MPLS VRFs and DMVPN

Hello,
We are trying to build a DMVPN solution and integrate it into our MPLS network.
Can anybody give me some information about DMVPN and MPLS VRF configuration?
Thanks
Peer

Try this link, might help http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

Similar Messages

  • VRF and MPLS

    Is it possible to connect a CE via vrf to a PE (ISP) running full MPLS?

    I believe the support for MPLS is there for 3750-Metro range. If you have a Cat 3750 then MPLS is not supported.
    But you can although configure MultiVRF CE as described in an earlier post in this thread.
    You can run a layer 2 trunk to your next-hop Full MPLS PE and create dot1q subinterfaces on both sides for the required number of VRFs. There shouldn't be any performance issues as far as I know with this setup.
    In fact not carrying your IBGP to your aggregation edges (CE's) you have a leaner network, which is the way to go for enterprises trying to virtualize their network.
    Here is a reference link for configuration sample.
    http://www.cisco.com/en/US/tech/tk828/technologies_white_paper0900aecd8012033f.shtml
    HTH-Cheers,
    Swaroop

  • Should Wireless be in its own MPLS VRF?

    Hi,
    I already have an answer I like on this one, "YES!".
    Unfortunately I don't live in Mike-land while I'm at work. I need some reference architectures or authoritative security guides that explain why this is a best-practice, (at least where MPLS VRF's are available for use).
    My short list of reasons is:
    - More refined segmentation
    - Easier standardization practices and associated documentation for tier I/IIs support staffs
    - Easier to trouble-shoot when route tables are differentiated, (wireless VRF's and wired VRF's)
    - Easier to observe and isolate traffic, (at firewall or router) in case of security breach
    ...I could go on.
    Any good documentation on this out there?  I can't find much.
    Any help appreciated,
    M.


  • Sourced Based VRFs and IPSEC

    Hi All,
    I have 2 questions.
    1) Does Cisco Router 7600 with SUP720 3BXL support VRF Selection based on Source IP Address [Layer 3 VPNs]?
    2) We have various clients reaching a Router and we want to forward them to their company's VRFs, based on their source address (given by Radius or statically). Now, ideally, we want to give the customer's H.Q. the option to connect to this router using Leased Lines (or Frame Relays) or by using IPSEC (over the internet). Is this possible? Can traffic from an access server arrive at an interface and, based on the source, the user be forwarded either to a VRF or to an IPSEC tunnel?
    Regards.

    Hello,
    a solution to your problem could be to have a VRF aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF aka VRF-lite). IPSec and Dialer interfaces are possible. Based on authentication you could define the VRF and by having a dot1Q trunk to the 7600 which operates as the MPLS PE.
    A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
    Hope this helps! please rate all posts.
    Regards, Martin

  • QoS MPLS VRFs

    Hi guys,
    we are creating a new  MPLS cloud with the following VRFs: VRF- Voice, VRF- Data and VRF - Citrix.
    My question is: is VRF traffic independent from other VRFs (talking about QoS) or do I have to request my MPLS provider to apply QoS?
    I would like to have 3 Levels of QoS: Voice, Citrix and Data (that matches with the VRFs).
    So is QoS needed on the MPLS Provider side to increase my traffic performance for voice and Citrix?
    Thank you very much for your help.
    Jordi

    Hi Jordi
    You will need to have QOS configured for all the VRFs separately because of two main reasons:
    1. Creating a VRF doesn't guarantee that you will get priority.
    2. After the traffic enters the Service Provider backbone it's all MPLS traffic and many customers share the same backbone, so to have an effective treatment of your traffic you will need to define proper QOS.
    Regards
    Vivek

  • MPLS VRF Routes Leaking

    I am designing network to deploy MPLS L3 VPN services for 2000+ branch locations of 1 customer.
    Cisco 7600 series router is used as PE along with FWSM that points towards Global Routing Table (Internet Gateway).
    Customer is requiring the access for internet along with VPN services to all the 2000+ locations.
    What is the best solution to prefer that meets the requirements & also avoids the security loopholes ?

    you could do one of the following ways to implement Internet access for L3 MPLS VPN
    1. using a separate PE interface in global routing table: in this case the FWSM and an interface in the PE/PEs will be required to be in the global routing table to have the Internet access and then you can inject that route to the VRF/VRFs
    2. Internet access using route leaking between VRFs and the global route table: by using this method you will need to configure a static default route with a next hop as an Internet gateway, in your case the FWSM, reachable through the global routing table. This VRF default route needs to be injected/redistributed in the PE-CE routing (MP-BGP) to provide the outbound Internet connectivity to your VRFs.
    inbound traffic from Internet will require either NATed VRF or static routes from the global routing table pointing to the VRF interface
    3. the other method is the use of shared service: with this method you need to put the Internet service FWSM in its own VRF then you can control the import and export between the Internet VRF and other VRFs through import/export of the VRFs route-target values
    good luck
    if helpful Rate

  • Full internet routes in MPLS-VRF

    hi~ all
    I am a little confused about whether it's a good way to load full internet routes in an MPLS VRF, where there's no service routing in the core network, only topology routing. There are dual upstream ISPs connecting to the ASBR, and I'm afraid of loading these two full internet route tables into a VRF on the 7600. Is it possible? Does it take a long time to load the routes in the VRF?
    could someone give me some proposal about it or some experience about internet routes in VRF , thanks.

    It's not a good practice to load all the internet routes in the vrf. Do use vrf leaking. For this create a vrf named internet which will be loaded with the default route and export that route with the rd and import that route in your particular vrf. With this you will be having only 1 route in the vrf.
    regards
    shivlu

  • MPLS VRF Management

    Hi,
    After upgrading the network to MPLS, I have some problems with the management of P and PE routers. I want to use "VRF Management" to manage these devices but I have no information on how to configure it.
    - For PEs I think I should use the second loopback to add to VRF admin;
    - For Ps no solution.
    Please show me some useful links or examples.
    Thanks for your help

    Hi,
    To access P routers from a VRF environment you can use two scenarios:
    1) connect a P router interface to the PE in the Mgmt VRF
    2) use packet leaking.
    For managing other devices in different VRFs:
    3) central service VPN
    Option 1) is giving you plain IP connectivity into the core and you could also connect your Mgmt LAN directly to the core. The advantage of a direct connection: you do not rely on VRF related features to be configured correctly on the access PE to connect to P (and PE) routers.
    An example: if someone deletes the Mgmt VRF, all IP addresses on all VRF interfaces in that VRF will be removed. You might end up with no connectivity even to the PE, where the "accident" happened.
    Option 2) allows access to the global routing table through a VRF. The configuration could look like this:
        ip vrf Mgmt
         rd 65000:161
         export map MgmtLAN
         route-target import 65000:162
        !
        interface Serial0/0
         description to a P router
         ip address 10.1.1.1 255.255.255.252
        !
        interface Serial 0/1
         description to the Mgmt LAN
         ip vrf forwarding Mgmt
         ip address 192.168.1.1 255.255.255.252
        !
        ip route vrf Mgmt 10.1.1.0 255.255.255.0 10.1.1.2 global
        ! Assuming the core IP addresses for management are from 10.1.1.0/24 this will send packets arriving in the VRF to the P routers
        ip route 192.168.161.0 255.255.255.0 Serial0/1
        ! assuming the Mgmt LAN is 192.168.161.0/24 this will forward packets arriving from the P routers to the Mgmt LAN behind Serial0/1
    Option 3) central service VPN for managing devices in different VRFs
        ip vrf Mgmt
         rd 65000:161
         export map MgmtLAN
         route-target import 65000:162
        !
        ip vrf Customer
         rd 65000:666
         route-target export 65000:666
         ! normal customer RTs
         route-target import 65000:666
         ! this will import the Mgmt LAN network
         route-target import 65000:161
         export map MgmtLoopbacks
         ! this will ensure only management IPs will be imported into the Mgmt VRF and not all customer routes from all VRFs.
        !
        interface Loopback161
         description PE Mgmt IP
         ip vrf forwarding Mgmt
         ip address 10.1.2.123 255.255.255.255
        !
        interface Serial 0/1
         description to the Mgmt LAN
         ip vrf forwarding Mgmt
         ip address 192.168.1.1 255.255.255.252
        !
        route-map MgmtLAN
         match ip address 1
         set extcommunity rt 65000:161
        !
        route-map MgmtLoopbacks
         match ip address 2
         set extcommunity rt 65000:162 additive
        !
        access-list 1 permit host 192.168.161.0
        ! Only announce the Mgmt LAN
        access-list 2 permit host 192.168.162.1
        access-list 2 permit host 192.168.162.2
        access-list 2 permit host 192.168.162.3
        ! list the Loopback IPs of devices to manage
    From a routing point of view you would need to make sure to route all required IPs with BGP and IGP in the Mgmt environment, as well as the core.
    Hope this helps! Please use the rating system.
    Regards, Martin
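
An added example (not from the posts above and not Cisco code): a Python audit of the central-service route-target pattern in Option 3, the same pattern behind the shared Internet VRF suggested in the route-leaking threads, that flags any pair of VRFs able to exchange routes without going through the hub VRF. The sample config, the VRF names CustomerA and CustomerB, and the functions `parse` and `unexpected_leaks` are assumptions; the parser expects indented `show running-config` style text and conservatively treats every RT an export map can set as attachable.

```python
import re
# Constructed config modelled on the central-service design above. CustomerB and
# its stray "route-target import 65000:162" are hypothetical, added to show a leak.
SAMPLE = """
ip vrf Mgmt
 export map MgmtLAN
 route-target import 65000:162
ip vrf CustomerA
 route-target export 65000:666
 route-target import 65000:666
 route-target import 65000:161
 export map MgmtLoopbacks
ip vrf CustomerB
 route-target export 65000:777
 route-target import 65000:777
 route-target import 65000:161
 route-target import 65000:162
 export map MgmtLoopbacks
route-map MgmtLAN
 set extcommunity rt 65000:161
route-map MgmtLoopbacks
 set extcommunity rt 65000:162 additive
"""

def parse(config):
    """Return {vrf: {"import": RTs, "export": RTs}} from indented IOS-style text."""
    vrfs, maps, kind, cur = {}, {}, None, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line[0].isspace():  # an unindented line starts a new stanza
            kind, cur = None, None
            if words[:2] == ["ip", "vrf"] and len(words) == 3:
                kind = "vrf"
                cur = vrfs.setdefault(words[2], {"import": set(), "export": set(), "map": None})
            elif words[0] == "route-map" and len(words) >= 2:
                kind, cur = "map", maps.setdefault(words[1], set())
        elif kind == "vrf" and words[0] == "route-target" and len(words) == 3:
            for direction in ("import", "export"):
                if words[1] in (direction, "both"):
                    cur[direction].add(words[2])
        elif kind == "vrf" and words[:2] == ["export", "map"] and len(words) == 3:
            cur["map"] = words[2]
        elif kind == "map" and words[:3] == ["set", "extcommunity", "rt"]:
            cur.update(w for w in words[3:] if re.fullmatch(r"[\d.]+:\d+", w))
    for vrf in vrfs.values():
        # Conservative: assume any RT set by the export map may be attached.
        vrf["export"] |= maps.get(vrf.pop("map"), set())
    return vrfs

def unexpected_leaks(config, hub):
    """List (source, destination, shared RTs) for imports that bypass the hub VRF."""
    vrfs = parse(config)
    leaks = []
    for src in sorted(vrfs):
        for dst in sorted(vrfs):
            shared = vrfs[src]["export"] & vrfs[dst]["import"]
            if src != dst and hub not in (src, dst) and shared:
                leaks.append((src, dst, sorted(shared)))
    return leaks

if __name__ == "__main__":
    print(unexpected_leaks(SAMPLE, hub="Mgmt"))
```

On the sample, the only finding is CustomerB importing 65000:162, which would pull CustomerA's management loopbacks into CustomerB's routing table.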

  • MPLS Vrf opsf interfaces not working

    P/PE router VRF ospf interfaces unable to receive or advertised routing to and from CE router.
    Config attached.
    Routes from PE VRF nortel should be forwarded to CE router
    So are routes from CE 50.50.50.0 network
    Any ideas?

    Hello,
    Looks to me as if you did not start the ospf process in the VRF. So adjust the config according to:
        interface Serial2/0
         description MPLS VRF 1:1 connection to Cisco 2611 PPP
         ip vrf forwarding nortel
         ip address 200.0.30.1 255.255.255.0
         encapsulation ppp
         clock rate 128000
        !
        interface FastEthernet4/0
         description MPLS connection for vrf Nortel 1:1
         ip vrf forwarding nortel
         ip address 70.70.70.1 255.255.255.0
         duplex auto
         speed auto
        !
        no router ospf 1
        router ospf 1 vrf nortel
         network 200.0.30.0 0.0.0.255 area 0
         ! In case you want OSPF over this interface as well
         network 70.70.70.1 0.0.0.0 area 0
    With the current config I would assume that you do not see an OSPF adjacency on the CE.
    Hope this helps! Please rate all posts.
    Regards, Martin

  • EIGRP authentication in named mode breaks vrf aware DMVPN

    Hi Friends,
    I build a vrf aware DMVPN, and advertise the GRE ip in EIGRP named mode. All works well till I enable authentication in af-interface tunnel 0.
    Once I enable the authentication "hmac-sha256'', it breaks the crypto and DMVPN.
    Any advice on what's the solution to bring the crypto and DMVPN up with EIGRP authentication in named mode?
    Regards
    rYs

    Hi,
    I attached the config I did, till I apply the authentication in EIGRP,
    once I applied the below config, the dmvpn will break
    ""router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY""
    See any more configs I need to add in the crypto to make the dmvpn  up.
    Thanks

  • MPLS trace and Ping

    How to make trace and ping are available in MPLS PE router? Can I ping or trace a customer IP from the PE router?

    This functionality has been available since 12.0(27)S.
    http://www.cisco.com/en/US/products/ps6017/products_feature_guide09186a008041805b.html
    Please refer to the Cisco Feature Navigator to find out which other IOS releases and platforms it is supported on:
    Check for this specific feature:
    MPLS LSP Ping/Traceroute and AToM VCCV
    Cisco Feature Navigator:
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    As to your other question, you can generally ping and traceroute to the customer network from the PE provided that the address you are using for the ping/traceroute is present in the VRF of the specific PE. This would exclude MPLS ping and traceroute though, if this is what you are asking.
    Hope this helps,

  • Vrf aware dmvpn with ipsec profile breaks while enabling authentication in EIGRP named mode

    Hi Friends,
    I build a vrf aware dmvpn using IPSec profile and I got the DMVPN and IPSec crypto as UP and able to do advertise using EIGRP.
    But the crypto and DMVPN breaks while I enabled the authentication in EIGRP named mode.
    Once i remove the authentication, it works fine.
    Any advice, how to solve this issue ? Any crypto commands need to add to make this work ?
    Regards
    Riyas Rasheed

    Hi,
    I attached the config I did, till I apply the authentication in EIGRP,
    once I applied the below config, the dmvpn will break
    ""router eigrp EIGRP
    add ipv4 autonom 45678
    af-interface tu0
    authentication mode hmac-sha256 KEY""
    See any more configs I need to add in the crypto to make the dmvpn  up.
    Thanks

  • Question to understand VRF and VRF-lite features

    Hi,
    when I look at METRO switches  Feature list I see that most of them support only "VRF-Lite".
    Does it mean that they can't work with MPLS labels and can't be placed as PE devices in cases where we need VPN services or any kind of "Label-switching" services?
    Which role then do those METRO switches play in a network?

    Hello Konstantin,
    VRF lite is a subset of MPLS L3 VPN features missing MPLS forwarding plane capabilities.
    An end to end dedicated IP path is needed for each VRF, practically a VRF-lite capable device should be connected to a fully capable PE node by using a L2 trunk and dedicating at least two Vlan and two  SVI for each VRF: one towards customer and one towards PE.
    you get a multi VRF CE that can be shared by multiple customers
    a fully capable PE node uses N+1 links for N VRFs, a multiVRF CE requires 2*N logical interfaces for N VRFs
    only one MPLS enabled backbone link is needed for handling traffic of multiple VRFs in a fully capable PE node.
    in metro ethernet VRF lite multi VRF CE are used as feeders sort of satellite of PE nodes to provide an access layer to customers
    Hope to help
    Giuseppe

  • MPLS / vrf-lite

    Hi
    We currently use a BT MPLS network and use BGP on our CE router to peer with the providers PE routers. Currently we only use one VPN for production across the MPLS network.
    We are now looking to give access from some of our MPLS sites to a test environment housed in our data centre. We need to do this on a pc by pc basis.
    At the moment the plan is to add a Test VPN within the MPLS network. All sites will be a member of the production VPN and those sites that also need access to test environment will be a member of the Test vpn.
    This will segregate the traffic over the WAN but the issue I now have is how to segregate the traffic once it leaves the PE router. The link between the CE and PE router is just a layer 3 link so the VPN separation has disappeared by now. I don't mind the traffic not being separated in terms of VPNs on the CE to PE link but I need to segregate the traffic once it leaves the CE router and enters our LAN.
    So finally the questions
    1) Is there a way to keep the separation at a VPN level on the CE -> PE link? As I say I don't mind not having it but if there is a way I would be interested.
    2) More importantly I have done some limited reading on VRF-lite and was wondering before I go further if that would allow me to segregate the traffic internally within the LAN. Our LANs in major buildings usually consist of 4500 at the access-layer and 6500 as distribution/core. What I would ideally like to do is ensure that only users within the site who need to access the test environment can, i.e. by adding a site to the TEST vpn this does not mean that all users within the site should be able to get to it.
    I could
    i) Use PBR together with access-list and potentially firewalls
    ii) use vrf-lite to segregate the traffic.
    So is this a good application for vrf-lite or have i missed the point of it ?. if not can anyone suggest a better way ?
    Many thanks
    Jon

    Joseph/Anantha
    Thanks to both of you for your replies. If i could just query your expertise a little more.
    Attached is a visio of a site that i would like to be able to access both the Test and Production VPN's. The key thing to note is that we are routing from the access-layer down to the distribution 6500 switches.
    Now on the 4500 i can have 2 separate VRF's, one for the Prod VPN and one for the Test VPN. I can then assign different vlan interfaces into the relevant vrf.
    Am i right in my assumptions so far ?
    The problem i am having in taking this further is that a L3 interface can only be in one VRF and as the connections from the 4500 to the 6500 are L3 uplinks i can't allocate the L3 link into 2 separate vrf's (nor would it make sense to do so).
    I am not in a position to change the L3 links to L2 links which would solve part of the problem as the vlan interfaces would then be on the 6500 and i could allocate these interfaces into separate VRF's.
    So is there any way, bearing in mind that i need to keep L3 links from the access-layer, that i can segregate the routing tables on the 6500 and 7200 router.
    If I can't do this then I don't see the advantage of trying to use VRF-lite because the 6500/7200 and 3800 will all have one routing table with both Test and Prod routes in it and this means without route filtering these routes will get propagated by the 3800 to our remote sites.
    If i have to revert to route-filtering i may as well not bother with vrf-lite ?
    Jon

  • Performance end to end testing and comparison between MPLS VPN and VPLS VPN

    Hi,
    I am a student of MSc Network Security and my project is "Comparison between MPLS L3 VPN and VPLS VPN, performance monitoring by end to end testing". I have heard a lot of buzz about VPLS becoming NGN, so I wanted to explore that and produce a comparison report of which technology is better. To accomplish this I am using GNS3. The MPLS L3 VPN lab setup is not a problem, but I am stuck at the VPLS part: how to set that up? I have searched but am unable to find any cost-effective means; it is not even possible in the university lab as we don't have 7600 series.
    I would appreciate any support, guidance, advice.
    Thanks
    Shahbaz

    Hi Shahbaz,
    I am not completely sure I understand your request.
    MPLS VPN and VPLS are 2 technologies meant to address different needs, L3 VPN as opposed to L2 VPN. Not completely sure how you would compare them in terms of performance. Would you compare the performance of a F1 racing car with a Rally racing car?
    From the ISP point of view there is little difference (if we don't want to consider the specific inherent peculiarities of each technology) , as in the very basic scenarios we can boil down to the following basic operations for both:
    Ingress PE impose 2 labels (at least)
    Core Ps swap top most MPLS label
    Egress PE removes last label exposing underlying packet or frame.
    So whether the LSRs deal with underlying L2 frames or L3 IP packets there is no real difference in terms of performance (actually the P routers don't even notice any difference).
    About simulators, I am not aware of anyone able to simulate a L2 VPN (AtoM or VPLS).
    Riccardo
