Multi-vrf CE/vrf lite Instances

I'm currently looking at deploying vrf lite on our ce's but I'm unable to locate the limitations on how many instances can be run. I realise that the low-end ce's (1700, 2600) the limitation is 5 instances. Is there any other CE related devices that can run more instances, if so, how many and what devices?
Regards
Mark

Hi,
The 5 instances restriction comes from the "Designing MPLS Extensions for Customer Edge Routers" Product bulletin. The following script from that document is:
Conclusions
In order to ensure that their data is kept private while traveling across a Service Provider’s network, customers are presented many VPN options to suit their needs. This paper has focused on one particular type of VPNs: MPLS-VPNs. A general description was outlined for MPLS-VPNs in order to discuss the new feature in Cisco IOS release 12.2: Multi-VRF CE.
Multi-VRF CE extends limited PE functionality to CE devices by allowing the traditional LAN network behind a CE router to be segmented into separate VRFs. With this feature, the CE router is now able to segment their LAN traffic into a maximum of 5 separate VRFs.
So, I'm not sure whether this is just a standard feature set for all models, or this particular feature has been upgraded to support more vrfs, which as you say, will require the appropriate capacity.
Regards
Mark

Similar Messages

  • Native Multi-VRF-Lite Design with EIGRP Question

    Hello,
    we think about to implement a VRF-Lite design (no MPLS and MBGP) in our campus network (10,000 ports, 20x 6500Sup720, 400x L2-Switches). MPLS is from our point of view oversized for our requirements. We need only a segmentation from different departments. Our IGP is eigrp.
    In the latest IOS-Release for the cat6500 (12.2.18SXD) is finally a VRF-Lite support for EIGRP inside.
    We could test successful a design with different VRFs in our lab, the division workes fine. But we didn't found a way to implement shared service. These are in our case DHCP, DNS, InternerAccess and some others. We thought about a redistribution between our global EIGRP routing table and the EIGRP-vrf tables, but we didn't found a way to do this.
    How can we do this?
    Thanks

    Use a crossover cable to connect a port belonging to the global routing table to a port belonging to a VRF. This way you can leak EIGRP routes from the global routing table into the VRF (through that physical connection). The drawback is that you use 2 ports (that could instead be used for other things...).
    Another way to this, would be to use static routing; use ip route vrf VRF x.x.x.x m.m.m.m n.n.n.n global to allow traffic to go from the VRF into the global routing table.
    Hope that helps...

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    --> Config Begins <---
    aaa new-model
    aa group server radius radius-auth
    server x.x.4.23 auth-port 1645 acct-port 1646
    server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
    server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
    ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • How many VRF-Lite Routing Instances can a 6509-E with a 720-Sup module run?

    I know that in a 4500 style switch it supports a maximum of 64 VRF-lite routing instances. However what is the maximum amount of VRF-Lite routing instances can a 6509-E switch support with a Sup-720 sup module?

    Sup 720  supports 1024 VRF Lites
    see table-1 in this link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
    HTH

  • Multi-VRF CE or VRF-Lite support on 1800/2800

    Can anyone please confirm whether ISR 1800 and 2800 series devices support Multi-VRF CE functionality and which IOS release should be used?
    I could not find any document which is explicitly mentioning the above for the mentioned boxes.
    Actually my Purchase Order has been held up due to this... ;-)
    Thanks...

    Yes, they both do. For specific IOS version required, please refer to the Cisco IOS features navigator:
    http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
    Hope this helps,

  • Extending VRF-lite to 6500??

    Hello,
    I have a simple scenario, where there is a 6500 connected to a router (ISP end), which we have planned to implement vrf-lite on.... there are basically 2 VLANs on the LAN, one production and one guest... we need to isolate the routing table instances between the production and guest.. we have planned to configure trunk between the 6500 and PE router at the ISP end. 6500 acts as a CE here.
    Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. i will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production vlan on the LAN also.. I know we will require to configure VRF, RD, BGP etc on the PE router and do a "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end vlans ????? does anyone have any sample configs or links to which i can refer ?
    Raj

    Well,
    first a sample config (not from a 6500, but you should be able to get the idea):
    ip vrf Cust1
    rd 65000:1
    ip vrf Cust2
    rd 65000:2
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip vrf forwarding Cust1
    ip address 10.1.1.1 255.255.255.252
    interface FastEthernet0/0.200
    encapsulation dot1Q 200
    ip vrf forwarding Cust1
    ip address 10.1.2.1 255.255.255.252
    interface FastEthernet0/0.300
    encapsulation dot1Q 300
    ip vrf forwarding Cust2
    ip address 10.20.1.1 255.255.255.252
    interface FastEthernet0/0.333
    encapsulation dot1Q 333
    ip vrf forwarding Cust2
    ip address 10.1.1.1 255.255.255.252
    !On a 6500 you could also have:
    interface vlan 400
    ip vrf forwarding Cust2
    ip address 10.1.123.1 255.255.255.252
    router rip
    address-family ipv4 vrf Cust1
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    address-family ipv4 vrf Cust2
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.
    In the data plane traffic is sorted by layer2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If f.e. an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine, whether it belongs to Cust1 or Cust2. The same differentation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core is used.
    So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.
    The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
    Instead of the FastEthernet also VLAN interfaces can be used. The number of interfaces per VRF or the number of VRFs are limited by memory.
    Hope this helps! Please use the rating system.
    Regards, Martin

  • Vrf-lite (extranet solution)

    Hi,
    I have a requirement of an extranet solution (ASP model) where many customer will be connected to a central site. The spoke sites do not talk to each other, not even through the central site. One option is to use 1 VRF at the central site and import routes from all other spokes sites (different RD and RT at the spopke sites). This has been rules out. so now my other alternative is to use multiple vrf on a single access link (ethernet in this case) between the CE and PE. I was thinking of using vrf-lite at the central site, but few concepts I am not clear about.
    1) can i get away without using vrf-lite on the central site. PE configures individual vrf for each 1.q interface, but CE just uses 1.q without any vrf. For start I am going to have only two/three sites, so I can either map the subinterface to a separate LAN port or i could do .1q on a single LAN int and map it to the WAN subinterface. Maybe this is not the best solution,but I do not want to go for an unnecessary solution.
    2) what are the advantages and disadvantages of using vrf-lite vs no vrf (if it is possible) in this scenario.
    Attached is a diagram.
    thanks,
    Arana

    Jon,
    I am back with some reading on vrf lite. I am pasting a sample configure that I picked up from another post. I noticed that there is no 'network' statement or 'redistribute static'. My questions:
    1) If I am running BGP with PE, what is the normal pratice to advertise my routers per vrf?
    2) In the LAN do I run separate OSPF or EIGRP instances per VRF (per subinterface)? what is the best way?
    3) If I have static route to other LAN routers then I will be using 'redistribute static' right? Do I have to be specific about which static route I should redistribute to that vrf. If not how does the router know which static route to redistribute to which vrf.
    I have attached a diagram. The below sample does not map to my diagram.
    frame-relay switching
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.1 point-to-point
    ip vrf forwarding A
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.2 point-to-point
    ip vrf forwarding B
    ip address y.y.y.y y.y.y.y
    frame-relay interface-dlci 101
    And So on for further interfaces.
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf A
    neighbor x.x.x.x remote-as x
    no synchronization
    exit-address-family
    address-family ipv4 vrf B
    neighbor y.y.y.y remote-as y
    no synchronization
    exit-address-family
    Vikram,
    As long as we all can share/learn/solve problems, it is perfectly fine. I don't think I qualify to give you any advise but here is what I have found in another post that might be of interest to you.
    In your post you mentioned that you do not think you can run MP-BGP between the two switch through the FW. In another post I had got an indication that you can run LDP between two PE's using GRE tunnel. In your scenario you are going throuhg a FW and in that particular post the PEs are separated by a third service provider. So if you are open to explore this might be a solution for you.
    Hope this piece of information helps.
    thanks,
    Arana

  • What is VRF-Lite

    Can anyone explain what is the difference between VRF and VRF Lite. What is the main purpose/application of VRF Lite?
    Thanks in advance
    AK

    Vrf-lite is a leaner cut down version of MPLS-VRF.
    Where in MPLS-VRF you need labels for VPN traffic switching, you dont need labels in VRF-lite.
    VRF-lite mainly relies on routing using multiple virtual routing instances created for each vrf for switching traffic. There is no label switching for VRF-lite.
    Since there is no label switching, you need to populate VRF's on every hop on your network. For example |Lan--PE1---PE2---PE3--Lan|
    PE1 has 2 vrf's connected to a local lan, to route these VRF's to the other end(PE3), you will need to have dedicated interfaces(or subinterfaces on each hop and enable routing instances for each VRF on each hop.
    But with MPLS-VRF you need to just enable the VRF's on PE1 and PE3 with MPBGP and Label Switching enabled.
    So the advantage of VRF-Lite is to have virtualization of your sub-networks a smaller scale. If you have a big network, you may very well consider implementing MPLS (even though you may be an enterprise).
    HTH-Cheers,
    Swaroop

  • Need help on VRF lite

    I have implement VRF lite feature for one of the customer...it's working fine..But i m not so clear of following command ...........Can any one explane the same.
    router ospf 511 vrf abc
    capability vrf-lite <--------What is use of this command..is this is reletaed to BGP to OSPF redistribution..?

    Hi,
    VRF lite converts the router into multiple virtual routers each one with its separated routing table, interfaces and routing protocols.
    The OSPF Support for Multi-VRF on CE Routers feature provides the capability of suppressing provider edge (PE) checks that are needed to prevent loops when the PE is performing a mutual redistribution of packets between the OSPF and BGP protocols. When VPN routing and forward (VRF) is used on a router that is not a PE (that is, one that is not running BGP), the checks can be turned off to allow for correct population of the VRF routing table with routes to IP prefixes.
    When the OSPF process is associated with the VRF, several checks are performed when link-state advertisements (LSAs) are received. PE checks are needed to prevent loops when the PE is performing a mutual redistribution between OSPF and BGP interfaces. In some situations, performing PE checks might not be desirable. The concept of VRFs can be used on a router that is not a PE router (that is, a router that is not running BGP). With the capability vrf-lite command, the checks can be turned off to allow correct population of the VRF routing table with routes to IP prefixes.
    This command suppresses the Provider Edge (PE) specific checks on a router when the OSPF process is associated with the VRF.
    HTH, please do rate all helpful posts,
    Mohammed Mahmoud.

  • Multi-VRF support on Catalyst IOS Hybrid

    Hi,
    I have Catalyst 6509/Sup720. I intend to use hybrid sw (CatOS [SP] + IOS [RP]).
    I am planning to configure Multi-VRF feature.
    Is the Multi-VRF feature on hybrid version.? If no, is there a plan to support it in the future.
    I saw this feature supported on Cat IOS system native, but can't seem to find on the hybrid one.
    Thanks
    SSng

    Multi-VRF (VRF-Lite) is not supported in Hybrid mode. I don't think that there are any plans to support it in the future either. You would have to migrate to Native mode.
    Hope this helps,

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both the platforms support VRF lite and MPLS VPN, you can use Frame-Relay as the encapsulation for sub interfaces with local DLCI switching.
    As the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
    Router 1
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip address 172.16.120.105 255.255.255.0
    ip vrf forwarding xxx
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface
    Router 2
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
    ip vrf forwarding xxx
    ip address 172.16.120.120 255.255.255.0
    frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface

  • OSFP - VRF-Lite - question

    Posted by: p.danielsen - Dec 27, 2006, 5:21am PST
    Hi,
    A brief VRF-Lite question, I want to build a redundant setup using VRF-Lite on some Catalyst6509's, where I want to use OSFP as the IGP, and redistribute it into BGP, for uplink to our edge..
    Some time ago, I heard that there where a limitation on the numbers of OSPF processes the could be used.
    I have around 50 VRF's that I want to convert,
    Any one know if this is a problem ?.
    Thanks in advance
    /Peter

    There is no hard limit on the number of OSPF instances you can have in a VRF context anymore. This limitation has been removed in 12.2(18)SXE.
    Hope this helps,

  • PBR / VRF-lite / 6500 SUP720-10G-3C

    Hello.
    I have to make a config with PBR in a VRF, PBR tied to an IP SLA sensor also ran into the same VRF, is there any restriction regarding this on this supervisor ?

    It is supported
    BTW, your IOS is at least 7 years old.
    VRF-Lite Aware PBR
    Cisco IOS Software Release 12.2(33)SXH1 also introduces the VRF-Lite Aware Policy Based Routing (PBR) feature, which provides the ability to configure PBR on a VPN routing/forwarding instance. This feature allows users to configure VRF on an ingress interface (VRF-Lite) and apply PBR using the Cisco Express Forwarding table for that VRF. VRF-Lite Aware PBR is supported on all Cisco Catalyst 6500 Series Supervisor Engine 720, Cisco Catalyst 6500 Supervisor Engine 32, and ME-6524 products.
    link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_bulletin_cisco_catalyst_6500_virtual_switching_system_1440.html
    HTH

  • Question to understand VRF and VRF-lite features

    Hi,
    when I look at METRO switches  Feature list I see that most of them support only "VRF-Lite".
    Does it mean that they can't work with MPLS lables and can't be placed as PE devices in cases  where we need VPN services or any kinf of "Lable-switching" services?
    Which role then does those METRO switches play in a network?

    Hello Konstantin,
    VRF lite is a subset of MPLS L3 VPN features missing MPLS forwarding plane capabilities.
    An end to end dedicated IP path is needed for each VRF, practically a VRF-lite capable device should be connected to a fully capable PE node by using a L2 trunk and dedicating at least two Vlan and two  SVI for each VRF: one towards customer and one towards PE.
    you get a multi VRF CE that can be shared by multiple customers
    a fully capable PE node uses N+1 links for N VRFs, a multiVRF CE requires 2*N logical interfaces for N VRFs
    only one MPLS enabled backbone link is needed for handling traffic of multiple VRFs in a fully capable PE node.
    in metro ethernet VRF lite multi VRF CE are used as feeders sort of satellite of PE nodes to provide an access layer to customers
    Hope to help
    Giuseppe

  • VRF-Lite with 6500 w/ Sup720

    I am working with a customer who would like to utilize path isolation in their network using VRF-Lite. I am currently debating between the use of GRE tunnels vs. VLANs between 3 core switches they currently have in place today. This is going to be overlay network on top of what they currently have. The core is all L2 today with 802.1q trunks between each of 3 cores in a ring topology. Closets are single homed into the core throughout.
    My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 seperate network types they would like to isolate. The Access layer switches will trunk to the cores where the core will apply VRFs to specific VLANs based on their role.
    Which is going to be a more scalable solution from a performance and adminstration standpoint. GRE, VLANs, or MPLS?
    Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs Multipoint for routing inside the VRF).
    Any thoughts on which way to proceed? From what i have read GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned with loopbacks,tunnels, and then routing on top of that the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks which should simplify the solution.
    Can we use MPLS here and just do PE to PE MPLS and still get the VRF segmentation we need between cores?
    I would like eventually migrate the entire core to L3 completely but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
    Whats the best approach here?

    Shine,
    I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
    Here is the high level overview
    1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
    2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
    3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
    4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
    5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
    6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
    7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
    8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
    9. Each of the Cores had a trunk to to 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
    10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue mult-vlan mode on the FWSM to get it to work.
    11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple host VLANs here - Guest and Private so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
    12. For Layer 3 NAC we justed used an out of band CAM configurations with ACLs on the Unauthorized VLAN
    It worked like a charm.
    If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the mulitple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinately. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tagged switched traffic only? Is your campus and link make up significant enough to benefit from such a flexible design?

Maybe you are looking for