MPLS VRF configuration on CE router

I have the following scenario.
CE1----PE1---P---PE2---CE1
---CE2
From PE2 to CE2 there are two links.
The customer wants VRF configuration on the CE2 router on one link.
I have configured the VRF between PE2 and CE2 on one link. I have also configured the RD and RT parameters in the VRF.
I am using BGP as the routing protocol between PE and CE. Can you please let me know whether I have to configure MP-BGP between PE2 and CE2 to carry RD and RT values from CE2 to PE2?

Only if you are extending MPLS VPN down to your CE. MP-BGP propagates VPNv4 updates tagged with a VPN label among PE routers only.
Normally an IGP protocol such as OSPF is used between PE-CE. You can configure OSPF in the VRF associated with the VPN and associate the interface connected to the CE with the VRF. OSPF routes can then propagate from a CE to a PE when an OSPF adjacency has formed between the two routers. OSPF adds routes to the VRF's forwarding table at the PE side with routes learned from the CE.
See this: http://www.juniper.net/techpubs/software/erx/erx50x/swconfig-routing-vol2/html/bgp-mpls-vpns-config5.html

Similar Messages

  • MPLS VRF Routes Leaking

    I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
    Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
    What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

    You could use one of the following ways to implement Internet access for L3 MPLS VPN:
    1. Using a separate PE interface in the global routing table: in this case the FWSM and an interface in the PE/PEs will need to be in the global routing table to have Internet access, and then you can inject that route into the VRF/VRFs.
    2. Internet access using route leaking between VRFs and the global routing table: with this method you will need to configure a static default route with a next hop of an Internet gateway (in your case the FWSM) reachable through the global routing table. This VRF default route needs to be injected/redistributed into the PE-CE routing (MP-BGP) to provide outbound Internet connectivity to your VRFs.
    Inbound traffic from the Internet will require either a NATed VRF or static routes from the global routing table pointing to the VRF interface.
    3. The other method is the use of a shared service: with this method you need to put the Internet service FWSM in its own VRF; then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs' route-target values.
    good luck
    if helpful Rate

  • Full internet routes in MPLS-VRF

    hi~ all
    I am a bit confused about whether it is a good idea to load full Internet routes into an MPLS VRF, where there is no service routing in the core network, only topology routing. There are dual upstream ISPs connecting to the ASBR. If I load these two full Internet route tables into a VRF on the 7600, is that possible? Does it take a long time to load the routes into the VRF?
    Could someone give me a proposal or share some experience with Internet routes in a VRF? Thanks.

    It's not a good practice to load all the Internet routes in the VRF. Do use VRF leaking. For this, create a VRF named internet which will be loaded with the default route, export that route with the RD, and import that route in your particular VRF. With this you will have only 1 route in the VRF.
    regards
    shivlu

  • Use of TFTP to upgrade CE XR router via mgmt vrf from PE XR router

    I have a few CE routers that require an extra module loading.
    These routers have no access to the default vrf on a core router, they can only be accessed for management via that vrf.
    Is there any way to upload via TFTP (or any other protocol) an image file from one of the core routers to the CE?
    I cannot find a way of instructing the client (CE) router to specify a VRF in the copy tftp command string. On the CE I have configured the tftp client to use the management vrf, but every copy attempt results in 'no route to host' messages.
    The routers are all ASR9000 running 4.3.0 code.
    Initially these were configured using the default vrf and the copy process worked fine, but not when using another vrf.

    hi,
    You would need to specify the management vrf. Example of copying a tar file to harddisk on the asr9k,
    then untarring it, and installing:
    a)copy ftp://user:[email protected];Mgmt_VRF/tftpboot/xr/423/ASR9K-iosxr-px-k9-4.2.3.tar harddisk:/sw/423
    b) cd harddisk:/sw/423 then type "run"
    c) tar -xvf ASR9K-iosxr-px-k9-4.2.3.tar   (to untar the tar image)
    d) admin install add source harddisk:/sw/423 asr9k-mini-px.pie-4.2.3 asr9k-mgbl-px.pie-4.2.3 asr9k-k9sec-px.pie-4.2.3 asr9k-mcast-px.pie-4.2.3 asr9k-mpls-px.pie-4.2.3 asr9k-fpd-px.pie-4.2.3 activate sync prompt-level none   (note the spaces!!)
    Note: if you don’t have a management VRF, then the Mgmt_VRF CLI is not needed
    hth,
    david

  • Should Wireless be in its own MPLS VRF?

    Hi,
    I already have an answer I like on this one, "YES!".
    Unfortunately I don't live in Mike-land while I'm at work. I need some reference architectures or authoritative security guides that explain why this is a best-practice, (at least where MPLS VRF's are available for use).
    My short list of reasons is:
    - More refined segmentation
    - Easier standardization practices and associated documentation for tier I/IIs support staffs
    - Easier to trouble-shoot when route tables are differentiated, (wireless VRF's and wired VRF's)
    - Easier to observe and isolate traffic, (at firewall or router) in case of security breach
    ...I could go on.
    Any good documentation on this out there?  I can't find much.
    Any help appreciated,
    M.

    As Malcolm says, don't partition. You have a relatively small drive and partitioning will cramp OSX which needs a lot of free disk space to run optimally. The only reason I can see to put OSX on its own partition is if you want to have multiple copies on a computer. The other reason to partition is for convenience in making backups but that's going beyond your immediate question.

  • MPLS - How are external/internal routes distinguished?

    Hi all
    I was setting up an MPLS environment and wanted to get some more information about how MPLS VPN's work. Basically I have three sites connected to the MPLS cloud. Site A runs EIGRP on the customer side and Site B runs OSPF on the customer side. Site C is the one in question. The way I have it designed, Sites A and C have full visibility into one another and sites B and C have full visibility into one another. When I configure site C with eigrp, all proper routes are seen, but the OSPF routes from site B are seen as EIGRP external routes. When I switch site C to OSPF, EIGRP routes from site A are seen as OSPF External type 2 routes. I guess my ultimate question is, How does the PE router at site C know the originating protocol? All the routes it receives are from BGP. Does a certain attribute carry this? If so, is this feature specific to Cisco gear or an RFC standard? Thanks in advance for all your help. I can include configs if that would help, below I'll show you my RD and RT's for each VRF and the routing tables of the CE router at Site C before and after the change.
    Site A
    ip vrf a
    rd 1:111
    route-target export 1:100
    route-target import 1:101
    Site B
    ip vrf c
    rd 3:333
    route-target export 3:301
    route-target import 1:101
    Site C
    ip vrf a
    rd 1:111
    route-target export 1:101
    route-target import 1:100
    route-target import 3:301
    Change from EIGRP to OSPF
    Gateway of last resort is not set
         6.0.0.0/32 is subnetted, 1 subnets
    D       6.6.6.6 [90/435200] via 10.2.1.1, 00:05:26, Ethernet0/0
         7.0.0.0/32 is subnetted, 1 subnets
    C       7.7.7.7 is directly connected, Loopback1
         8.0.0.0/32 is subnetted, 1 subnets
    D EX    8.8.8.8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
    D EX 111.0.0.0/8 [170/2560025856] via 10.2.1.1, 00:02:13, Ethernet0/0
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C       10.2.1.0/24 is directly connected, Ethernet0/0
    D       10.1.1.0/24 [90/307200] via 10.2.1.1, 00:05:56, Ethernet0/0
    D       10.20.0.0/16 [90/435200] via 10.2.1.1, 00:05:56, Ethernet0/0
    C       10.77.0.0/16 is directly connected, Loopback2
    D EX 192.168.1.0/24 [170/2560025856] via 10.2.1.1, 00:02:43, Ethernet0/0
    R7(config)#no router eigrp 22
    *Mar  1 02:10:20.747: %DUAL-5-NBRCHANGE: IP-EIGRP(0) 22: Neighbor 10.2.1.1 (Ethernet0/0) is
    down: interface down
    R7(config)#router ospf 3
    R7(config-router)#network 10.0.0.0 0.255.255.255 area 0
    R7(config-router)#network 7.7.7.7 0.255.255.255 area 0
    R7(config-router)#end
    R7#show ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    Gateway of last resort is not set
         6.0.0.0/32 is subnetted, 1 subnets
    O E2    6.6.6.6 [110/409600] via 10.2.1.1, 00:00:27, Ethernet0/0
         7.0.0.0/32 is subnetted, 1 subnets
    C       7.7.7.7 is directly connected, Loopback1
         8.0.0.0/32 is subnetted, 1 subnets
    O IA    8.8.8.8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
    O IA 111.0.0.0/8 [110/21] via 10.2.1.1, 00:00:27, Ethernet0/0
         10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
    C       10.2.1.0/24 is directly connected, Ethernet0/0
    O E2    10.1.1.0/24 [110/1] via 10.2.1.1, 00:00:26, Ethernet0/0
    O E2    10.20.0.0/16 [110/409600] via 10.2.1.1, 00:00:26, Ethernet0/0
    C       10.77.0.0/16 is directly connected, Loopback2
    O IA 192.168.1.0/24 [110/11] via 10.2.1.1, 00:00:26, Ethernet0/0
    R7#trace 6.6.6.6
    Type escape sequence to abort.
    Tracing the route to 6.6.6.6
      1 10.2.1.1 652 msec 396 msec 192 msec
      2 40.1.1.9 [MPLS: Labels 18/24 Exp 0] 2264 msec 2640 msec 2532 msec
      3 30.1.1.3 [MPLS: Labels 18/24 Exp 0] 2320 msec *  *
      4 10.1.1.1 [MPLS: Label 24 Exp 0] 1816 msec 1792 msec 2148 msec
      5 10.1.1.2 1940 msec *  2200 msec
    R7#

    Hello Edward,
    I see nothing strange in the results you have posted. They are completely natural to the process of carrying customer routes over MPLS L3 VPN.
    You know yourself that the customer routes are carried between PE routers using BGP, and from PE towards CE, these routes are redistributed from BGP into the particular routing protocol running between PE and CE. Each of these routing protocols automatically marks redistributed networks as external networks. For OSPF, this is a normal part of the open protocol specification - that routes injected into OSPF via redistribution shall be represented as external routes (and carried in LSA-5). Similarly, when you redistribute into EIGRP from a different routing protocol, these routes will be carried by EIGRP as external networks. So what you see here is natural and normal. Even if all sites ran the same routing protocol (EIGRP or OSPF), one site would see networks from other sites as external routes.
    In fact, there are extensions to BGP using extended community attributes that try to preserve the original nature of the redistributed routes. The prerequisite is that all sites run the same IGP, either OSPF or EIGRP. In that case, EIGRP routes carried over MPLS can be made look like internal routes although they are redistributed, and OSPF will make the routes appear as inter-area routes, not as external routes. There is even a modification to OSPF allowing you to see other sites as intra-area routes (though this requires configuring so-called OSPF sham links between PEs). All of this is done because an internal network is always preferred to an external network. This causes trouble if there is a backup link directly interconnecting two sites, bypassing the MPLS cloud. As the routing protocol run over this link advertises all networks as internal, this link would always be preferred to the MPLS VPN which is exactly the opposite of what you want to do.
    Please feel welcome to ask further!
    Best regards,
    Peter
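
The RD/RT stanzas in the question decide which sites exchange routes at all, separately from how those routes are later marked (external or inter-area). As an added example (not part of the original thread), this Python script parses those three stanzas and audits which VRF imports which; the `! Site` comment lines, the `INTENDED` pairs and all function names are assumptions made for the illustration.

```python
import re

# Constructed input: the RD/RT stanzas quoted in the question, with each site
# label turned into a "!" comment line so the two VRFs named "a" stay distinct.
CONFIG = """\
! Site A
ip vrf a
 rd 1:111
 route-target export 1:100
 route-target import 1:101
! Site B
ip vrf c
 rd 3:333
 route-target export 3:301
 route-target import 1:101
! Site C
ip vrf a
 rd 1:111
 route-target export 1:101
 route-target import 1:100
 route-target import 3:301
"""

# Assumption taken from the question's text: A<->C and B<->C may talk, A<->B may not.
INTENDED = [("Site A", "Site C"), ("Site B", "Site C")]

def parse_vrfs(text):
    """Parse 'ip vrf' stanzas into {site: {'export': set, 'import': set}}."""
    vrfs, site, cur = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"!\s*(.+)", line):
            site, cur = m.group(1), None
        elif re.fullmatch(r"ip vrf \S+", line):
            cur = vrfs[site] = {"export": set(), "import": set()}
        elif cur is not None and (
                m := re.fullmatch(r"route-target (export|import|both) (\S+)", line)):
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                cur[kind].add(m.group(2))
    return vrfs

def route_flows(vrfs):
    """(sender, receiver) pairs where the receiver imports an RT the sender exports.
    The RD plays no part here; it only keeps VPNv4 prefixes unique."""
    return {(s, r) for s in vrfs for r in vrfs
            if s != r and vrfs[s]["export"] & vrfs[r]["import"]}

def audit(vrfs, allowed_pairs):
    """Report flows outside the intended pairs and intended pairs that are one-way."""
    flows = route_flows(vrfs)
    allowed = {frozenset(p) for p in allowed_pairs}
    findings = [f"LEAK: {s} routes are imported by {r}"
                for s, r in sorted(flows) if frozenset((s, r)) not in allowed]
    for a, b in sorted(tuple(sorted(p)) for p in allowed):
        if ((a, b) in flows) != ((b, a) in flows):
            findings.append(f"ONE-WAY: {a} <-> {b} is imported in one direction only")
    return findings

if __name__ == "__main__":
    vrfs = parse_vrfs(CONFIG)
    for sender, receiver in sorted(route_flows(vrfs)):
        print(f"{sender} -> {receiver}")
    print(audit(vrfs, INTENDED) or "no findings")
```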

  • Carrying CLNS inside MPLS VRF

    Is there a way to carry CLNS traffic inside MPLS VRF?

    To configure a router running Intermediate System-to-Intermediate System (IS-IS) so that it floods Multiprotocol Label Switching (MPLS) traffic engineering (TE) link information into the indicated IS-IS level, use the mpls traffic-eng command in router configuration mode

  • MPLS VRF OSPF interfaces not working

    P/PE router VRF ospf interfaces unable to receive or advertised routing to and from CE router.
    Config attached.
    Routes from PE VRF nortel should be forwarded to the CE router.
    So should routes from the CE 50.50.50.0 network.
    Any ideas?

    Hello,
    Looks to me as if you did not start the ospf process in the VRF. So adjust the config according to:
    interface Serial2/0
    description MPLS VRF 1:1 connection to Cisco 2611 PPP
    ip vrf forwarding nortel
    ip address 200.0.30.1 255.255.255.0
    encapsulation ppp
    clock rate 128000
    interface FastEthernet4/0
    description MPLS connection for vrf Nortel 1:1
    ip vrf forwarding nortel
    ip address 70.70.70.1 255.255.255.0
    duplex auto
    speed auto
    no router ospf 1
    router ospf 1 vrf nortel
    network 200.0.30.0 0.0.0.255 area 0
    network 70.70.70.1 0.0.0.0 area 0 !In case you want OSPF over this interface as well
    With the current config I would assume that you do not see an OSPF adjacency on the CE.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • MPLS VRFs and DMVPN

    Hello,
    we try to build a DMVPN Solution and try to integrate this solution into our MPLS network.
    Can anybody give me some information about DMVPN and MPLS VRF configuration?
    Thanks
    Peer

    Try this link, might help http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

  • MPLS VRFs hanging routes

    Hi all,
    We've a cell-based MPLS network (based on BPX 8600/LSC 7200 acting as the P and MGXs with RPMs acting as the PEs and connected with E3s to the BPX).
    On those PEs...we're running MPLS VPNs for our customers and there're 2 PEs acting as Route Reflectors for all the other PEs for reflecting the MP-BGP routes for the VRFs.
    The problem is that with any RPM reloads or any interface flapping or without any reason....all of a sudden we found that a VRF customer that has for example 2 branches....one of them connected to POPX and the other branch connected to POPY complaining that there's no connectivity bet the 2 branches although when issuing the command " sh ip route vrf Customer AAA " on the PE of POPX we found that the IBGP routes of the other branch are present in its VRF routing table.....but still the 2 branches cannot ping each other.
    The same problem may be repeated for all VRF customers connected bet those 2 POPs and aren't solved except when issuing the command on the PE of POP X "clear ip route (lpbk add of the PE in POPY)"
    After that command....everything is OK and the 2 branches can ping each other without problems.
    After some investigation...we found that this problem is due to an LSC bug....the suspected bugs were CSCea21665 and CSCea74222 and the workaround for those bugs are "clear ip route (Remote PE lpbk add)"
    As listed in those bugs also, the fix for them is in IOS 12.2(15)T05 and higher....so we upgraded our LSC from ver 12.2(8)T4 to the latest 12.2(19).
    Unfortunately we found that the problem is not yet solved and still the same symptoms appear for the VRFs.....and that means that upgrading the IOS ver for the LSC is not enough and there's a step yet missing for avoiding that fatal problem.
    So has anyone faced this problem before ??? and if yes what were the steps done to avoid it other than the famous workaround "clear ip route (Remote PE lpbk add)"???

    Mohamed,
    I read your problem, because I'm interested in all the WAN switching staff.
    Look at bug CSCea21665 on CCO, the fix is not integrated in 12.2 main line, so you have to go to one of the following minimum IOS 12.2(15)T05, 12.2(17.6)S, 12.3(1.9), 12.3(1.9)T, 12.0(25.3)S01, 12.2(11)T09, 12.2(15)ZK, 12.3(2.3)B, 12.2(15)ZK01.
    Look at Bug CSCea74222, it's fixed in
    12.2(15)T03, 12.3(1.5), 12.3(1.5)T, 12.2(17.3)S, 12.2(15)ZK, 12.3(2.3)B
    From that two bugs, do not use 12.2 main line, the fix is not integrated.
    Don't use 12.3, it's too new ;-))
    I would recommend 12.2(15)T05 or higher, that means 12.2(15)T07
    Then you shouldn't see the problem again.
    regards
    Dietmar

  • L3 MPLS network without P router, all PE to PE plus daisy chaining

    Guys, is it possible to run a core L3 MPLS network over 7600s and 3800s without any P routers? The reason I ask is because of the particular situation where we will have to daisy chain PE routers due to lack of fiber.
    any thoughts?

    As Martin says, absolutely limited problems with this; it will work a charm UNTIL you run into scaling issues. You are daisy chaining all the PEs, which would also suggest to me that you are daisy chaining your RRs. In an MPLS network the RRs have enough state to handle to keep them busy enough without also having to deal with passing labels about the network. Also you will have any Cisco account team breaking down your door putting the fear of god into you for not having at least 2 P routers ;-). So yes, you can indeed run it like you say, but the lifetime of your network will be very limited indeed. If you're not an SP then don't be concerned - unless you are an enterprise with 10000000s of routes, then I'd start to worry. Oh, they (Cisco) also state that PEs also have enough to do in their life without passing labelled packets about the place. Sit and think about what your poor PE is having to do daily: it could be 100 VRF routing tables, which in turn means layer 3 lookups to find out where the packet has to go, QoS, multicast, BGP, OSPF, RIP, EIGRP, your own internal IGP, TE tunnels, RSVP - this poor router has enough to do without also adding transit traffic. ;-)

  • IOS Upgrade originating from a MPLS VRF

    What is the equivalent MPLS "copy tftp flash" command to copy an image from a TFTP server located in a VRF? I can't get the router to pull IOS images unless the TFTP server is located in the Global Routing Table. I do realize this may be a stupid question btw... :)

    Martin,
    You are correct that the "ip tftp source-interface" command will get it to work but only for images integrating CSCea89507.
    Use the following link to find out in which images this DDTS is integrated:
    http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCea89507
    Hope this helps,

  • Extending a MPLS VRF from a local to a remote location

    I am building a L3 MPLS network in our configuration center in Chicago.  The challenge at hand is that during user acceptance testing of all applications a group of individuals will need to travel from So. Florida to Chicago, and our management would like to test some/all of these applications remotely.  What will be the best way to extend the VRF from one location to another?  My original thought is to request a dark fiber from the service provider and extend the CE device to our lab.
    Any ideas....

    If you use this fiber and configure the interface of the router in the Chicago center to belong to a VRF, the traffic will work, only for this VRF. However, you will not be extending your MPLS domain to the other point. Ideally, it is necessary for all sets to participate in the infrastructure domain so that you can configure any MPLS VPNs as necessary.
    tks,
    Fábio

  • TACACS aware MPLS VRF

    Hello,
    we are building MPLS VPN network that includes CE routers with ISDN BRI backup to MPLS VPN core, using L2TP dial-in access. Domain authentication and user authentication for CE routers are done at RADIUS server, through AV pairs which place the CE router in proper VRF.
    Question is: could this be achieved with TACACS server as well? Could TACACS server place CE routers in proper VRF? If this is not supported, is there a plan to support it?
    Thanks a lot for your help!

    Going by what I know, vrf is configured on PE. The CE doesn't have any knowledge of vrf. Am I missing something?

  • MPLS / VRF

    Hello,
    how is it possible that VRF can be routed from one site to another site by the core routers?
    It is clear that the VRF must be configured and each interface is to be assigned.
    In addition, the IGP / redistribution between PE-CE and MP-BGP is to be configured.
    I found the following configurations in the documentation to configure the PE-Routers in the Core:
    (Configuring MP-BGP):
    PE 1:
    router bgp 1
    neighbor x.x.x.x remote-as 1
    neighbor x.x.x.x update-source loopback0
    address-family vpnv4
    neighbor x.x.x.x activate
    neighbor x.x.x.x send-community both
    exit-address-family
    PE 2:
    router bgp 1
    neighbor x.x.x.x remote-as 1
    neighbor x.x.x.x update-source loopback0
    address-family vpnv4
    neighbor x.x.x.x activate
    neighbor x.x.x.x send-community both
    exit-address-family
    What additional commands are required that a router from one location can ping a router to another location in the same VRF successful?
    Thanks for your help!

    Hello, 
    From the above configuration it looks like that you have configured MP-BGP. This is important for VRF to VRF communication over MPLS enabled backbone (MPLS VPN) since  MP-BGP propagates virtual routing and forwarding (VRF) reachability information to all members of a VPN community. MP-BGP peering must be configured on all PE devices within a VPN community. 
    Below are 2 links which clearly suggests what all things are required for VRF to VRF communication and reason for it. 
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/mp_l3_vpns/configuration/15-mt/mp-l3-vpns-15-mt-book/mp-bgp-mpls-vpn.html
    http://www.cisco.com/c/en/us/support/docs/multiprotocol-label-switching-mpls/mpls/13733-mpls-vpn-basic.html
    HTH,
    Nikhil 
