I intend to understand what a multi-vrf is, but the bottm line is, I don't seem to understand them very well.
I was asked about it and I was surprised that I was not able to find an easy way to explain them.
If you are to explain what a multi-vrf is, how would you do it?
What are the basic ups and downs?

Hello Jayson,
a Multi-VRF CE is a device that has multiple VRFs and is shared between different customers and is generally owned and managed by the service provider.
From a technical point of view the multi-VRF CE has a subset of the features of an MPLS PE.
It has the capability to segregate traffic of different customers and to support address overlapping but:
there is no support of MPLS forwarding so there are only VRF access links both to the customer both to the real MPLS PE.
There is no support/need of the MP-BGP for address-family Vpnv4.
The uplink is usually made with an high speed 802.1Q trunk where each vlan carried is mapped to a different VRF/Customer.
The customer benefits are the sharing of the CE device and of the high speed uplink(s).
Scalability is the issue in comparison with a real PE:
a PE with N VRFs can use N+1 interfaces (N access links + 1 MPLS backbone link)
a multi VRF CE with N VRFs needs 2*N interfaces (for each VRF one link towards the customer and one towards the SP PE)
The same is true for the routing relationships: on each VRF a different routing relationship exist with PE (it can be eBGP in VRF or IGP OSPF or EIGRP in VRF) while a real PE has one/two BGP relationships with the RRS and this is enough for all defined VRFs.
Often a Multi-VRF CE is a multilayer switch that can offer high port density at a cheap price.
Hope to help

Similar Messages

  • Multi-VRF on the same device

    Hi, I have a certain design that I am thinking of implementing however need some help to understand the feasability as well as confirm if it is indeed possible to do it. It is sort of like configuring multi-vrf on the same device and leak routes from them into a global routing table. It seems impractical to do it however if I want to limit connectivity between various vlan's on a L3 level without ACL's this seems the better option. Please do correct me if that is not so.
    A device which has a number of vlan interfaces on the north side let's say a 6500 configured with a number of vlan's. Each vlan has its own vrf. The SVI interfaces are where I apply the ip vrf forwarding XXX command. This device will be like the PE I assume?
    Now I might be running various routing protocols (EIGRP, RIP, Static, BGP) within these vrf's with the devices on the other end that have no idea about vrf's. Since I have a number of routes I have learnt within their own vrf's I want to either export all these routes into the global table or create a global vrf where I can export all these routes.
    The reason being that I want to propogate all these routes to the south side. The south side interface of this PE 6500 is physically connected to a firewall via a L3 point-to-point interface. That firewall's south interface in turns connects to another switch.
    I am going to form a BGP session with between the Top PE 6500 Switch and the bottom switch and I would like to propogate all the routes that I have in their own individual vrf's on the Top 6500 PE switch to the bottom switch via BGP.
    I don't think I can run MP-BGP due to the firewalls being in the physical path. Besides I would like to run a normal BGP IPv4 session between the top and bottom switch to keep it simple and familiar.
    The reason I would like to have every vlan in its own vrf is to limit connectivity between the vlan's without configuring ACL's. It provides a bit more security between the VLAN's.
    What I am not sure about is how the packet forwarding would work or if it would work at all.
    Thx for your help.

    Hi Vikram,
    Firstly, you mentioned that the reason for going down this path is for security between the different VLANs. Have you looked at Private VLANs as another option?
    Certainly leaking routes between different VRFs can be achieved and I would recommend having a 'Shared VRF' that you leak in and out of. Having the Firewall between the PE nodes does present an issue both for BGP as well as LDP peering if you wanted to establish a MP-BGP session. From what you have mentioned above, this solution might over-complicate what you are trying to do.
    Are the network ranges in each VLAN also unique?
    Can the Firewall run IGP? If so, maybe you could run Private VLANs and the use an IGP to propogate the networks through the FW across to your other switch? If you were to establish a BGP session between the switches each side of the FW, the FW would also need to either become a BGP peer or have IGP enabled. Each BGP node would then need to inject the BGP routes into IGP. If this isnt done, the FW will drop traffic as there would not be a suitable route.
    Are the resources through the FW shared or are they also client connected networks?
    Trent Husking

  • What target address does IPM select if the target IPSLA device is a multi-VRF CE?

    What target address does IPM select if the target IPSLA device is a multi-VRF CE?
    With IPM 4.2.1 it is not possible to select the correct target IP address when configuring a collector between two multi-VRF devices. It looks as if the primary management address for the target device is used in the collector configuration which, of course, belongs in a different VRF entirely.

    One example, and there may be others, is the (free) DynDNS dynamic DNS service which publishes a domain name for the WAN port of your router which can then be resolved, like all other domain names, to the actual IP address of the WAn port of your router. This service provides a solution to the problem of having a proper domain name in cases where your public IP address changes over time. Unless you pay for a static IP address, virtually all ISPs change your public IP address over time.
    So, you can register for a free DynDNS account at and that is how you come up with the User: and Password: information; use whatever User and Password you register at with.
    The first part of the hostname you can define as you wish, subject only to someone else having used it previously, and the remaining parts of the domain name might be "" or one of the other domain names provided by the DynDNS service. So, you could publish, via DynDNS, the name of your public IP address as, for example, however you might want something less descriptive or more vague.

  • 3745 Multi VRF with modules ??

    Please anyone can tell wheather Gig modules are supported on 3745 and if yes then how many? Also please tell which is the Gig module I could not find on
    And also do the onboard LAN ports support Multi VRF function ?

    We use VRFLite with the onboard LAN ports and it works just as expected.

  • Multi-VRF support on Catalyst IOS Hybrid

    I have Catalyst 6509/Sup720. I intend to use hybrid sw (CatOS [SP] + IOS [RP]).
    I am planning to configure Multi-VRF feature.
    Is the Multi-VRF feature on hybrid version.? If no, is there a plan to support it in the future.
    I saw this feature supported on Cat IOS system native, but can't seem to find on the hybrid one.

    Multi-VRF (VRF-Lite) is not supported in Hybrid mode. I don't think that there are any plans to support it in the future either. You would have to migrate to Native mode.
    Hope this helps,

  • Multi-vrf CE/vrf lite Instances

    I'm currently looking at deploying vrf lite on our ce's but I'm unable to locate the limitations on how many instances can be run. I realise that the low-end ce's (1700, 2600) the limitation is 5 instances. Is there any other CE related devices that can run more instances, if so, how many and what devices?

    The 5 instances restriction comes from the "Designing MPLS Extensions for Customer Edge Routers" Product bulletin. The following script from that document is:
    In order to ensure that their data is kept private while traveling across a Service Provider’s network, customers are presented many VPN options to suit their needs. This paper has focused on one particular type of VPNs: MPLS-VPNs. A general description was outlined for MPLS-VPNs in order to discuss the new feature in Cisco IOS release 12.2: Multi-VRF CE.
    Multi-VRF CE extends limited PE functionality to CE devices by allowing the traditional LAN network behind a CE router to be segmented into separate VRFs. With this feature, the CE router is now able to segment their LAN traffic into a maximum of 5 separate VRFs.
    So, I'm not sure whether this is just a standard feature set for all models, or this particular feature has been upgraded to support more vrfs, which as you say, will require the appropriate capacity.

  • Multi-VRF CE or VRF-Lite support on 1800/2800

    Can anyone please confirm whether ISR 1800 and 2800 series devices support Multi-VRF CE functionality and which IOS release should be used?
    I could not find any document which is explicitly mentioning the above for the mentioned boxes.
    Actually my Purchase Order has been held up due to this... ;-)

    Yes, they both do. For specific IOS version required, please refer to the Cisco IOS features navigator:
    Hope this helps,

  • Multi-VRF CE: Number of VRF's

    Are there hard and fast limitations to the number of VRF's you can configure on a given router platform using Multi-VRF CE functionality? Or, are the only limitations those imposed by the available memory, CPU, and available routing processes on a given router.

    There is no hard limit that I know of. As you stated the limitation is rather to resources available on the node itself.
    Hope this helps,

  • Multi VRF CE and CoS/QoS

    Looking for some details on do's and dont's for Multi-VRF CE. Also wondering how CoS/QoS is supported. If I want to do CBWFQ on the CE that is supporting Multi-VRF CE can I do it per subinterface to have a policy per VRF?

    It depends on what platform you are using. The 7200 and 7300 do not support CBWFQ on sub-interfaces right now. Ive heard September this year but wont hold my breath. The 12k supports it but only on the E3 card not the 10portgigE4+ card.

  • Multi-VRF CE

    I need to know whether we can use the Cisco 2610 router as Multi-VRF C.E. which will be connected to the Cisco 3745 P.E. router (existing) via 786K Serial Connections.
    I need to configure two VRF's (IT & SOM)on the Cisco 2610 (Multi-VRF CE) and Cisco 3745 (P.E.) for the two VPNs.
    Can someone please let me know whether this is a workable solutions?
    Your help is very much appreciated.

    What is somewhat strange is your statement: "we are using the default encapsulation on the serial interface (i.e. HDLC)".
    Multi-VRF is depending on two things. First the control plane is separated, i.e. you have one separate routing context per VRF. Second you need at least a separate interface per VRF. One interface can only belong to one VRF. You can check this with "sh ip vrf interface" or with "show ip route VRF ". If there is no output then your VRF has no interface and thus no BGP session can be established. In other words: a VRF is much like a separate router - unless it has an interface there will be no communication possible.
    In your case Frame relay would be the natural choice. An example config with two VRFs could look like this:
    ip vrf VRF1
    rd 65000:1
    ip vrf VRF2
    rd 65000:2
    interface Serial0/0
    no ip address
    encapsulation frame-relay
    no keepalive
    interface Serial0/0.100
    ip vrf forwarding VRF1
    ip address
    frame-relay interface-dlci 100
    interface Serial0/0.200
    ip vrf forwarding VRF1
    ip address
    frame-relay interface-dlci 200
    router bgp 65000
    address-family ipv4 vrf VRF1
    neighbor remote-as 65100
    no auto-summary
    no synchronization
    address-family ipv4 vrf VRF2
    neighbor remote-as 65100
    no auto-summary
    no synchronization
    The IPs, interfaces, AS numbers, additional commands etc. need to be adjusted to your environment.
    Hope this helps! Please use the rating system.
    Regards, Martin

  • How to apply multi-vrf ce feature in mpls vpn envrionment?

    Hi,Could u give me some web link about multi-vrf ce feature?Thanks a lot.

    Here's an example on a CAT4500:
    Hope this helps,

  • Multi-vrf ce and ospf domain-tag

    I have configured an mpls vpn between two customer's sites. In every site I have installed two cat35xx with a multi-vrf ce.
    I have a multi access ospf neighbour ship to the customer equipments and a bgp session to mpls backbone.
    The ospf routes are redistributed on bpg and vice versa.
    On ospf process can I use domain-tag to prevent routing loop?
    How can i do to verify the domain-tag's functionality in this architecture?
    I've tried to configure domain-tag but the ospf database contains all tagged routes but how can i be confident that these routes'll not be announce back to mpls backbone through bgp session between catalyst 35xx and Pe?
    Is the the domain-tag functionality supported with vrf-lite?
    Thanks in advance

    Hi Martin,
    I've ospf process running only on catalyst 3550 with vrf-lite, the ospf routes are announced to the PE through bgp session configured between the catalyst 3550 and the PE.
    Does the vrf-lite support the same functionalities of native PE-CE ospf in the mpls vpn, as domain-tag?
    Thanks in advance

  • 6PE on Multi-VRF PE Routers?

    I am investigating mechanisms to allow the  migration of an IPv4/MPLS network, carrying VPNs, to use IPv6. I have a core of P routers,  running IOS 12.4, connecting to PE routers, also running 12.4. I am  using OSPF as the IGP, with iBGP in the core. I have static routing  defined between the PEs and the CEs, mostly because it's simple and not  the area of interest. I have two CE routers, one on VRF "Red" and one on  VRF "Blue", on each PE. I can exchange IPv4 data between the CEs on VRF  Red, and between the CEs on VRF Blue, but not between Red and  Blue....what I am describing here is pretty much a standard, multi-VPN  MPLS installation.Now I want to update the network to support  IPv4 and IPv6. I based my changes on 6PE, so added config to the PEs  only to enable IPv6 (with IPv6 addresses added to the CEs and the CE-PE  links), and I can now see from "sho bgp ipv6 uni" that the PEs are  learning unicast prefixes from MP-ibgp, and "sho ipv6 cef  <address> det" shows the forwarding table is being built, so I'm  happy that the IPv6 addresses are advertised correctly on each PE.Now  here's the problem. I can't exchange IPv6 data (I know 6PE doesn't  handle ICMP well, so I'm using telnet rather than ping between CEs to  test, but whereas telnet to an IPv4 address works, telnet to an IPv6   address doesnt). I'm running VRFs, and I want to allow them to operate  for IPv6 as well as IPv4, but I don't think they are, and lots of  documentation suggest that I should be entering something like the  following in my PEs:
    ip vrf Red
    rd 1:100
    route-target export 1:100
    route target import 1:100
    address-family ipv4
    address-family ipv6
    exit-address-familyIOS  12.4 won't accept the "address-family" statements in that context, but I  can't see another way to get the vrf to accept both address  families....Have I got the commands completely wrong, or is the  "address family" syntax in the vrf context only available in IOS XR, or  some special version of IOS?Any comments or suggestions would be most welcome!Jim

    Well, that was interesting! Laurent is quite correct, the document gives the necessary information.....BUT, you have to be very picky about the IOS you use, and on what platform the necesary commands are available....for IOS 12.4, I ended up using T-train versions, which in a production environment may be considered "suboptimal". However, the main thing is that with Laurent's answer, I have got the config I needed. Thanks!

  • Internet Connectivity for Multi - vrfs

    Hi all,
    Some help needed with the scenario below;
    Am currently migrating our legacy IP network to MPLS.we have been able to migrate 3 seperate networks into their respective vrfs and currently only left with the internet segment which used to connect to these 3 networks via a Cisco 535 firewall.
    Problem is, i have created an internet vrf and intend to export a default route within the internet vrf into the other vrfs.Which should work fine for traffic leaving these networks to the internet.
    Problem is : how to handle traffic comming from the internet to these respective vrfs without having to import those routes into the internet vrf?
    Why do i want this ? Currently inter-vrf traffic is via a FWSM only and would like to keep it that way. No leaking of routes from one vrf to the other.If i do import the 3 vrfs into the internet vrf, it will leak one vrf route to the other !
    Any help ?

    one way would be to create a VLAN subinterface per VRF in the PIX. This way all traffic to the internet would be directed towards the firewall and there you could easily control/block inter-VRF traffic.
    Or you create one internet interface in the FWSM and control access there.
    Regards, Martin

  • Native Multi-VRF-Lite Design with EIGRP Question

    we think about to implement a VRF-Lite design (no MPLS and MBGP) in our campus network (10,000 ports, 20x 6500Sup720, 400x L2-Switches). MPLS is from our point of view oversized for our requirements. We need only a segmentation from different departments. Our IGP is eigrp.
    In the latest IOS-Release for the cat6500 (12.2.18SXD) is finally a VRF-Lite support for EIGRP inside.
    We could test successful a design with different VRFs in our lab, the division workes fine. But we didn't found a way to implement shared service. These are in our case DHCP, DNS, InternerAccess and some others. We thought about a redistribution between our global EIGRP routing table and the EIGRP-vrf tables, but we didn't found a way to do this.
    How can we do this?

    Use a crossover cable to connect a port belonging to the global routing table to a port belonging to a VRF. This way you can leak EIGRP routes from the global routing table into the VRF (through that physical connection). The drawback is that you use 2 ports (that could instead be used for other things...).
    Another way to this, would be to use static routing; use ip route vrf VRF x.x.x.x m.m.m.m n.n.n.n global to allow traffic to go from the VRF into the global routing table.
    Hope that helps...

Maybe you are looking for

  • Movies and music vanished from iPhone 3Gs

    Hello! I discovered today that mysteriously, all of my movies and music vanished from my iPhone 3Gs. I have not recently synced my phone or updated the software. My iMac is currently on a FedEx truck being shipped out west for a month long vacation s

  • Merge files or redist installer for Crystal Reports 2011

    I cannot find packages for merge files or installer for the redistribution files for Crystal Reports 2011. I have found them only for older versions. In the download section there is somewhere a hint that they are at a different position but no infor

  • OTL Self Service Customisation Question

    I am currently going through our implementation of OTL and I am looking to make a few changes, I have a reasonable grasp of most of it and how it all fits together but I can't for the life of me figure out one thing. In the ldt files for the entry/re

  • Font issue with SWF

    Fonts do not display as set when exporting xlf to swf. Any ideas? Many many thanks

  • I want thunderbird to run in the background when i call the default email client

    I have software that sends emails out for reports. The software calls the default mail client (Thunderbird) and sends the email. However this opens Thunderbird and gets in the way. Is there anyway that this could send the email without opening Thunde