VRF and MPLS

Is it possible to connect a CE via vrf to a PE (ISP) running full MPLS?

I believe the support for MPLS is there for 3750-Metro range. If you have a Cat 3750 then MPLS is not supported.
But you can although configure MultiVRF CE as described in an earlier post in this thread.
You can run a layer 2 trunk to your next-hop Full MPLS PE and, create dot1q subinterfaces on both sides for the required number of VRF's. There shouldnt be any performance issues as far as i know with this setup.
In fact not carrying your IBGP to your aggregation edges (CE's) you have a leaner network, which is the way to go for enterprises trying to virtualize their network.
Here is a reference link for configuration sample.
http://www.cisco.com/en/US/tech/tk828/technologies_white_paper0900aecd8012033f.shtml
HTH-Cheers,
Swaroop

Similar Messages

MPLS VRFs and DMVPN

Hello,
we try to build a DMVPN Solution and try to integrate this solution into our MPLS network.
Can anybody give me some informations about DMVPN and MPLS VRF configuration.
Thanks
Peer

Try this link, might help http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

VRF lite and MPLS VRFs

We have a CE router connected to PE router. The CE router is connected via 2 links to the PE router, because we need to create two VRFs on the PE for the traffic coming from the CE to separate the traffic, so we have one vrf per link. We are running OSPF between CE and PE.. Now we need to further separate the traffic up to the CE, so Im thinking of using the VRF lite on the CE.. Can MPLS work with the VRF lite, and how to map the VRF lite VRFs on the CE to the MPLS VPN on the PE?
Is there any config examples?
Thanks in advance

VRF Lite and MPLS-VPN act independently so they can work independently. And there is no specific need for mapping. If link is for VRF A on PE so you can make it part of vrf A in CE as well. Both VRFs are independent of each other.
http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
THis document is for 4500 but logic holds the same.

Sourced Based VRFs and IPSEC

Hi All,
I have 2 questions.
1) Does Cisco Router 7600 with SUP720 3BXL supports VRF Selection based on Source IP Address [Layer 3 VPNs]?
2) We have various clients reaching a Router and we want to forward them to a their company's VRFs, based on their source address (Given by Radius or Statically). Now, Ideally, we want to give to the customer's H.Q. the option to connect to this router using Leased Lines (or Frame Relays) or by using IPSEC (over the internet). Is this possible? Can traffic from an access server arrive to an interface and based on the source, the user will be either forwarded to a VRF or an IPSEC?
Regards.
Regards.

Hello,
a solution to xour problem could be to have a VRF aware access server and place the customers into their respective VRF right away (the feature is called Multi-VRF aka VRF-lite). IPSec and Dialer interfaces are possible. Based on authentication you could define the VRF and by having a dot1Q trunk to the 7600 which operates as the MPLS PE.
A second option is to have the trunk to the 7600, VLANs in different VRFs and to do PBR into different VLANs on the CE router/access server.
Hope this helps! please rate all posts.
Regards, Martin

MP-BGP and MPLS multipath load sharing

Hi,
I am trying to PoC MPLS multi path load sharing by using per-PE-per-VRF RDs in the network.
I have a simple lab setup with AS65000 which consists of SITE1 PE1&PE2 routers (10.250.0.101 and 10.250.0.102), route reflector RR in the middle (10.250.0.55) and SITE2 PE1&PE2 routers (10.250.0.201 and 10.250.0.202). PE routers only do iBGP peering with centralized route reflector and passing route to 10.1.1.0/24 prefix (learned from single CE router) with 100:1 and 100:2 RDs for specific VRF.
Route reflector gets routes with multiple RDs, makes copies of these routes in order to make local comparison to RD 55:55 configured, uses these routes and install multiple paths into its routing table (all PE routers and RR have "maximum-paths eibgp 4" configured):
RR#sh ip bgp vpnv4 all
BGP table version is 7, local router ID is 10.250.0.55
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 55:55 (default for vrf VRF-A) VRF Router ID 10.250.0.55
* i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
*>i                 10.250.0.101             0    100      0 65001 i
Route Distinguisher: 100:1
*>i10.1.1.0/24      10.250.0.101             0    100      0 65001 i
Route Distinguisher: 100:2
*>i10.1.1.0/24      10.250.0.102             0    100      0 65001 i
RR#sh ip route vrf VRF-A
<output omitted>
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B       10.1.1.0/24 [200/0] via 10.250.0.102, 00:45:52
                          [200/0] via 10.250.0.101, 00:46:22
BUT, for some reason RR doest reflects routes with multiple RDs down to SITE2 PE1&PE2 - its own clients:
RR#sh ip bgp vpnv4 all neighbors 10.250.0.201 advertised-routes
Total number of prefixes 0
RR#sh ip bgp vpnv4 all neighbors 10.250.0.202 advertised-routes
Total number of prefixes 0
Here comes RR BGP configuration:
router bgp 65000
no synchronization
bgp router-id 10.250.0.55
bgp cluster-id 1.1.1.1
bgp log-neighbor-changes
neighbor 10.250.0.101 remote-as 65000
neighbor 10.250.0.101 update-source Loopback0
neighbor 10.250.0.101 route-reflector-client
neighbor 10.250.0.101 soft-reconfiguration inbound
neighbor 10.250.0.102 remote-as 65000
neighbor 10.250.0.102 update-source Loopback0
neighbor 10.250.0.102 route-reflector-client
neighbor 10.250.0.102 soft-reconfiguration inbound
neighbor 10.250.0.201 remote-as 65000
neighbor 10.250.0.201 update-source Loopback0
neighbor 10.250.0.201 route-reflector-client
neighbor 10.250.0.201 soft-reconfiguration inbound
neighbor 10.250.0.202 remote-as 65000
neighbor 10.250.0.202 update-source Loopback0
neighbor 10.250.0.202 route-reflector-client
neighbor 10.250.0.202 soft-reconfiguration inbound
no auto-summary
address-family vpnv4
neighbor 10.250.0.101 activate
neighbor 10.250.0.101 send-community both
neighbor 10.250.0.102 activate
neighbor 10.250.0.102 send-community both
neighbor 10.250.0.201 activate
neighbor 10.250.0.201 send-community both
neighbor 10.250.0.202 activate
neighbor 10.250.0.202 send-community both
exit-address-family
address-family ipv4 vrf VRF-A
maximum-paths eibgp 4
no synchronization
bgp router-id 10.250.0.55
network 10.255.1.1 mask 255.255.255.255
exit-address-family
SITE1 PE1 configuration:
router bgp 65000
no synchronization
bgp router-id 10.250.0.101
bgp log-neighbor-changes
neighbor 10.250.0.55 remote-as 65000
neighbor 10.250.0.55 update-source Loopback0
neighbor 10.250.0.55 soft-reconfiguration inbound
no auto-summary
address-family vpnv4
neighbor 10.250.0.55 activate
neighbor 10.250.0.55 send-community both
exit-address-family
address-family ipv4 vrf VRF-A
neighbor 10.1.101.2 remote-as 65001
neighbor 10.1.101.2 activate
neighbor 10.1.101.2 soft-reconfiguration inbound
maximum-paths eibgp 4
no synchronization
bgp router-id 10.250.0.101
exit-address-family
SITE1 PE2 configuration is similar to SITE1 PE1. They both do eBGP peering with dualhomed CE router in AS65001 which announces 10.1.1.0/24 prefix into VRF-A table.
My question is: clearly, the issue is that RR doesn't reflect any routes to its clients (SITE2 PE1&PE2) for 10.1.1.0/24 prefix with 100:1 and 100:2 RDs that dont match it's locally configured RD 55:55 for VRF-A, although they are present in its BGP/RIB tables and used for multipathing. Is this an expected behavior or some feature limitation for specific platform or IOS version? Currently, in this test lab setup I run IOS 12.4(24)T8 on all the devices.
Please, let me know if any further details are needed to get an idea of why this well known and widely used feature is not working correctly in my case. Thanks a lot!
Regards,
Sergey

Hi Ashish,
I tried to remove VRF and address family configurations completely from RR.
router bgp 65000
no synchronization
bgp router-id 10.250.0.55
bgp cluster-id 1.1.1.1
bgp log-neighbor-changes
neighbor 10.250.0.101 remote-as 65000
neighbor 10.250.0.101 update-source Loopback0
neighbor 10.250.0.101 route-reflector-client
neighbor 10.250.0.101 soft-reconfiguration inbound
neighbor 10.250.0.102 remote-as 65000
neighbor 10.250.0.102 update-source Loopback0
neighbor 10.250.0.102 route-reflector-client
neighbor 10.250.0.102 soft-reconfiguration inbound
neighbor 10.250.0.201 remote-as 65000
neighbor 10.250.0.201 update-source Loopback0
neighbor 10.250.0.201 route-reflector-client
neighbor 10.250.0.201 soft-reconfiguration inbound
neighbor 10.250.0.202 remote-as 65000
neighbor 10.250.0.202 update-source Loopback0
neighbor 10.250.0.202 route-reflector-client
neighbor 10.250.0.202 soft-reconfiguration inbound
no auto-summary
address-family vpnv4
neighbor 10.250.0.101 activate
neighbor 10.250.0.101 send-community both
neighbor 10.250.0.102 activate
neighbor 10.250.0.102 send-community both
neighbor 10.250.0.201 activate
neighbor 10.250.0.201 send-community both
neighbor 10.250.0.202 activate
neighbor 10.250.0.202 send-community both
exit-address-family
After this, RR doesn't accept any routes at all from S1PE1&S1PE2 routers, thus not reflecting any routes down to its clients S2PE1&S2PE2 as well:
S1PE1#sh ip bgp vpnv4 all
BGP table version is 6, local router ID is 10.250.0.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
*> 10.1.1.0/24      10.1.101.2               0             0 65001 i
S1PE1#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
BGP table version is 6, local router ID is 10.250.0.101
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:1 (default for vrf VRF-A) VRF Router ID 10.250.0.101
*> 10.1.1.0/24      10.1.101.2               0             0 65001 i
Total number of prefixes 1
S1PE2#sh ip bgp vpnv4 all
BGP table version is 6, local router ID is 10.250.0.102
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
*> 10.1.1.0/24      10.1.201.2               0             0 65001 i
S1PE2#sh ip bgp vpnv4 all neighbors 10.250.0.55 advertised-routes
BGP table version is 6, local router ID is 10.250.0.102
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 100:2 (default for vrf VRF-A) VRF Router ID 10.250.0.102
*> 10.1.1.0/24      10.1.201.2               0             0 65001 i
Total number of prefixes 1
RR#sh ip bgp vpnv4 all
RR#sh ip bgp vpnv4 all neighbors 10.250.0.101 routes
Total number of prefixes 0
RR#sh ip bgp vpnv4 all neighbors 10.250.0.102 routes
Total number of prefixes 0
Any feedback is appreciated. Thanks.
Regards,
Sergey

VRF and FTP Server

I have a weird problem with VRF and FTP Server. I have a lab setup whereby two VRFs Client1 and Client2 are created. Both the VRFs are in the same subnet. I have configured FTP-Server and TFTP-Server on this router. TFTP-Server works perfectly fine from both the networks. But for FTP-Server, I can login in to the FTP Server and authenticate positively. But when I try to do listing of directory, it gives a error "can't bind data".
The web access to this router also works perfectly fine.
Any idea why FTP fails.
Before configuring vrf, the FTP server did work fine.
Any idea why. here's the config :
interface FastEthernet0/0.371
description Client1
encapsulation dot1Q 371
ip vrf forwarding client1
ip address 10.0.1.1 255.255.255.0
interface FastEthernet0/0.372
description Client2
encapsulation dot1Q 372
ip vrf forwarding client2
ip address 10.0.1.1 255.255.255.0

Ohhhhhhhh!!!
I'm even more convinced its a passive/active problem with the ftp control channel. Did you try the gentleman's suggestion of passive ftp?? What's happening is that from a client on one vrf, you're attempting to terminate the ftp session in a router whom is in the second vrf. The ftp data session isn't vrf-aware from the sound of it, hence my question about what device models and IOS you're using.
But I agree, it's getting complicated enough that sounds like TAC-time. My bet is something isn't vrf-aware to the point that the data is lost. For instance, to ping from one device to another from _within_ a vrf router instance, you have to use the keyword "vrf" like "ping vrf VRF_Name src dest".
In your situation, your source is on one vrf while the destination is _within_ the second vrf, not just simply the IP packet being routed from vrf1-client (like a Windows PC) to vrf2-server (like a Unix ftp server).
I'd be interested in hearing their solution.
-Jeff

Is it possible for Nexus7000 flexible netflow monitor for interfaces with different vrf and export to one netflow analyzer?

I have a Nexus 7000 with many vlan interfaces with multiple vrf, I would like to know if my netflow analyzer only connected to one vrf, can I use flexible netflow on the Nexus 7000 to monitor those vlan interfaces with multiple vrf and export them to my netflow analyzer, so that I can see all flow from different vrfs on my netflow analyzer?
Thank you!

Adriano, there is a RV042G, which supports the gig ports and a 800 mbps nat throughput. Here is the datasheet
http://www.cisco.com/en/US/prod/collateral/routers/ps10907/ps9923/ps12262/data_sheet_c78-706724.html
If you are using a DSL connection, the SRP527/547 models may be an alternative. These models support the RFC 1483 Bridges EOA Please note the SRP547 should be 10/100/1000. Also note the SRP521/541 are Fast Ethernet units and they do differ from the SRP527/547. The main selling point of these devices are the FXS/FXO ports. So this may also be a bit of an "unfocused" solution. But it's worth throwing the idea out there!
Here is the admin guide;
http://www.cisco.com/en/US/docs/voice_ip_comm/unified_communications/srp540_series/administration/srp500_AG_2567701.pdf
Here is the datasheet;
http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps10500/data_sheet_c78-550705.pdf

MP-BGP and MPLS

Hello all,
I've been experimenting recently with MP-BGP and MPLS. I have no issues with how it works and how to implement and have a fully working lab however I am wondering whether there is a solution that exists in order to create a full mesh without on every PE router having to specify the IP address of every other PE router in the VPNv4 configuration. So the ideal scenario would be that i could add another site to my MPLS which will receive all routes from every other site without updating any configuration at any other site.
Thanks

Hi Mathew,
You can choose P1 or P2 as RR and configure a single MP-BGP session from PE devices to RR. Any new PE that you want to include will need configuraion changes on RR and the new PE alone. You dont need to add configuration on other exisitng PEs.
You can also play around with bgp dynamic neighbor to further reduce the configuration. But I ahvent used it myself and not sure if VPNv4 is supported.
-Nagendra

WCCP-2 and MPLS

Hi
This is a question regarding WCCP-2 and MPLS as well.
I have a customer who has Cisco Catalyst 6500 switches and would also like to run MPLS on the Network. MPLS as such is supported only on the Layer-3 modules. The customer has the GIG OSM modules and ATM modules in the switch. The GIG Modules connect to the Internet and the ATM modules connect to various of the branches. The Content Engines are connected to FastEthernet modules on the 6500 which do not support MPLS.
Now to run WCCP-2 redirection, this would be done on the GIG interfaces with the "ip wccp redirect out" command on that interface in addition to the usual commands for WCCP-2. Now what happens is that the input packets received via the branches are all going to be MPLS tagged. Will these packets be redirected to the CE before they are sent off the output GIG interfaces.
Also the customer require to run IP spoofing with WCCP-2. Will the same thing happen in the opposite direction.
Will this work at all.
Thanks

You described the physical connection, but not logical structure.
1. You did not mentioned does the customer have Layer 3 module installed in Catalyst 6500? Catalyst 6500 without RSM (route switch module) can not make desition on the 3d layer.
All modules that you mentioned are 2d layer modules. Usually, when you have RSM, you create virtual interfaces, where you configure the routing or 3d layer information. Of course, you can configure it directly in the physical interface (you need to allow this fuction, by default, physical interfaces are switched ones).
2. Catalyst 6500 - what role it has in MPLS network (CE, PE, something else)?
3. What you mean under "sent to Internet"? Usually the packets to Internet are sent without MPLS tags. MPLS tags are used inside of MPLS backbone. The customer also receie pure IP-packet without any addtional tags.

Frame Relay and MPLS

Hi,
I want to ask about the frame relay and MPLS.
Frame Relay Scenerio
The frames reached at the frame relay network and forwarded on the basis of DLCI. All the VCs are defined prior to the traffic on the network on the basis of DLCI (This is just like the MPLS network as packets are forwarded on the basis of Labels).
Now my Question is How can MPLS is used in frame relay network or what are its affects in the presence of DLCI (As DLCIs are also performing the same task and also works on layer 2) or these two are different equivalent technologies ?

Hi Muhammad,
The answer is : MPLS is working on FR like it's working on ethernet. Because the FR and Ethernet are running on Layer2. It's told that MPLS is working at layer 2.5 , meaning that is between Layer 3 , and Layer 2. So in order to work it needs a layer2 forwarding in your case FR's DLCI. On top of the Layer 2 it is the MPLS header.
Dan

MTU over DMVPN and MPLS

Hello All,
I have a query regarding MTU over both DMVPN and MPLS.
I have been running the following command from a windows box
ping x.x.x.x -f -l yyy (yyyy being the buffer size) and x.x.x.x being my remote hosts
I am using the same destination host and have two different paths to it. One over MPLS and one over a DMVPN.
I would have expected to be able to send packets with a higher MTU over the MPLS but for both MPLS and DMVPN the maximum packet size I can send with the DF bit set is the same (1372).
Is this normal behaviour? I though MPLS would have less overhead, so my maximum packet size would be higher in my tests

Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
Generally, MPLS supports an increased MTU, when adding MPLS labels, while VPN tunnels, like DMVPN, don't exceed original MTU, and so, it reduces payload space. So, normally, you should see larger ping buffer DF support across MPLS than DMVPN. However, "normal" can be very much impacted by actual device configurations, including making MTU for DF packets the same for either MPLS or DMVPN. (For example, you might want to make the two paths alike so flows that for any reason need to be redirect from one media path to the other see a consistent MTU.)

VRF and DHCP issue

VRF and DHCP issue
We have a 6500 ( 12.2 (33) SXH5 ) that has a VRF running for our guest network. On this 6500 resides the DHCP pool with a range defined for our guest network. We have a stack of 3750's (12.2 (46) SE) connected to the 6500 with a L3 connection. The 3750's have a local guest VLAN with its gateway defined in a VLAN interface. This VLAN on the 3750 has an IP helper address pointing to an IP within the VRF on the 6500. When debugging DHCP on the 6500, a request is received and sent back out. The client never receives this request.
If a static IP is applied, the client is able to communicate anywhere within the VRF successfully (including pinging the IP within the helper-address. As many posts have pointed out - there is no VRF <name> under the ip dhcp pool <name> within the 6500. I am just wondering if anyone else has run into this and what their solution was.
Thanks.

Hi,
I have tested the dhcp server and vrf on Cisco 3640 and it is working without VRF under the ip dhcp pool. Please ensure that you have configured routing for the dhcp-relay agent(VLAN facing dhcp client on 3750 in your case).

Layer 3 to the Access Layer and MPLS Design Considerations

Hi,
We are about to install a new network consisting of Cat 4500s with Sup7E at the Access Layer, with Nexus 7000 at the Distribution and Core layers.
We have 14 floors with at least three 4500s on each floor. Within the office block where the Access Layer and Distribution Layer reside we need to support secure borderless networking using 802.1x to place users from different parts of the business into segregated networks at layer 3.
All switches will have the feature sets to support MPLS/ VRF / OSPF / EIGRP / BGP etc.
We quickly dismissed the idea of using VRF-Lite due to the sheer number of Vlans we would need to managage and maintain, the point to point links alone just to get one additional VRF on each floor required far too many Vlans.
As a result we are now considering deploying MPLS. The obvious benefits include scalability and manageability, the fact that all switch to switch links can now be routed, instead of having to using SVIs.
My query is one of design surrounding MPLS and how this maps to an enterprise network with a routed access layer. Do Cat 4500s become the CEs and take part in MPLS / BGP and Label Distribution, or does the BGP peering and Label Distribution only occur between the Distrubtion - Core - Distrubtion layers, mapping to the PE - P - PE topology in an ISP environment, the access layer simply uses the IGP (OSPF in this case) to learn routes ?
Any help would be greatly appreciated.
Chris.

Hi Andy,
Thanks for your response.
I have been doing a little bit more research it seems the Cat 4500s do not support MPLS!! Nor do Cisco have any plans to support it on this platform. I find this a little rediculous considering the level that Cisco are pitching this platform. With the Sup 7E only VRF Lite is supported, with plans to support EVN (which still uses trunk links for logical separation).
So it looks like we are going to have to go back to the drawing board.
(perhaps we should have gone HP or Juniper!)
Chris.

GRE with VRF on MPLS/VPN

Hi.
Backbone network is running MPLS/VPN.
I have one VRF (VRF-A) for client VPN network.
One requirement is to configure another VRF (VRF-B) for this client for a separate public VRF connection.
Sub-interfacing not allowed on CE-to-PE due to access provider limitation.
So GRE is our option.
CE config:
Note: CE is running on global. VRF-A is configured at PE.
But will add VRF-B here for the requirement.
interface Tunnel0
ip vrf forwarding VRF-B
ip address 10.12.25.22 255.255.255.252
tunnel source GigabitEthernet0/1
tunnel destination 10.12.0.133
PE1 config:
interface Tunnel0
ip vrf forwarding VRF-B
ip address 10.12.25.21 255.255.255.252
tunnel source Loopback133
tunnel destination 10.12.26.54
tunnel vrf VRF-A
Tunnel works and can ping point-to-point IP address.
CE LAN IP for VRF-B is configured as static route at PE1
PE1:
ip route vrf VRF-B 192.168.96.0 255.255.255.0 Tunnel0 10.12.25.22
But from PE2 which is directly connected to PE1 (MPLS/LDP running), connectivity doesnt works.
From PE2:
- I can ping tunnel0 interface of PE1
- I cant ping tunnel0 interface of CE
Routing is all good and present in the routing table.
From CE:
- I can ping any VRF-B loopback interface of PE1
- But not VRF-B loopback interfaces PE2 (even if routing is all good)
PE1/PE2 are 7600 SRC3/SRD6.
Any problem with 7600 on this?
Need comments/suggestions.

Hi Allan,
what is running between PE1 and PE2 ( what I mean is any routing protocol).
If No, then PE2 has no ways of knowing GRE tunnel IP prefixes and hence I suppose those will not be in its CEF table...
If Yes, then check are those Prefixes available in LDP table...
Regards,
Smitesh

Filtering methods inside a VRF in MPLS VPN

Hi,
we have a network with MPLS VPN and several VRFs involved.
Inside a certain VRF I need to avoid that two particular networks can talk to each other.
Can you give me a hint of what can be a solution to implement this ?
Thanks
Regards
Marco

Hi Marco,
To prevent connectivity between two networks where a MPLS VPN is involved you can apply the same methods as in a "normal" router network. Just think of the complete MPLS VPN (PE to PE) as being one big "router simulator".
You could either implement ACLs on the interfaces connecting to the PE or filter routing updates between sites - depending on your topology. When filtering routing updates seems the way to go, you should also have a look into selective import or export. With the help of a route-map one can selectively insert single networks into a VPN by selectively attaching route-targets to BGP updates.
Regards, Martin

VRF and MPLS

Similar Messages

Maybe you are looking for