4)M5, RELEASE SOFTWARE (fc1)
    route-reflector1 uptime is 15 weeks, 20 hours, 43 minutes
    System returned to ROM by reload at 11:03:48 UTC Thu Jan 31 2013
    System restarted at 12:37:52 CST Thu Jan 31 2013
    System image file is "disk2:c7200p-advipservicesk9-mz.151-4.M5.bin"
    Any thoughts on this problem would be greatly appreciated.

    Hi again,
    did you check this?
    http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008010a28a.shtml
    I honestly do not remember the defaults in Cisco but I had a very similar issue working with Juniper because of this value was set @ about 4500 prefixes at once.
    Take care
    Alessio
    Sent from Cisco Technical Support iPad App
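
An added example, not part of the posts above: a Python pass over the route-reflector debug lines quoted in the question that pairs each `KEEPALIVE requested` with a `KEEPALIVE write request serviced` per neighbor and records hold-time notifications (code 4/0). The function names are made up for this example; the log lines are copied from the post.

```python
import re

# Route-reflector lines copied from the post ("unloaded" capture).
UNLOADED = """\
May 16 09:35:31   2329: May 16 09:35:30.718 CDT: BGP: ses global 10.2.0.13 (0xA0519C0:1) Keep alive timer fired.
May 16 09:35:31   2330: May 16 09:35:30.718 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
May 16 09:35:31   2331: May 16 09:35:30.718 CDT: BGP: ses global 10.2.0.13 (0xA0519C0:1) service keepalive IO request.
May 16 09:35:31   2332: May 16 09:35:30.718 CDT: BGP: 10.2.0.13 KEEPALIVE write request serviced in BGP_IO
"""

# Route-reflector lines copied from the post ("loaded" capture).
LOADED = """\
May 15 20:41:31   775: May 15 20:41:31.015 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
May 15 20:41:31   778: May 15 20:41:31.015 CDT: BGP: ses global 10.2.0.13 (0xA091324:1) service keepalive IO request.
May 15 20:42:29   794: May 15 20:42:28.363 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
May 15 20:43:23   806: May 15 20:43:22.638 CDT: BGP: 10.2.0.13 KEEPALIVE requested (bgp_keepalive_timer_expired)
May 15 20:43:33   813: May 15 20:43:33.934 CDT: %BGP-3-NOTIFICATION: received from neighbor 10.2.0.13 4/0 (hold time expired) 0 bytes
"""

# The router's own timestamp (with milliseconds) follows the syslog prefix.
STAMP = r"(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) \w+: "
PATTERNS = (
    ("requested", re.compile(STAMP + r"BGP: (\S+) KEEPALIVE requested")),
    ("serviced", re.compile(STAMP + r"BGP: (\S+) KEEPALIVE write request serviced")),
    # NOTIFICATION error code 4 is Hold Timer Expired.
    ("hold", re.compile(STAMP + r"%BGP-3-NOTIFICATION: (?:received from|sent to) neighbor (\S+) 4/0")),
)


def keepalive_report(log):
    """Per neighbor: keepalives requested, keepalives written, the requests
    still unwritten, and the time of a hold-time NOTIFICATION if one occurred."""
    report = {}
    for line in log.splitlines():
        for kind, rx in PATTERNS:
            m = rx.search(line)
            if not m:
                continue
            stamp, peer = m.groups()
            entry = report.setdefault(
                peer, {"requested": 0, "serviced": 0, "pending": [], "hold_expired": None})
            if kind == "requested":
                entry["requested"] += 1
                entry["pending"].append(stamp)
            elif kind == "serviced":
                entry["serviced"] += 1
                # A keepalive that was actually written resets the peer's hold
                # timer, so earlier unwritten requests no longer matter.
                entry["pending"].clear()
            else:
                entry["hold_expired"] = stamp
            break
    return report


def starved_peers(report):
    """Neighbors whose session hit hold-time expiry with keepalives unwritten."""
    return sorted(p for p, e in report.items() if e["hold_expired"] and e["pending"])


if __name__ == "__main__":
    for name, log in (("unloaded", UNLOADED), ("loaded", LOADED)):
        rep = keepalive_report(log)
        print(name, rep, "starved:", starved_peers(rep))
```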

  • Internet Access in MPLS VPN scenario

    Hi,
    I do have topology CE8-PE2(AS 65001)-PE1(AS 65001)-ASBR1(AS1).
    Now PE2 and PE1 both are in same AS and PE1 has ebgp with ASBR1, ASBR1 is my internet router.
    I do have vrf ce on router PE2 and have attached that vrf on PE2 interface where CE8 is connected.
    and all the config are in attachment.
    regards
    Devang

    Hi,
    Some config is missing from the BGP vrf, you have not generated the VPNV4 routes for the vrf, please add on PE2;
    router bg 65001
    address-family ipv4 vrf ce
    red connected
    red static
    can you post ;
    show ip route
    show ip bgp
    From the PE1 & PE2?
    + show ip bg vpn all from PE2 only
    Thanks,
    LR

  • Path Selection for Routes Across MPLS Network

    The customer hub site has two CE routers with two links connected to two separate PE routers in the carrier's MPLS network. At the customer's remote site, one CE router on a single link is connected to a PE router in the MPLS network.
    How can I configure the CE routers at the hub site to advertise the same network across the MPLS network to the CE router at the remote site? Also, how can I configure the CE router at the remote site to select one of the routers as the primary and the other as secondary? Can I use local-preference on the CE router at the remote site to select one path over the other?
    I'm not sure if this makes any sense. Any help will be appreciated. Thanks

    Even with multiple RDs for VRFs belonging to the same VPN, you still need IBGP multipath, correct? Multiple RDs is just to get around the RR restriction.
    Also, you posted this message a while back:
    "If you have many VPN customers all using the same addresses (most likely rfc1918), the fact that they have different RDs and that the PE prepends the RD to the prefixes exchanged between PEs will make the same prefixes different in the MPLS VPN core
    cust1 advertises 192.168.1.0/24 with RD 1:1 therefore
    VPNv4 prefix is 1:1:192.168.1.0
    cust2 advertises 192.168.1.0/24 with RD 1:2 therefore
    VPNv4 prefix is 1:2:192.168.1.0"
    My test lab does not support the IBGP multipath command, and thus even with different RDs, it still only installs one best path.
    I understand that RD = make unique VPNv4 routes in SP space, and that RT = what to import into the VRF. However, I am having a hard time visualizing the scenario with multiple RDs for the same VPN for load balancing purposes. I am trying to understand the logic behind it.
    Per your example, if both 1:1 and 1:2 are received by the remote PE, assuming IBGP multipath is enabled, why would the remote PE load balance between the two links? Why would it assume that the hub subnets are reachable via two different PEs, and that it's not two different, isolated VPNs altogether?
    Is it b/c you imported both 1:1 and 1:2 into a VRF at the remote PE?

  • Should Wireless be in its own MPLS VRF?

    Hi,
    I already have an answer I like on this one, "YES!".
    Unfortunately I don't live in Mike-land while I'm at work. I need some reference architectures or authoritative security guides that explain why this is a best-practice, (at least where MPLS VRF's are available for use).
    My short list of reasons is:
    - More refined segmentation
    - Easier standardization practices and associated documentation for tier I/IIs support staffs
    - Easier to trouble-shoot when route tables are differentiated, (wireless VRF's and wired VRF's)
    - Easier to observe and isolate traffic, (at firewall or router) in case of security breach
    ...I could go on.
    Any good documentation on this out there?  I can't find much.
    Any help appreciated,
    M.

    As Malcolm says, don't partition. You have a relatively small drive and partitioning will cramp OSX which needs a lot of free disk space to run optimally. The only reason I can see to put OSX on its own partition is if you want to have multiple copies on a computer. The other reason to partition is for convenience in making backups but that's going beyond your immediate question.

  • BGP routing updates via VRF's fails on PE

    HQ connects to 2 different remote sites via MPLS.
    HQ connects to PE1 via MPLS vrf SITE1
    HQ also connects to PE1 via MPLS vrf SITE2
    WAN1 connects to PE2 via F0/0 vrf SITE1
    WAN2 connects to PE2 via F0/1 vrf SITE2
    HQ sees all prefixes from both remote sites!!
    HQ and WAN1 can successfully ping/trace each other.
    HQ and WAN2 can successfully ping/trace each other.
    WAN1 only sees HQ prefixes
    WAN2 only sees HQ prefixes
    PE1 vrf SITE1 routing table sees HQ and WAN1 prefixes only
    PE1 vrf SITE2 routing table sees HQ and WAN2 prefixes only
    I can see from HQ that HQ is sending the same prefixes to both eBGP PE1 peers.
    (I.E. sh bgp ipv4 uni nei x.x.x.x adv)
    TOPOLOGY:
               /---MPLS--PE2------WAN1
    HQ----PE1--
               \---MPLS--PE2------WAN2
    HQ   AS 10
    WAN1 AS 20
    WAN2 AS 30
    MPLS AS 65535
    On PE1 and PE2
    Under vrf SITE1, I added route-target import from vrf SITE2 and
    Under vrf SITE2, I added route-target import from vrf SITE1 and this did not work at all.
    HQ must remain in 2 different vrf's while the remotes are in different vrf's as well.
    PROBLEM:
    I need to be able to communicate between WAN1 to WAN2 via HQ.
    Anyone know what might fix my problem????, Or can explain what is happening that causes this failure?
    THANKS and BEST REGARDS
    Frank

    Hi Frank
    Looking at your design above, it all seems fine and should work. Just one question: did you import the cross-VRF RTs after the normal setup was up and working? Because in that case I think we would need to soft clear the BGP process on PE1 to cross-import the VRF routes from PE2. But on PE2 it should have worked fine.
    May be as asked by Olivier you can share the configs once to look at it.
    Coming to your second question of
    PROBLEM:
    I need to be able to communicate between WAN1 to WAN2 via HQ.
    This is a case of MPLS Hub and Spoke VPN Services using eBGP as PE-CE..
    Here we need to use 3 VRFs with separate export RTs for the Hub (HQ-VRF) and Spoke 1 (Site 1-VRF) / Spoke 2 (Site 2-VRF).
    The Hub will import the RTs of Spoke 1 and Spoke 2. Spoke 1 / Spoke 2 will import only the HQ RT.
    On PE1 create a default null route under VRF Hub and under BGP address-family ipv4 vrf HQ-VRF send a default route using the network statement below:
    network 0.0.0.0
    This will help to achieve the desired traffic flow of WAN1 communicating to WAN2 via HQ..
    Hope this provides some insight to your query.
    Regards
    Varma
