Redundant access from MPLS VPN to global routing table

Similar Messages

• VRF Best Practice: LAN only VRF, Mgmt VRF, Global Routing table or VRF?

  I am setting up a routed LAN (not a WAN) environment on two 6500 switches (sup-720). My goal is to create 32 routed environments separated by logical firewalls (multi-context ASA's). So I want a “core” router in each environment, and don't want to buy 32 pairs of 6500's-sorry Cisco.
  Each of these environments are tied together by a core routing environment, running on the same pair of 6500's. No WAN MPLS is going on and I am trying to use VRF for each of the routed environments core router. The management functions of the 6500 shall run off the VRF Core router and ip range (the one that ties all the other VRF's together. Here is a simple diagram:
  VRF1
  ||
  FW1
  ||
  VRFCOR
  ||
  FW2
  ||
  VRF2
  So to go from VRF1 to VRF2, you traverse two firewalls and VRFCOR.
  Several questions related to this design:
  1) Am I nuts to use VRF's in this application?
  2) Is there a better choice than VRF's to do what I want?
  3) Should VRFCOR be the global routing table (IOW, not a VRF)? Or should be its own VRF? Another way to ask this is: Shall a router ever run entirely in VRF tables, or should there be at least one global table in use?
  4) Are there problems with any management protocols on a VRF, such as NTP, AAA, SNMP, LOGGING, TELNET? Or have all those been worked out?
  5) Any other suggestions?
  TIA, Will

  VRF is suited for such kind of an application. Refer to URL http://cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a0080851cc6.pdf to get an idea about the

• Vrf routes into global route table

  Dear All
  I am stuck with a design I am trying to come up with for our EDGE network and looking for ideas from the community.
  It is similar to what is described here:
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86450http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/ServEdge.html#wp86904
  In short we have a multi-context FWSM at 2 sites creating an EDGE network, each site operate independently. The sites are linked internally in a single routing domain using OSPF. Each of the outside networks are in seperate VRFs, single-tier model.
  I need to find a way to:
  1) link the 2 sites (currently is done with a GRE tunnel between the site vrfs, looking at replacing this with mp-bgp and l3vpn encapsulation)
  2) redistribute routes from each of the vrf into the common global route table (running ospf)
  1 is working nicely with mp-BGP peer between the sites and routes distributed between, however I am stuck on how to achieve 2.
  The only way I can see is to change the global route table to a vrf, then use rt import/export. This is commonly described as shared services. When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
  Basically I want dynamic routing from the global route table to learn routes from each of the sites vrf. Then if a particular site's vrf is unavailable, it can pick up the other site's route.
  Am I missing something here? The document linked makes it sound incredibly easy yet I am struggling with how to implement it.
  Any advice is much appreciated

  Hello philip,
  It is really hard to help you, if you do not provide topology where you would like to implement these changes, so just some thoughts to your points:
  2) redistribute routes from each of the vrf into the common global route table (running ospf)
  You can use PE - CE design. VRFs are terminated on PE with all routes you need in respective VRFs. On PE, MP-BGP routes are redistributed into respective VRF's OSPF process . PE is connected with CE via separate physical interface for each VRF or you can use one physical interface with dedicated sub-interface for each VRF. PE is peering with CE using OSPF. All routes end up in CE global routing table.
  Problems with this design ->
  - for each VRF you have to create separate OSPF process on PE and CE, also OSPF process ID has to be unique on PE for each VRF. Also OSPF process ID has to match to establish OSPF neighborship between PE-CE, so on CE you will have to redistribute OSPF routes from each process to your main OSPF process.
  other workarounds ->
  1) instead OSPF you will use as peering protocol BGP between PE-CE, but you still have to redistribute BGP routes to OSPF on CE
  2) you will use different PE to redistribute each VRF -> BGP routes will be redistributed from VRF into OSPF (same process ID as your main OSPF ID). Routes will be advertised via OSPF into CE global routing table.
  You will use on PE per VRF to redistribute routes into OSPF with same process ID as your main process ID. Thanks to different PEs, you can have same OSPF process ID, all these PEs will peer with same CE via OSPF.
  I hope I made my thoughts understandable, cause its quite hard to explain
  When I did that I got stuck with how to do the BGP peering as the loopback I was using for the peering is inside the new vrf.
  This should not be a problem. You can have same IP on all VRF and also global table, so peering can still be done. After BGP routes are exchanged you can leak prefixes from one vrf to another or into global table as you need.
  Best Regards
  Please rate all helpful posts and close solved questions

• Sharing global routing table with vrf for intra-as traffic

  We have a network block of 10.201.0.0/16 which is divided into two subnet 10.201.0.0/18 and 10.201.192.0/18. We are getting a internet feed for each subnet.
  10.201.192.0/18 is in global routing table, and 10.201.0.0/18 is in a vrf-lite green.
  I am thinking doing the following:
  ...........HUB
  VL199/....\VL198
  SPOKE1 SPOKE2
  Hub and spoke are from perspective of vrf green.
  For vrf green in the HUB:
  ip route vrf green 10.201.0.0 255.255 255.192 vlan 199
  ip route vrf green 10.201.64.0 255.255.255.192 vlan198
  SPOKE1
  ip route 0.0.0.0 0.0.0.0 vlan199
  SPOKE2
  ip route 0.0.0.0 0.0.0.0 vlan198
  Suppose we already get the 2 internet feeds to HUB route with vrf green and global routing table. This should get vrf green going.
  But we also have global routing table on the HUB router.
  We would like to have 10.201.0.0/16 communicating with each other, and only keep internet default separated.
  How should we get to 10.201.0.0/18 from global routing table and how should we get to 10.201.192.0/18 from SPOKE[12]?

  In my lab, I have 2 ports configured.
  int gi1/2
  ip vrf forward green
  ip address 10.201.192.253 255.255.255.252
  int gi1/1
  ip address 10.201.192.254 255.255.255.252
  ip route 10.201.0.0 255.255.192.0 gi1/2
  ip route vrf 10.201.192.0 255.255.192.0 gi1/1 10.201.192.254
  This way, from vrf green to global has go through HUB. and vrf greens will also go through greens.
  Is there any other much elegant way for this purpose?

• Centralize internet access in MPLS VPN

  Can i implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
  If so, is there any example about that? i can't find it at CCO~
  Thanks a lot~

  If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
  1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
  2:in other CEs, make sure they can learn this route.
  If you run static route and vrf static route between CE and PE,do the following task.
  1.set default route in HUB CE, and set default route in other CEs.
  2.In all PEs,redistribute the connected and static rotues to address-family ipv4 of customer vrf.
  3.set the customer vrf default route in all PE which connected your all CEs.
  Note: make sure all PEs can reach the GW address of vrf deafult route. GW IP address is the interface of which HUB CE towards PE.
  command: "ip route vrf 0.0.0.0 0.0.0.0 global.
  TRY

• Please Help!! - Ping to and from MPLS/VPN

  I am having strange ping results and cannot understand why. My gut feeling is that this stems from a lack of understanding of the technology.
  First, I have leaked a Vrf subnet into the global vrf so that I can have reachability to some devices in the vrf and the devices themselves can have reachability to services outside of the cloud.
  I know this design is going to seem a little convoluted so bear with me. I have built a model of my providers network whereby the connected routes between the CE and PE are public addresses, the internal routes are private addresses in the 10.0.0.0/8 network. I am running BGP between the PE and CE, and then redistributing static routesinto OSPF for the actual MPLS network routing.
  Then of the backbone (Area 0) of the OSPF network, I have a connection to what I will call my Services network where resources such as DNS/DHCP, Internet, and Call Manager reside.(See diagram).
  What happens is that on the PE that is directly connected to the CE, I cannot ping the network contained in the CE unless I actually specify an interface other than the address of the directly connected interface.
  If I go to the P router I can ping just fine. Even if I go to the Services network I am successful so I know that I have been somewhat successful in leaking the subnet located in the VPN vrf.
  On the flip side, When I am in the CE, I cannot ping to the Services network, or any network that is in the 10.0.0.0/8 space, so I am almost certain there is a routing principle that I am missing here.
  Sorry for the long post, but I am trying to include the pertinent information that I hope will lead to some assistance.

  Lejoe,
  You were correct in discovering that the route was missing from the 3750 metro point back to the connected route between the PE and CE. I added this and I am not able to ping the services network from the CE router. Thanks very much for this. I am glad it was a simple resolution.
  As far as the duplicate address on the 3750 Metro and the PE, the interface on the 3750 was left over from a previous design and is inactive. Thanks for catching as I would need to clean it up regardless.
  You were also correct in saying that if I source the ping from within the vrf, then I am able to ping. However, I thought that I took care of this by leaking the route to the global config. Here is the global ruoting table on the PE router.
  S 68.139.201.28/30 is directly connected, FastEthernet1/0
  C 68.1.1.4/30 is directly connected, FastEthernet0/0
  O IA 68.2.1.4/30 [110/12] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.1.2.4/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.1.0.1/32 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  C 68.1.1.1/32 is directly connected, Loopback0
  O IA 68.0.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.2.1.1/32 [110/13] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.0.2.0/30 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.2.0.1/32 [110/3] via 68.1.1.5, 23:30:42, FastEthernet0/0
  O IA 68.255.1.0/30 [110/2] via 68.1.1.5, 23:30:42, FastEthernet0/0
  10.0.0.0/16 is subnetted, 1 subnets
  S 10.152.0.0 [1/0] via 68.139.201.30, FastEthernet1/0
  O*E2 0.0.0.0/0 [110/1] via 68.1.1.5, 23:30:42, FastEthernet0/0
  If you take a look at the configs, I have placed the directly connected route into the global table by using a static route on the PE router:
  ip route 68.139.201.28 255.255.255.252 FastEthernet1/0
  I would like to understand why I cannot ping the directly connected route from the PE, especially when it is in the routing table. Would you know why this is?

• Configuring MPLS VPN using static routing

  Hi,
  I am managed to set up a BGP/MPLS VPN in a laboratory using CS3620 routers running IOS 12.2(3) with ISIS. I am thinking of using static routes among the PE and P routers instead of a IGP. Does anyone know if Cisco routers supports static configuration of LSP? I have tried but could not get it work.

  You can very well run MPLS with static routing in the core, as in Cisco we have to meet 2 criterias to have a MPLS forwarding Table.
  1) Creating the LIB
  This thing lies in having LDP neighborship netween two peers and you have Label bindings.
  This is irrespective of what is the best next hop to reach the advertising peers LDP_ID.
  2) Creating the LFIB
  Now after considering all the Label bindings, the LDP_ID which can be reached out an interface
  as a next hop, those Label bindings get installed in the LFIB.
  So considering the above two points, we have to be careful in static routes
  only for interfaces like Ethernet (Multiaccess Segments).
  As in CEF when you give a static route pointing to an Ethernet Interface, CEF creates a
  GLean Adjacency (Meaning there could be multiple hosts as the next hop on this segement, and it will glean for the right next-hop)
  Now you may observe that when you give a static route only pointing to an Ethernet interface,
  you LDP adjacency may come up and you may exchange the bindings with each other. But the Label Forarding Table is not created. This is bcos of this being a Multiaccess interface. And you have
  Glean For it. If its a Normal WAN interface like Serial or POS, then there is no problem of
  GLean and you would have a Valid Cached Adjacency.
  So to avoid probelems with Ethernet interfaces you can simply specify the next-hop-ip address.
  For Eg: ip route 10.10.31.250 255.255.255.255 10.10.31.226 (Without the Interface)
  ip route 10.10.31.250 255.255.255.255 fa0/0 10.10.31.226 (Or with the Interface)
  Only Difference in both is in the first one it has to do a recursive lookup for the outgoing interface. Otherwise both work well. And you can have static routes in your network
  running MPLS.
  And doing this CEF would would work as it should and you would have a Valid Cached Adjacency.
  So this is applicable for Cisco devices which use CEF, including 6500 with SUP720.
  HTH-Cheers,
  Swaroop

• Problem ! Calling report6 from forms6(run_product()) using global temporary table.

  Requirement :
  To generate stock movement report for certain selected items.
  Background :
  A Form is created with data block (tmp_item_master - a global temporary table)
  when_new_form_instance :
  inserting into tmp_item_master from item_master and then execute_query on tmp_item_master block.
  User selects certain items using check box provided.
  Now tmp_item_master is updated for ch_select_flag_yn = 'Y' for selected items
  and commit.
  Calling report from form(using run_product()).
  Now the main query in report, is joined with tmp_item_master where ch_select_flag_yn = 'Y'
  Here, we are unable to see the report for any item. As the global temporary table data is not visible in the report session.
  How to resolve this problem ?
  Note : global temporary table created with ON COMMIT PRESERVE ROWS
  Thanking you,
  From praful.
  null

  Hi,
  You are using 'ON Commit Delete Rows' . Instead of Use ' ON COMMIT PRESERVE ROWS'
  The ON COMMIT DELETE ROWS clause indicates that the data should be deleted at the end of the transaction.
  CREATE GLOBAL TEMPORARY TABLE my_temp_table (
  column1 NUMBER,
  column2 NUMBER
  ) ON COMMIT DELETE ROWS;
  In contrast, the ON COMMIT PRESERVE ROWS clause indicates that rows should be preserved until the end of the session.
  CREATE GLOBAL TEMPORARY TABLE my_temp_table (
  column1 NUMBER,
  column2 NUMBER
  ) ON COMMIT PRESERVE ROWS;
  Edited by: Mrucha on Nov 26, 2012 6:06 AM

• Internet Access in MPLS VPN scenario

  Hi,
  I do have topology CE8-PE2(AS 65001)-PE1(AS 65001)-ASBR1(AS1).
  Now PE2 and PE1 both are in same AS and PE1 has ebgp with ASBR1, ASBR1 is my internet router.
  I do have vrf ce on router PE2 and have attached that vrf on PE2 interface where CE8 is connected.
  and all the config are in attachment.
  regards
  Devang

  Hi,
  Some config is missing from the BGP vrf, you have not generated the VPNV4 routes for the vrf, please add on PE2;
  router bg 65001
  address-family ipv4 vrf ce
  red connected
  red static
  can you post ;
  show ip route
  show ip bgp
  From the PE1 & PE2?
  + show ip bg vpn all from PE2 only
  Thanks,
  LR

• Pushing connections from the VPN to the router.

  I am trying to set up a VPN on Snow Leopard Server. What I have now, when one connects to the VPN, the server assigns an IP address to the one who connects and their connection is sent out from the server. Instead of this, I would like the server to push the connection out to the router it is connected to and have the router assign an IP address to the computer and the connection is set out from the router (like the person is actually connect to LAN). How do I set this up?

  when one connects to the VPN, the server assigns an IP address to the one who connects and their connection is sent out from the server
  That's correct - that's how it works.
  I would like the server to push the connection out to the router it is connected to and have the router assign an IP address to the computer and the connection is set out from the router (like the person is actually connect to LAN).
  I'm not quite sure what you're asking for here.
  First off, the router cannot be the one that assigns the IP address. The VPN server has a pool of IP addresses it can use, and those are the only addresses it will use. You can't have the VPN server query some other DHCP server for an address.
  This is rarely an issue, though, which is why I don't think I understand what you're after.
  The other part I don't get is '... the connection is set out from the router (like the person is actually connect to LAN)"
  What do you mean by this? The router is going to be used for all outgoing traffic, no matter what, and VPN clients will act just like they're on the LAN, so either you have a really funky network setup that I can't visualize, or I'm not understanding what you're trying to achieve (and what isn't working).
  Can you be more specific?

• Leaking MPLS VPN learned routes from VRF to Global

  I'm trying to leak routes from a VRF to global. I can get the routes leaked from directly connected CE to the global, however I can't get the routes from remote CE's to leak in to the global routing table. Below are my configurations
  RP/0/0/CPU0:B25BR1#sh run vrf TR
  Wed Dec 17 22:40:33.772 UTC
  vrf TR
   address-family ipv4 unicast
    import route-target
     65000:7020
    export to default-vrf route-policy TR-2-GLOBAL
    export route-target
     65000:7020
  RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
  Wed Dec 17 22:40:50.851 UTC
  route-policy TR-2-GLOBAL
    if destination in TR-2-GLOBAL then
      pass
    endif
  end-policy
  RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
  Wed Dec 17 22:40:57.861 UTC
  prefix-set TR-2-GLOBAL
    192.168.0.17/32,
    192.168.0.18/32,
    192.168.0.19/32,
    192.168.0.20/32
  end-set
  !Routes that I want to see also are  192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
  RP/0/0/CPU0:B25BR1#sh route vrf TR
  Wed Dec 17 22:41:45.767 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
  C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
  B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  RP/0/0/CPU0:B25BR1#sh ip rou
  Wed Dec 17 22:41:50.097 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  S    10.0.0.0/27 is directly connected, 08:04:01, Null0
  O    10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  C    10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  L    10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                    [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
  O    10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  S    10.0.128.0/29 is directly connected, 08:04:01, Null0
  O    10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                     [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  C    10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  L    10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  S    10.1.0.4/30 is directly connected, 06:57:23, Null0
  S    10.1.128.4/30 is directly connected, 08:04:01, Null0
  C    10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
  O    192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  O    192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
  O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
  B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
  Thanks!
  -Sajith

  I'm trying to leak routes from a VRF to global. I can get the routes leaked from directly connected CE to the global, however I can't get the routes from remote CE's to leak in to the global routing table. Below are my configurations
  RP/0/0/CPU0:B25BR1#sh run vrf TR
  Wed Dec 17 22:40:33.772 UTC
  vrf TR
   address-family ipv4 unicast
    import route-target
     65000:7020
    export to default-vrf route-policy TR-2-GLOBAL
    export route-target
     65000:7020
  RP/0/0/CPU0:B25BR1#sh rpl route-policy TR-2-GLOBAL
  Wed Dec 17 22:40:50.851 UTC
  route-policy TR-2-GLOBAL
    if destination in TR-2-GLOBAL then
      pass
    endif
  end-policy
  RP/0/0/CPU0:B25BR1#sh rpl prefix-set TR-2-GLOBAL
  Wed Dec 17 22:40:57.861 UTC
  prefix-set TR-2-GLOBAL
    192.168.0.17/32,
    192.168.0.18/32,
    192.168.0.19/32,
    192.168.0.20/32
  end-set
  !Routes that I want to see also are  192.168.0.19/32 and 192.168.0.20/32 which are there in the VRF routing table
  RP/0/0/CPU0:B25BR1#sh route vrf TR
  Wed Dec 17 22:41:45.767 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  B    10.1.0.0/30 [20/0] via 10.1.0.5, 00:14:32
  C    10.1.0.4/30 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  L    10.1.0.6/32 is directly connected, 06:57:19, GigabitEthernet0/0/0/2
  B    10.1.128.0/30 [20/0] via 10.1.0.5, 00:14:32
  B    192.168.0.17/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.18/32 [20/0] via 10.1.0.5, 00:13:56
  B    192.168.0.19/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  B    192.168.0.20/32 [200/0] via 192.168.0.4 (nexthop in vrf default), 00:13:31
  RP/0/0/CPU0:B25BR1#sh ip rou
  Wed Dec 17 22:41:50.097 UTC
  Codes: C - connected, S - static, R - RIP, B - BGP, (>) - Diversion path
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
         i - ISIS, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, su - IS-IS summary null, * - candidate default
         U - per-user static route, o - ODR, L - local, G  - DAGR
         A - access/subscriber, a - Application route, (!) - FRR Backup path
  Gateway of last resort is not set
  S    10.0.0.0/27 is directly connected, 08:04:01, Null0
  O    10.0.0.4/30 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  C    10.0.0.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  L    10.0.0.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/0
  O    10.0.0.12/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                    [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.0.16/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    10.0.0.24/30 [110/3] via 10.0.128.9, 06:29:14, GigabitEthernet0/0/0/1
  O    10.0.0.28/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  S    10.0.128.0/29 is directly connected, 08:04:01, Null0
  O    10.0.128.0/30 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                     [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    10.0.128.4/30 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  C    10.0.128.8/30 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  L    10.0.128.10/32 is directly connected, 08:04:00, GigabitEthernet0/0/0/1
  S    10.1.0.4/30 is directly connected, 06:57:23, Null0
  S    10.1.128.4/30 is directly connected, 08:04:01, Null0
  C    10.18.0.0/16 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    10.18.0.9/32 is directly connected, 08:04:00, MgmtEth0/0/CPU0/0
  L    127.0.0.0/8 [0/0] via 0.0.0.0, 08:04:04
  O    192.168.0.1/32 [110/2] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
  O    192.168.0.2/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.3/32 [110/3] via 10.0.128.9, 08:03:40, GigabitEthernet0/0/0/1
  O    192.168.0.4/32 [110/3] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.5/32 [110/4] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/4] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  O    192.168.0.6/32 [110/2] via 10.0.128.9, 08:03:51, GigabitEthernet0/0/0/1
  O    192.168.0.7/32 [110/3] via 10.0.0.9, 08:03:10, GigabitEthernet0/0/0/0
                      [110/3] via 10.0.128.9, 08:03:10, GigabitEthernet0/0/0/1
  L    192.168.0.8/32 is directly connected, 08:04:00, Loopback0
  B    192.168.0.17/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  B    192.168.0.18/32 [20/0] via 10.1.0.5 (nexthop in vrf TR), 00:05:37
  I'm only seeing the routes from the directly connected CE, but not the routes received from RR. What am I missing here?
  Thanks!
  -Sajith

• Managing Route-Map based MPLS VPN

  1) How to derive the VPN information of the MPLS VPN configured using route-maps? As I understand, stitching route-maps information to derive VPN is complex as it is difficult to derive & correlate the filters tied to each of the route-maps that are tied to a VRF :(
  2) Is there any MIB to get from the MIB
  a) Route-maps tied to each VRF
  b) What is the filter associated with each route-map?
  c) Definition of each of the above filter
  It would have been nice if the route-maps' name had global-significance within AS, so that we could have treated route-maps, pretty much like the route-tragets. Alas, I doubt it is :(
  It should be noted here that if the MPLS VPN is configured using route targets, the VPN information derivation is fairly straight forward throught MplsVpn MIB.
  So, the question is what is the simplest way to derive the MPLS VPN info given that they are configured using route-maps in BGP for labelled-route-distribution & for the pkt association with the VRFs.
  Thanks,
  Suresh R

  Each CE in a customer VPN is also added to the management VPN by selecting the Join the management VPN option in the service request user interface.
  The function of the management route map is to allow only the routes to the specific CE into the management VPN. The Cisco IOS supports only one export route map and one import route map per VRF.
  http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a0080353ac3.html

• Route Leaking in MPLS/VPN Networks (IOX support)

  Hi all,
  I would like to if IOX of CRS-1 can support route leaking between VRF<>Global routing table?
  hhttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtmlttp://www.cisco.com/en/US/tech/tk436/tk832/technologies_configuration_example09186a0080231a3e.shtml
  Regards

  Hi,
  You can use the vrf keyword after the prefix you want to join and before specifying the NH. It will tell the router in which VRF the lookup should be done:
  http://www.cisco.com/en/US/docs/routers/crs/software/crs_r4.0/routing/command/reference/rr40crs1book_chapter9.html#wp172562637
  The vrf name "default" is reserved to reference the GRT.
  HTH
  Laurent.

• Central Site Internet Connectivity for MPLS VPN User

  What are the solutions of Central site Internet connectivity for a MPLS VPN user, and what is the best practice?

  Hello,
  Since you mentioned that Internet Access should be through a central site, it is clear that all customer sites (except the central) will somehow have a default (static/dynamic) to reach the central site via the normal VPN path for unknown destinations. Any firewall that might be needed, would be placed at the central site (at least). So, the issue is how the central site accesses the Internet.
  Various methods exist to provide Internet Access to an MPLS VPN. I am not sure if any one of them is considered the best. Each method has its pros and cons, and since you have to balance various factors, those factors might conflict at some point. It is hard to get simplicity, optimal routing, maximum degree of security (no matter how you define "security"), reduced memory demands and cover any other special requirements (such as possibility for overlapping between customer addresses) from a single solution. Probably the most secure VPN is the one which is not open to the Internet. If you open it to the Internet, some holes also open inevitably.
  One method is to create a separate Internet_Access VPN and have other VPNs create an extranet with that Internet_Access VPN. This method is said to be very secure (at least in terms of backbone exposure). However, if full routing is a requirement, the increased memory demands of this solution might lead you to prefer to keep the internet routing table in the Global Routing Table (GRT). You might have full routing in the GRT of PEs and Ps or in PEs only (second is probably better).
  Some names for solutions that exist are: static default routing, dynamic default routing, separate BGP session between PE and CE (via separate interface, subinterface or tunnel), extranet with internet VRF (mentioned earlier), extranet with internet VRF + VRF-aware NAT.
  The choice will depend on the requirements of your environment. I cannot possibly describe all methods here and I do not know of a public document that does. If you need an analysis of MPLS VPN security, you may want to take a look at Michael Behringer's great book with M.Morrow "MPLS VPN Security". Another book that describes solutions is "MPLS and VPN Architectures" by Ivan Pepelnjak. There is a Networkers session on MPLS VPNs that lists solutions. There is also a relevant document in CCO:
  http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml (covering static default routing option).
  Kind Regards,
  M.

• Implemting a Sprint MPLS/VPN

  Hello
  I'm implmenting a Sprint MPLS/VPN network. This is a point to point between two of my locations. The connection is handed of to me as a serial connection and I will be connecting to cisco 2800 on bothe ends. Does anyone have what a sample config might look like for my Cisco rotuer?
  Thanks in advance

  HI, [Pls Rate if HELPS]
  In addition to JOE POST,
  You need to configure as normal CE Router. You can handover your Network Traffic either via some DYNAMIC Routing Protocols (BGP, EIGRP, OSPF, RIP) or Static Routing at LAST MILE towards your Service Provider.
  At the Service Provider Side, the Connected Interface with your CE will be added with "ip vrf forwarding " command. Where seperate Routing instance will be maintained on top of Global Routing Table. The MPLS Labels are swapped over their Backbone / partner - NNI to carry your traffic over a Label Switched Path.
  For an MPLS to work, the IP-CEF will be enabled. This kind of MPLS Technology, will enable fast processing of Packets and Traffic over the Large Scale Network.
  Similarly the RT & RD Values are used to distinguish the Customer Prefixes. The RT export and Import will be done at end - to - end at Service Provider Side Routers to make the HO & BO to communicate.
  The CE Router will not involve any MPLS / VRF Configuration Technology.
  Hope I am Informative.
  Pls Rate if HELPS
  Best Regards,
  Guru Prasad R