Multi VRF CE and CoS/QoS

Looking for some details on do's and dont's for Multi-VRF CE. Also wondering how CoS/QoS is supported. If I want to do CBWFQ on the CE that is supporting Multi-VRF CE can I do it per subinterface to have a policy per VRF?

It depends on what platform you are using. The 7200 and 7300 do not support CBWFQ on sub-interfaces right now. I've heard September this year but won't hold my breath. The 12k supports it but only on the E3 card not the 10portgigE4+ card.

Similar Messages

  • Multi-vrf ce and ospf domain-tag

    I have configured an mpls vpn between two customer's sites. In every site I have installed two cat35xx with a multi-vrf ce.
    I have a multi-access OSPF neighborship to the customer equipment and a BGP session to the MPLS backbone.
    The OSPF routes are redistributed into BGP and vice versa.
    On the OSPF process, can I use domain-tag to prevent routing loops?
    How can I verify the domain-tag's functionality in this architecture?
    I've tried to configure domain-tag and the OSPF database contains all tagged routes, but how can I be confident that these routes will not be announced back to the MPLS backbone through the BGP session between the Catalyst 35xx and the PE?
    Is the domain-tag functionality supported with vrf-lite?
    Thanks in advance

    Hi Martin,
    I've ospf process running only on catalyst 3550 with vrf-lite, the ospf routes are announced to the PE through bgp session configured between the catalyst 3550 and the PE.
    Does the vrf-lite support the same functionalities of native PE-CE ospf in the mpls vpn, as domain-tag?
    Thanks in advance
    B.

  • Multi-VRF CE

    Hi,
    I need to know whether we can use the Cisco 2610 router as Multi-VRF C.E. which will be connected to the Cisco 3745 P.E. router (existing) via 786K Serial Connections.
    I need to configure two VRF's (IT & SOM) on the Cisco 2610 (Multi-VRF CE) and Cisco 3745 (P.E.) for the two VPNs.
    Can someone please let me know whether this is a workable solution?
    Your help is very much appreciated.
    Thanks,

    Hi,
    What is somewhat strange is your statement: "we are using the default encapsulation on the serial interface (i.e. HDLC)".
    Multi-VRF is depending on two things. First the control plane is separated, i.e. you have one separate routing context per VRF. Second you need at least a separate interface per VRF. One interface can only belong to one VRF. You can check this with "sh ip vrf interface" or with "show ip route VRF ". If there is no output then your VRF has no interface and thus no BGP session can be established. In other words: a VRF is much like a separate router - unless it has an interface there will be no communication possible.
    In your case Frame relay would be the natural choice. An example config with two VRFs could look like this:
    ! One VRF per customer
    ip vrf VRF1
     rd 65000:1
    ip vrf VRF2
     rd 65000:2
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no keepalive
    ! One Frame Relay subinterface (DLCI) per VRF
    interface Serial0/0.100 point-to-point
     ip vrf forwarding VRF1
     ip address 10.1.1.1 255.255.255.252
     frame-relay interface-dlci 100
    interface Serial0/0.200 point-to-point
     ip vrf forwarding VRF2
     ip address 10.2.2.1 255.255.255.252
     frame-relay interface-dlci 200
    ! One eBGP session towards the PE per VRF
    router bgp 65000
     address-family ipv4 vrf VRF1
      neighbor 10.1.1.2 remote-as 65100
      no auto-summary
      no synchronization
     exit-address-family
     address-family ipv4 vrf VRF2
      neighbor 10.2.2.2 remote-as 65100
      no auto-summary
      no synchronization
     exit-address-family
    The IPs, interfaces, AS numbers, additional commands etc. need to be adjusted to your environment.
    Hope this helps! Please use the rating system.
    Regards, Martin
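
Added example (not part of the original thread or of the poster's configuration): a Python check for the rule above that every VRF needs its own interface, extended to verify that each per-VRF BGP neighbor sits on a subnet connected in that same VRF. The names parse and audit are hypothetical, the input is assumed to be indented like show running-config output, and the sample config is constructed with Serial0/0.200 deliberately bound to the wrong VRF.

```python
import ipaddress

# Constructed sample (not from the thread): Serial0/0.200 is bound to VRF1 by mistake.
SAMPLE_CONFIG = """\
ip vrf VRF1
 rd 65000:1
ip vrf VRF2
 rd 65000:2
interface Serial0/0.100 point-to-point
 ip vrf forwarding VRF1
 ip address 10.1.1.1 255.255.255.252
interface Serial0/0.200 point-to-point
 ip vrf forwarding VRF1
 ip address 10.2.2.1 255.255.255.252
router bgp 65000
 address-family ipv4 vrf VRF1
  neighbor 10.1.1.2 remote-as 65100
 address-family ipv4 vrf VRF2
  neighbor 10.2.2.2 remote-as 65100
"""

def parse(config):
    """Return (defined VRFs, {vrf: [connected networks]}, [(vrf, neighbor)])."""
    vrfs, nets, neighbors = set(), {}, []
    section = vrf = None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if not raw[0].isspace():          # a top-level command opens a new section
            section, vrf = words[0], None
            if words[:2] == ["ip", "vrf"] and len(words) == 3:
                vrfs.add(words[2])
        elif section == "interface" and words[:3] == ["ip", "vrf", "forwarding"]:
            vrf = words[-1]
        elif section == "interface" and words[:2] == ["ip", "address"] and len(words) >= 4:
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            nets.setdefault(vrf or "global", []).append(net)
        elif section == "router" and words[:3] == ["address-family", "ipv4", "vrf"]:
            vrf = words[-1]
        elif section == "router" and words[0] == "exit-address-family":
            vrf = None
        elif words[0] == "neighbor" and vrf and "remote-as" in words and words[1][0].isdigit():
            neighbors.append((vrf, ipaddress.ip_address(words[1])))
    return vrfs, nets, neighbors

def audit(config):
    """List VRFs with no interface and VRF neighbors that are not directly connected."""
    vrfs, nets, neighbors = parse(config)
    findings = [("vrf-without-interface", v, None) for v in sorted(vrfs) if not nets.get(v)]
    for vrf, peer in neighbors:
        if not any(peer in n for n in nets.get(vrf, [])):
            owner = next((v for v, ns in nets.items() if any(peer in n for n in ns)), "no interface")
            findings.append(("neighbor-not-connected", vrf, f"{peer} subnet is in {owner}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A finding of the second kind means the BGP session in that VRF cannot come up, and the subnet named in it shows which VRF the link was actually placed in, which is where that customer's traffic would be routed.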

  • Question about 3750 mls qos map dscp-output-q and cos-output-q

    1. If an egress packet has both CoS and DSCP set, which map should be used to put this packet into a queue?
    2. The 3750 is doing IP routing. After the packet is routed, will the packet keep the DSCP and CoS? Or will it just keep the DSCP and use the dscp-cos map to create a new CoS?

    Apologies for the confusion with the terminology.
    The question is where you have configured the trust boundaries, do you necessarily trust the DSCP value prior to being routed across your network?
    Therefore, although you have explicitly trusted the DSCP value, do you still trust the value at the remote peer?
    For example, you connect into an MPLS with QoS enabled, you know that the values you are trusting are correct within your network, however at the remote peer/branch they could be remarked by the provider. Therefore do you 'believe' the values, or do you simply not trust them and then reclassify on ingress.
    Regards
    Allan.
    Hope this makes sense..

  • QoS - can u trust dscp and cos?

    Hello,
    is it possible to trust DSCP and COS at the same time?
    If so, which one wins?

    G'day,
    It does not really make sense to trust both DSCP and CoS at the same time. You configure your switch to trust one or none of these.
    As an example, if you did have the capability to trust both DSCP and CoS, imagine what would happen if you received a frame with DSCP EF and CoS 0? You would be faced with a conflicting situation... if you trusted CoS, you would give a potentially high-priority packet lesser service. Whereas if you trusted DSCP, you could end up giving a potentially low-priority packet voice-like service... So the option of trusting both is not allowed.
    Hope that helps - pls rate the post if it does.
    Paresh

  • 6PE on Multi-VRF PE Routers?

    I am investigating mechanisms to allow the migration of an IPv4/MPLS network, carrying VPNs, to use IPv6. I have a core of P routers, running IOS 12.4, connecting to PE routers, also running 12.4. I am using OSPF as the IGP, with iBGP in the core. I have static routing defined between the PEs and the CEs, mostly because it's simple and not the area of interest. I have two CE routers, one on VRF "Red" and one on VRF "Blue", on each PE. I can exchange IPv4 data between the CEs on VRF Red, and between the CEs on VRF Blue, but not between Red and Blue....what I am describing here is pretty much a standard, multi-VPN MPLS installation.
    Now I want to update the network to support IPv4 and IPv6. I based my changes on 6PE, so added config to the PEs only to enable IPv6 (with IPv6 addresses added to the CEs and the CE-PE links), and I can now see from "sho bgp ipv6 uni" that the PEs are learning unicast prefixes from MP-iBGP, and "sho ipv6 cef <address> det" shows the forwarding table is being built, so I'm happy that the IPv6 addresses are advertised correctly on each PE.
    Now here's the problem. I can't exchange IPv6 data (I know 6PE doesn't handle ICMP well, so I'm using telnet rather than ping between CEs to test, but whereas telnet to an IPv4 address works, telnet to an IPv6 address doesn't). I'm running VRFs, and I want to allow them to operate for IPv6 as well as IPv4, but I don't think they are, and lots of documentation suggests that I should be entering something like the following in my PEs:
    ip vrf Red
     rd 1:100
     route-target export 1:100
     route-target import 1:100
     address-family ipv4
     exit-address-family
     address-family ipv6
     exit-address-family
    IOS 12.4 won't accept the "address-family" statements in that context, but I can't see another way to get the vrf to accept both address families....
    Have I got the commands completely wrong, or is the "address family" syntax in the vrf context only available in IOS XR, or some special version of IOS?
    Any comments or suggestions would be most welcome!
    Jim

    Well, that was interesting! Laurent is quite correct, the document gives the necessary information.....BUT, you have to be very picky about the IOS you use, and on what platform the necessary commands are available....for IOS 12.4, I ended up using T-train versions, which in a production environment may be considered "suboptimal". However, the main thing is that with Laurent's answer, I have got the config I needed. Thanks!

  • Multi-VRF on the same device

    Hi, I have a certain design that I am thinking of implementing however need some help to understand the feasibility as well as confirm if it is indeed possible to do it. It is sort of like configuring multi-vrf on the same device and leaking routes from them into a global routing table. It seems impractical to do it however if I want to limit connectivity between various vlan's on a L3 level without ACL's this seems the better option. Please do correct me if that is not so.
    Design
    A device which has a number of vlan interfaces on the north side let's say a 6500 configured with a number of vlan's. Each vlan has its own vrf. The SVI interfaces are where I apply the ip vrf forwarding XXX command. This device will be like the PE I assume?
    Now I might be running various routing protocols (EIGRP, RIP, Static, BGP) within these vrf's with the devices on the other end that have no idea about vrf's. Since I have a number of routes I have learnt within their own vrf's I want to either export all these routes into the global table or create a global vrf where I can export all these routes.
    The reason being that I want to propagate all these routes to the south side. The south side interface of this PE 6500 is physically connected to a firewall via a L3 point-to-point interface. That firewall's south interface in turn connects to another switch.
    I am going to form a BGP session between the Top PE 6500 Switch and the bottom switch and I would like to propagate all the routes that I have in their own individual vrf's on the Top 6500 PE switch to the bottom switch via BGP.
    I don't think I can run MP-BGP due to the firewalls being in the physical path. Besides I would like to run a normal BGP IPv4 session between the top and bottom switch to keep it simple and familiar.
    The reason I would like to have every vlan in its own vrf is to limit connectivity between the vlan's without configuring ACL's. It provides a bit more security between the VLAN's.
    What I am not sure about is how the packet forwarding would work or if it would work at all.
    Thx for your help.

    Hi Vikram,
    Firstly, you mentioned that the reason for going down this path is for security between the different VLANs. Have you looked at Private VLANs as another option?
    Certainly leaking routes between different VRFs can be achieved and I would recommend having a 'Shared VRF' that you leak in and out of. Having the Firewall between the PE nodes does present an issue both for BGP as well as LDP peering if you wanted to establish a MP-BGP session. From what you have mentioned above, this solution might over-complicate what you are trying to do.
    Are the network ranges in each VLAN also unique?
    Can the Firewall run IGP? If so, maybe you could run Private VLANs and then use an IGP to propagate the networks through the FW across to your other switch? If you were to establish a BGP session between the switches each side of the FW, the FW would also need to either become a BGP peer or have IGP enabled. Each BGP node would then need to inject the BGP routes into IGP. If this isn't done, the FW will drop traffic as there would not be a suitable route.
    Are the resources through the FW shared or are they also client connected networks?
    Trent Husking

  • What target address does IPM select if the target IPSLA device is a multi-VRF CE?

    What target address does IPM select if the target IPSLA device is a multi-VRF CE?
    With IPM 4.2.1 it is not possible to select the correct target IP address when configuring a collector between two multi-VRF devices. It looks as if the primary management address for the target device is used in the collector configuration which, of course, belongs in a different VRF entirely.

    One example, and there may be others, is the (free) DynDNS dynamic DNS service which publishes a domain name for the WAN port of your router which can then be resolved, like all other domain names, to the actual IP address of the WAN port of your router. This service provides a solution to the problem of having a proper domain name in cases where your public IP address changes over time. Unless you pay for a static IP address, virtually all ISPs change your public IP address over time.
    So, you can register for a free DynDNS account at www.dyndns.com and that is how you come up with the User: and Password: information; use whatever User and Password you register at dyndns.com with.
    The first part of the hostname you can define as you wish, subject only to someone else having used it previously, and the remaining parts of the domain name might be "dyndns.org" or one of the other domain names provided by the DynDNS service. So, you could publish, via DynDNS, the name of your public IP address as, for example, joehlam.dyndns.org however you might want something less descriptive or more vague.

  • Multi-VRF

    Hi.
    I intend to understand what a multi-vrf is, but the bottom line is, I don't seem to understand them very well.
    I was asked about it and I was surprised that I was not able to find an easy way to explain them.
    If you are to explain what a multi-vrf is, how would you do it?
    What are the basic ups and downs?
    Thanks

    Hello Jayson,
    a Multi-VRF CE is a device that has multiple VRFs and is shared between different customers and is generally owned and managed by the service provider.
    From a technical point of view the multi-VRF CE has a subset of the features of an MPLS PE.
    It has the capability to segregate traffic of different customers and to support address overlapping but:
    There is no support of MPLS forwarding, so there are only VRF access links both to the customer and to the real MPLS PE.
    There is no support/need of MP-BGP for address-family VPNv4.
    The uplink is usually made with a high-speed 802.1Q trunk where each VLAN carried is mapped to a different VRF/customer.
    The customer benefits are the sharing of the CE device and of the high speed uplink(s).
    Scalability is the issue in comparison with a real PE:
    a PE with N VRFs can use N+1 interfaces (N access links + 1 MPLS backbone link)
    a multi VRF CE with N VRFs needs 2*N interfaces (for each VRF one link towards the customer and one towards the SP PE)
    The same is true for the routing relationships: on each VRF a different routing relationship exists with the PE (it can be eBGP in VRF or IGP OSPF or EIGRP in VRF) while a real PE has one/two BGP relationships with the RRS and this is enough for all defined VRFs.
    Often a Multi-VRF CE is a multilayer switch that can offer high port density at a cheap price.
    Hope to help
    Giuseppe

  • 3745 Multi VRF with modules ??

    Hi,
    Please can anyone tell whether Gig modules are supported on 3745 and if yes then how many? Also please tell which is the Gig module; I could not find it on cisco.com.
    And also do the onboard LAN ports support Multi VRF function ?
    Thanks
    NK

    We use VRFLite with the onboard LAN ports and it works just as expected.
    hth
    -birgit

  • Multi-vrf CE/vrf lite Instances

    I'm currently looking at deploying vrf lite on our ce's but I'm unable to locate the limitations on how many instances can be run. I realise that the low-end ce's (1700, 2600) the limitation is 5 instances. Is there any other CE related devices that can run more instances, if so, how many and what devices?
    Regards
    Mark

    Hi,
    The 5 instances restriction comes from the "Designing MPLS Extensions for Customer Edge Routers" Product bulletin. The following script from that document is:
    Conclusions
    In order to ensure that their data is kept private while traveling across a Service Provider’s network, customers are presented many VPN options to suit their needs. This paper has focused on one particular type of VPNs: MPLS-VPNs. A general description was outlined for MPLS-VPNs in order to discuss the new feature in Cisco IOS release 12.2: Multi-VRF CE.
    Multi-VRF CE extends limited PE functionality to CE devices by allowing the traditional LAN network behind a CE router to be segmented into separate VRFs. With this feature, the CE router is now able to segment their LAN traffic into a maximum of 5 separate VRFs.
    So, I'm not sure whether this is just a standard feature set for all models, or this particular feature has been upgraded to support more vrfs, which as you say, will require the appropriate capacity.
    Regards
    Mark

  • Multi-VRF CE or VRF-Lite support on 1800/2800

    Can anyone please confirm whether ISR 1800 and 2800 series devices support Multi-VRF CE functionality and which IOS release should be used?
    I could not find any document which is explicitly mentioning the above for the mentioned boxes.
    Actually my Purchase Order has been held up due to this... ;-)
    Thanks...

    Yes, they both do. For specific IOS version required, please refer to the Cisco IOS features navigator:
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    Hope this helps,

  • Multi-VRF CE: Number of VRF's

    Are there hard and fast limitations to the number of VRF's you can configure on a given router platform using Multi-VRF CE functionality? Or, are the only limitations those imposed by the available memory, CPU, and available routing processes on a given router.

    There is no hard limit that I know of. As you stated the limitation is rather to resources available on the node itself.
    Hope this helps,

  • DSCP and CoS mapping to use uAPSD

    Hi CISCO experts, I'm trying to map some traffic to a DSCP and CoS priority. The fact is that it doesn't work.
    Steps:
    1. Set personal filter (myfilter) to forward from specific IP.
    2. Set QoS policy: my_policy --> myfilter-CoS (4).
    3. Add policy to 802.11g.
    When I look up the IP traces DSCP is always 0x00 (Best Effort).
    If I map DSCP (best effort) to DSCP (voice) it doesn't work either.
    What can I do? I'm trying to emulate AC_VO or AC_VE so I can force the uAPSD protocol to work.
    Best regards

    Are you using a Cisco WLAN controller or autonomous AP?
    You would need to ensure that the RTP (voice) packets to the AP has DSCP = EF.
    There is an auto policy in the WLAN controller to map EF to UP6.
    For autonomous, will need to create a QoS policy to do this.
    But you do not want to map DSCP = 0 to UP6!
    This defeats the purpose.
    Will only want RTP packets to be marked as EF.
    See the WLAN SRND and 7921G Deployment Guides for more info.
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns279/c649/ccmigration_09186a00808d9330.pdf
    http://www.cisco.com/en/US/docs/voice_ip_comm/cuipph/7921g/5_0/english/install/guide/7921dply.pdf

  • Bug in Multi-File Search and Replace in RH6?

    I'm using the 6.0 trial, and one thing I want to be able to
    do is to replace the variables I put in using JavaScript with the
    new feature variables in 6.0. So, I went in to multi-file search
    and replace, and searched for:
    <script
    language=JavaScript>document.write(varProduct)</script>
    I copied this code directly from a topic, and pasted it into
    the Search tool.
    I don't even care whether I can successfully copy the code
    from my new variable for use as the replacement text; I'd be happy
    if the multi-file search would simply find all occurrences of my
    original code so I don't miss any during conversion to 6.0.
    It keeps coming up as not found, and this concerns me
    greatly. Has anyone else experienced this? Is it a known bug? Does
    anyone have a workaround?
    Thanks!

    Hi robowriter
    I'm assuming you are using the wondrous little applet known
    as Multi-File Find and Replace.
    Unfortunately, this little beastie is like a cat. It
    frequently has a fussy tummy and loves to hork up furballs. Well,
    not exactly. Really what it does is fail to properly handle
    anything with a line break. So you need a tool that does do this.
    Fortunately, one exists! It is called FAR (Find And Replace). Oddly
    enough, it was also written by a fellow Microsoft Help MVP named
    Rob Chandler. (Rob lives in Australia)
    You can download a trial version of FAR from the FAR page.
    Click here to visit
    the FAR page
    Cheers... Rick
