GRE with VRF on MPLS/VPN

Similar Messages

• Filtering methods inside a VRF in MPLS VPN

  Hi,
  we have a network with MPLS VPN and several VRFs involved.
  Inside a certain VRF I need to avoid that two particular networks can talk to each other.
  Can you give me a hint of what can be a solution to implement this ?
  Thanks
  Regards
  Marco

  Hi Marco,
  To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
  You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
  Regards, Martin

• Dial-In access to VRF Lite (MPLS VPN)

  Hi,
  I'm trying to implement a solution, that gives opportunity to dial-in to some specific customers VPN (VRF Lite)
  Configuration of NAS is done using cisco.com guide and seems OK. NAS is using RADIUS to authenticate users, and if authenticated, RADIUS sends a specific users virtual-profile configuration to NAS. So far everything seems OK. I can dial-in, succesfuly authenticate against RADIUS and download the virtual-profile configration (DEBUG is pasted below).
  BUT, even there is a command "virtual-profile aaa", and RADIUS sends all info, Virtual-Access interface isn't created or it is created without any configuration.
  Maybe this is happening because I'm using dialer-profile ? Some cisco documentation says that if there are dialer-profiles configured, virtual-profile configuration cann't be downloaded from AAA ???
  Here is debug, You can see RADIUS to NAS communication:
  Aug 24 07:59:59: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to up
  Aug 24 08:00:00: RADIUS(000000A1): Storing nasport 20026 in rad_db
  Aug 24 08:00:00: RADIUS(000000A1): Config NAS IP: 0.0.0.0
  Aug 24 08:00:00: RADIUS/ENCODE(000000A1): acct_session_id: 247
  Aug 24 08:00:00: RADIUS(000000A1): sending
  Aug 24 08:00:00: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
  Aug 24 08:00:00: RADIUS(000000A1): Send Access-Request to xxx.xxx.xxx.xxx:1645 id 21646/40, len 113
  Aug 24 08:00:00: RADIUS: authenticator C9 98 61 51 0F FF 0F C8 - FA A2 3E C1 5E 80 13 0E
  Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
  Aug 24 08:00:00: RADIUS: User-Name [1] 6 "vrft"
  Aug 24 08:00:00: RADIUS: CHAP-Password [3] 19 *
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 20
  Aug 24 08:00:00: RADIUS: cisco-nas-port [2] 14 "Serial2/0:26"
  Aug 24 08:00:00: RADIUS: NAS-Port [5] 6 20026
  Aug 24 08:00:00: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
  Aug 24 08:00:00: RADIUS: Calling-Station-Id [31] 9 "xxxxxxx"
  Aug 24 08:00:00: RADIUS: Called-Station-Id [30] 9 "xxxxxxx"
  Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
  Aug 24 08:00:00: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
  Aug 24 08:00:00: RADIUS: Received from id 21646/40 xxx.xxx.xxx.xxx:1645, Access-Accept, len 277
  Aug 24 08:00:00: RADIUS: authenticator 8D E7 52 2A 4B 72 88 9E - B8 85 38 CF 70 4A B7 79
  Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
  Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
  Aug 24 08:00:00: RADIUS: Framed-IP-Address [8] 6 10.10.8.5
  Aug 24 08:00:00: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
  Aug 24 08:00:00: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 54
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 48 "lcp:interface-config#1= ip vrf forwarding test"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 68
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 62 "lcp:interface-config#2= ip address 10.10.8.1 255.255.255.240"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 50
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 44 "lcp:interface-config#3= description horray"
  Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 49
  Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 43 "lcp:interface-config#4= encapsulation ppp"
  Aug 24 08:00:00: RADIUS: Framed-Routing [10] 6 0
  Aug 24 08:00:00: RADIUS(000000A1): Received from id 21646/40
  Aug 24 08:00:00: %ISDN-6-CONNECT: Interface Serial2/0:26 is now connected to xxxxxxx vrft
  Aug 24 08:00:00: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to down
  Please let me know if any other information is required.

  Besides, as I see, virtual-access interface's description is as configured on RADIUS, but all other configuration is from virtual-template. Why? Even if there are no overlapping configuration strings in Vtemplate and on AAA (like ip address etc), configuration string received from RADIUS isn't getting added to virtual-access interface configuration.

• Central Site Internet Connectivity for MPLS VPN User

  What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

  Hello,
  Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
  Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
  One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
  Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
  The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
  http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
  Kind Regards,
  M.

• GRE keepalives with VRF

  GRE keeplives enabled under tunnel interfaces will put the line protocol of tunnel to down... I have tested this in LAB !!!
  why is it so , what is the workaround to use keepalives with VRF ........

  Hello,
  It is caused by the way how the GRE keepalives work. I suggest reading these two documents first:
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml
  http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008040a17c.shtml
  In short, a router sending keepalive in essence constructs an IP packet whose source is the remote endpoint and recipient is the router itself. It then encapsulates it using GRE and attaches another IP header to it with the send being itself and destination being the remote end. This packet will be sent to the remote end, there it will be decapsulated and afterwards it will be routed as usual, thereby returning the inner IP packet back to the original sender.
  Obviously, this keepalive mechanism is not integrated with the VRF feature. The keepalive packet may arrive at the remote endpoint but after it is decapsulated the association with the receiving Tunnel interface is obviously lost and the remote endpoint tries to route that packet back using the global routing table, not the VRF in which the tunnel resides. This in turn causes the keepalive packet to never return.
  I am unfortunately not aware of any backup keepalive mechanism for this, apart of running routing protocols over the tunnel with more aggresive hello and dead intervals.
  Best regards,
  Peter

• L3 MPLS-VPN with ATM Interfaces

  Hi
  I tacked a L3 MPLS-VPN from a MPLS service provider.My VPN have three points.
  In first point, I have a PA-A3-OC3 over cisco router 7206. how can I config to place PVC1/2 into VPN?

  You need that pvc to be under a separate sub-interface and then you can configure "ip vrf for " under that sub-interface.
  Hope this helps,

• MPLS, GRE (with no IPSEC) & Dynamic Routing

  Good day my friends!
  Just wondering if any of you could help shed some light on how I would do something. We are switching over from a Point to Point connection between sites to an MPLS one. I have read that Multicast is not permitted across MPLS, so after terminating the MPLS circuits into our network, I created some GRE Tunnels to allow for Multicast (for Dynamic routing as well as Music on Hold)... Everything went well, other then all traffic between the sites is going over the Tunnel interfaces. I would prefer that only multicast traffic go over the GRE tunnel and all other traffic traverse the MPLS without GRE Encapsulation.
  I attempted to do this by doing the following... I wrote an access list indicating Multicast source addresses, then created a route map and did a match ip address acl and set interface to tunnel. then I applied that route map to the vlan (although it doesn't give me the option for direction on the 6509 switch) that the single interface is a member of. That interface goes to the router provided by the service provider. I did the same in the other site as well (2811 router, appied to the interface). What have I done wrong so far?
  We run EIGRP and I did inject the tunnel ip addresses into eigrp, after which traffic started going across it (the tunnel). I need to make sure that routing can find a path via MPLS in EIGRP outside of GRE, and for that all I have done so far is create static routes (on our 6509 and 2811 devices that the MPLS terminates to) with the destination subnet being in the other site between the qwest router and our router (Did that at both sites). I havent created any static routes for remote sites internal subnets because I would like EIGRP to do that, I don't want to rely on Static routes for routing between sites as far as our internal routing.
  So I guess, my question is 2 fold:
  What else do I need to do to get EIGRP to know about the path between sites over MPLS besides through the GRE tunnel?
  How would you control traffic so only Multicast traversed the GRE tunnel where all other traffic would go over MPLS natively?
  Any help you could lend would be very much appriciated!

  Thanks for the reply Laurent!
  Ok, so I just got off the phone our SP and they said they do not support Multicast transport over MPLS... so your assumption is correct...
  I see, so it sounds like I want to stay away from allowing all traffic to traverse between sites over MPLS via GRE... I never considered the issue with scaling when using GRE for all traffic. Good to know!
  While I was on the phone with our SP, I talked with them about routing protocol's they support via MPLS, to which they responded with BGP as really the only option.
  FYI, this is our current WAN arrangement between 2 of the sites:
  Site A>Cisco 2811>Adtran Router (SP provided)>PE-PESite B
  Site A>Cisco 2811 (same as above)>Adtran Router (SP provided)>PE-PESite B
  The SP suggested we run OSPF between our hardware and the Adtran routers and then 2-way redistribute subnets between EIGRP to OSPF and then from OSPF to BGP as follows:
  EIGRP ran inside Site A and B
  OSPF running on outside facing interface on 2811 and 6509
  OSPF running on inside interfaces on Adtran routers
  Private AS BGP running on Adtran with Public AS neighbor to PE device
  This should work, but wouldn't it work for me to just configure BGP on our 2811 and have a IBGP adjacency between it and the Adtran Router and then filter what routes are redistributed from and to IBGP on our 2811 into EIGRP? If this would work, does one design have any advantages over the other? It seems like the EIGRP to OSPF to BGP idea has to many moving parts...
  My objective is to allow all devices in all locations (4 MPLS sites) to route dynamically, verses relying on static routes.
  Regarding the Tunnel config's... I see... Excellent example. OK, so it sounds and looks like I would first configure each site with the routing protocol solution, then, implement GRE with per the example provided, and that would accomplish Multicast over GRE and everything else over MPLS! Thanks alot Laurent!
  So what would you recommend regarding the routing protocol structure?

• MPLS TE with MPLS VPN

  Hi there,
  I'm looking for some basic configuration to turn on mpls te over existing mpls vpn. Worried to effect mpls vpn customers.
  Perhaps a link would be great!
  thanks in advance.
  maher

  There is many scenarios involving TE and MPLS VPN.
  If you have MPLS TE from ingress to egress PE, the lsp used to go from one PE to the other is signalled using RSVP instead of LDP/TDP.
  If you configure TE between the core routers then you need to runn LDP/TDP on the tunnel interface for LDP to learn labels via that pseudo interface. This second scenario involves that at some point up to 3 labels (TE lsp label, IGP label, service label) might be applied to the MPLS packets instead of your regular 2 label (IGP label, service label).
  Hope this helps,

• Selective Route Import/Export in MPLS VPN

  Champs
  I have multiple brach locations and 3 DC locations.DC locations host my internal applications , DC's  also have central Internet breakout for the region. My requirement is to have full mesh MPLS-VPN but at same time brach location Internet access should be from nearest IDC in the region  if nearest IDC is not availalbe it should go to second nearest DC for internet.I have decided which are primary and seconday DC for Internet breakout. How can this be achieved in MPLS-VPN scenario.Logically i feel , i have to announce specific LAN subnet and default route(with different BGP attribute like AS Path)  from all 3 DCs. Spokes in the specific region should be able to import default route  from primary DC and secondary DCs only  using some route filter?
  Regards
  V

  Hello Aaron,
  the route example works for all routers except the one, where the VRF vpn2 is configured. What you can do for management purposes is either to connect through a neighbor router using packet leaking or configure another Loopback into VRF vpn2.
  The last option (and my recommendation) is to establish another separate IP connection from your NMS to the MPLS core. Once VRFs are failing (for whatever reason, f.e. erroneously deleted) you might just not get connectivity to your backbone anymore to repair what went wrong.
  So I would create an "interconnection router" with an interface in the VRF vpn2 and one interface in global IP routing table. This way you will still be able to access PEs, even if VRFs or MBGP is gone.
  Hope this helps! Please rate all posts.
  Regards, Martin

• Redundant access from MPLS VPN to global routing table

  Several our customers have MPLS VPNs deployed over our infrastructure. Part of them requires access to Internet (global routing table in our case).
  As I'm not aware of any methods how to dynamicaly import/export routes between VRF/Global routing tables, at the moment there are static routes configured - one inside VRF pointing to global next hop, another one in global routing table, pointing to interface inside VRF.
  Task is to configure redundant access to Internet. By redundancy I mean using several exit points (primary and backup), what physically represents separate boxes.
  Here comes tricky part - both global static routes (on both boxes, meaning) are valid and reachable in all cases - no matter if specific prefix is reachable in VRF or not. What I'd like to achieve is that specific static route becomes valid only if specific prefix is reachable inside VRF. Yea, sounds like dynamic routing :), I know
  OK, hope U got the idea. Any solutions/recommendations ? Running all Internet routing inside VRF isn't an option, at least for now :(

  Hi Andris,
  I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
  dot1q will be ok as well.
  This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
  Example:
  PE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0/0.1 point-to-point
  description customer VPN access
  ip vrf customer
  ip address 10.1.1.1 255.255.255.252
  interface Serial0/0.2 point-to-point
  description customer Internet access
  ip address 192.168.1.1 255.255.255.252
  router rip
  address-family ipv4 vrf customer
  version 2
  network 10.0.0.0
  no auto-summary
  redistribute bgp 65000 metric 5
  router bgp 65000
  neighbor 192.168.1.2 remote-as 65001
  address-family ipv4 vrf customer
  redistribute rip
  CE config:
  interface Serial0/0
  encapsulation frame-relay
  interface Serial0.1 point-to-point
  description VPN access
  ip address 10.1.1.2 255.255.255.252
  interface Serial0.2 point-to-point
  description Internet access
  ip address 192.168.1.2 255.255.255.252
  router bgp 65001
  neighbor 192.168.1.1 remote-as 65000
  router rip
  version 2
  network 10.0.0.0
  no auto-summary
  Of course you can replace RIP with whatever is suitable for you. And don´t sue me when you do not apply required BGP filters for internet access... ;-)
  The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the numbers of prefixes in your VRF mini-internet.
  Regards
  Martin

• Managing Route-Map based MPLS VPN

  1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
  2) Is there any MIB to get from the MIB
  a) Route-maps tied to each VRF
  b) What is the filter associated with each route-map?
  c) Definition of each of the above filter
  It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
  It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
  So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
  Thanks,
  Suresh R

  Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
  The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

• How can I find the all path available for a MPLS VPN in SP network

  How can I find the all path available for a MPLS VPN in SP network between PE to PE and CE to CE?

  Hi There
  If we need to find all the available paths for a remote CE from a local PE it will depend upon whether its a RR or non-RR design. If the MP-iBGP deisgn is non-RR  the below vrf specific command
  sh ip bgp vpnv4 vrf "vrf_name"  will show us the MP-iBGP RT for that particular VPN. It will show us the next hop. Checking the route for same in the Global RT will show us the path(s) available for same ( load-balancing considered) .Then we can do a trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback to get the physical Hops involved.
  However if the design is RR-based there might be complications involved when the RR is in the forwarding path ie we have NHS being set to RR-MP-iBGP loopback and the  trace using the Local PE MP-iBGP loopback as source to remote PE's MP-iBGP loopback will get us the physical Hops involved.
  If we have redundant RRs being used with NHS being set then the output of sh ip bgp vpnv4 vrf "vrf_name" will show us two different available paths for the remote CE destination but just one being used.
  RR-based design with no NHS being used will always to cater to single path for the remote CE detsination.
  So in any case the actual path used for the remote CE connectivity would be a single unless we are using load-balancing.
  Hope this helps you a bit on your requirement
  Thanks & Regards
  Vaibhava Varma

• MPLS VPNs - Latency

  Hello All,
  I have a MPLS VPN setup for one of my sites. We have a 10M pipe (Ethernet handoff) from the MPLS SP, and it is divided into 3 VRFs.
  6M - Corp traffic
  2M - VRF1
  2M - VRF2
  The users are facing lot of slowness while trying to access application on VRF1. I can see the utilization on the VRF1 is almost 60% of it's total capacity (2M). Yesterday when trying to ping across to the VRF1 Peer in the MPLS cloud, I was getting a Max response time of 930ms.
  xxxxx#sh int FastEthernet0/3/0.1221
  FastEthernet0/3/0.1221 is up, line protocol is up
    Hardware is FastEthernet, address is 503d.e531.f9ed (bia 503d.e531.f9ed)
    Description: xxxxx
    Internet address is x.x.x.x/30
    MTU 1500 bytes, BW 2000 Kbit, DLY 1000 usec,
       reliability 255/255, txload 71/255, rxload 151/255
    Encapsulation 802.1Q Virtual LAN, Vlan ID  1221.
    ARP type: ARPA, ARP Timeout 04:00:00
    Last clearing of "show interface" counters never
  I also see a lot of Output drops on the physical interface Fa0/3/0. Before going to the service provider, can you please tell me if this can be an issue with the way QoS is configured on these VRFs?
  xxxxxxx#sh int FastEthernet0/3/0 | inc drops
    Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3665
  Appreciate your help.
  Thanks
  Mikey

  Hi Kishore,
  Thanks for the clarification. Let me speak to the service provider and see if we can sort out the Output drops issue.
  I had a few more queries.
  1) Will output drops also contribute to the latency here?
  2) The show int fa0/3/0.1221 output below only shows the load on the physical interface (fa0/3/0) and not of that particuar interface.Right?
  xxxxxx#sh int fa0/3/0.1221 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  xxxxx#sh int fa0/3/0 | inc load
       reliability 255/255, txload 49/255, rxload 94/255
  I can try and enable IP accounting on that sub-interface (VRF) and see the load. Thoughts?
  3) As you said, if the 2M gets maxed out I would see latency as the shaper is getting fully utilized. But I don't see that on the interface load as mentioned above? I have pasted the ping response during the time load output was taken. I can;t read much into the policy map output, but does it talk anything about 2M being fully utilized and hence packets getting dropped.
  xxxxxxx#ping vrf ABC x.x.x.x re 1000
  Type escape sequence to abort.
  Sending 1000, 100-byte ICMP Echos to x.x.x.x, timeout is 2 seconds:
  Success rate is 99 percent (997/1000), round-trip min/avg/max = 12/216/1972 ms
  xxxx#sh policy-map interface fa0/3/0.1221
  FastEthernet0/3/0.1221
    Service-policy output: ABC
      Class-map: class-default (match-any)
        114998 packets, 36909265 bytes
        5 minute offered rate 11000 bps, drop rate 0 bps
        Match: any
        Traffic Shaping
             Target/Average   Byte   Sustain   Excess    Interval  Increment
               Rate           Limit  bits/int  bits/int  (ms)      (bytes)
            2000000/2000000   12500  50000     50000     25        6250
          Adapt  Queue     Packets   Bytes     Packets   Bytes     Shaping
          Active Depth                         Delayed   Delayed   Active
          -      0         114998    36909265  1667      2329112   no
  Thanks
  Mikey

• MPLS VPN support for VPNv6

  All,
  which routers and IOS has MPLS VPN support for VPNv6?
  regards
  Devang Patel

  Hello Devang,
  in the feature navigator look for the 6VPE feature for example a C7609 with sup720 3BXL and IOS 12.2(33)SxHa2 has the vpnv6 address-family.
  see for example
  http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html
  you still need an MPLS/Ipv4 core or an ipv4 core if using GRE tunnels:
  Table 1 Feature Information for Implementing IPv6 VPN over MPLS
  Feature Name Releases Feature Information
  IPv6 VPN over MPLS (6VPE)
  12.2(28)SB
  12.2(33)SRB
  12.4(20)T
  The IPv6 VPN (6VPE) over a MPLS IPv4 core infrastructure feature allows ISPs to offer IPv6 VPN services to their customers.
  This entire document provides information about this feature.
  MPLS VPN 6VPE support over IP tunnels
  12.2(33)
  SRB1
  This feature allows the use of IPv4 GRE tunnels to provide IPv6 VPN over MPLS functionality to reach the BGP next hop.
  This following sections provide information about this feature:
  •6VPE Over GRE Tunnels
  Hope to help
  Giuseppe

• Unable proxy ping using CISCO-PING-MIB in MPLS VPN ?

  using CISCO-PING-MIB in MPLS VPN ?
  In CISCO-PING-MIB.my document, wu can use the CISCO-PING-MIB to
  Proxy ping the hosts in the MPLS VPN (vrf).
  But when i do it, router will return the message:
  errstat =12; errindex = 1(ciscoPingProtocol).
  If Router isn't configed vrf, can proxy ping.
  If set the error vrf name in snmp packet,
  errstat=10; errindex=8(vrfname)
  Do Cisco Support Proxy ping with vrf???

  sorry, i don't use unix station, i program to send snmp messages.
  parameters:
  ciscoPingProtocol = 1(IP);
  ciscoPingAddress =x.x.x.x;
  ciscoPingPacketCount=
  ciscoPingPacketSize=
  ciscoPingPacketTimeout=
  ciscoPingDelay=
  ciscoPingEntryStatus=4;
  ciscoPingVrfName="vpn1";
  The parameters is right, because when i don't use ciscoPingVrfName, i can
  ping the address.
  But i set the ciscoPingVrfName="vpn1", the error is received.
  thanks.