VRF-Lite CE configuration

Hello. I was wondering if it's possible to have a CE router send routes between customer routers in the same VLAN? I have a situation where I have a customer with two routers that hook up to my CE switch. I'm receiving routes from both customer routers in the VRF I've set up. But the customer routers aren't seeing routes learned from the CE switch.
Any help would be greatly appreciated.

Hi Paresh.
Here's the config from the CE router...
ip vrf vrf_168
rd 192.168.53.2:1
interface Vlan167
ip vrf forwarding vrf_168
ip address 192.168.53.35 255.255.255.224
no ip redirects
no ip unreachables
ip ospf authentication
ip ospf authentication-key xxxx
ip ospf priority 230
interface Vlan168
ip vrf forwarding vrf_168
ip address 192.168.53.2 255.255.255.224
ip access-group acl_premiumdsl_filter in
no ip redirects
no ip unreachables
ip ospf authentication
ip ospf authentication-key 7 095C5C0C1401041E5A
ip ospf network point-to-multipoint
ip ospf priority 250
router ospf 3 vrf vrf_168
router-id 192.168.53.2
log-adjacency-changes
capability vrf-lite
area 0 authentication
network 192.168.53.0 0.0.0.255 area 0
I have one router connected off interface vlan 168 and one router off vlan 167. If I do a show ip route vrf vrf_168 I see the routes from both routers.
But if I go to either of these spoke routers and do a show ip ospf database 192.168.53.2 I don't see any of the external routes that I should be seeing...I only see the connected routes in the vrf.
Mike

Similar Messages

  • Could MPLS L3 VPN forward packet which CE configure VRF Lite?

    Or does anyone have a lab for my test? Please share.
    Diagram:
    vrf lite - mplsl3 vpn - vrf lite
    Will it require any change to the MPLS L3VPN configuration?
    Thank you very much.

    I tested a lab following this document and it works. I tested with static routes and OSPF and it works. Now I'm testing with BGP routes. I found the PE doesn't send the BGP routes from the other sites to the CE. What should I do?
    Topology:
    BGP vrf lite (vrf v11) CE1 - BGP - MPLS L3VPN (vrf v1) PE1 - PE2 (vrf v1) MPLS L3VPN - BGP - CE2 (vrf v11) vrf lite BGP
    PE1#sho ip rou vrf v1
    Gateway of last resort is not set
    B    10.0.252.1/32 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d22h
    B    10.0.252.2/32 [200/0] via 10.0.0.14 (nexthop in vrf default), 1d22h
    L    10.0.252.3/32 is directly connected, 1d22h, Loopback101
    B    38.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    B    39.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 05:13:07
    B    40.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 1d04h
    C    41.0.0.0/24 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    L    41.0.0.3/32 is directly connected, 1d22h, GigabitEthernet0/0/1/2.14
    B    208.0.0.0/24 [200/0] via 10.0.0.11 (nexthop in vrf default), 00:06:55
    B    209.0.0.0/24 [200/0] via 10.0.0.14 (nexthop in vrf default), 00:08:14
    B    210.0.0.0/24 [20/0] via 41.0.0.8, 00:11:17
    CE1#sho ip bgp vpnv4 vrf v11
    BGP table version is 23, local router ID is 172.16.30.5
       Network          Next Hop            Metric LocPrf Weight Path
    Route Distinguisher: 800:1 (default for vrf v11)
    *> 10.0.252.1/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.2/32    41.0.0.3                               0 18252 ?
    *> 10.0.252.3/32    41.0.0.3                 0             0 18252 ?
    *> 38.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 39.0.0.0/24      41.0.0.3                               0 18252 ?
    *> 40.0.0.0/24      41.0.0.3                               0 18252 ?
    r> 41.0.0.0/24      41.0.0.3                 0             0 18252 ?
    *> 210.0.0.0        0.0.0.0                  0         32768 i
    CE1#

  • VRF Lite running in the enterprise network

    Hello everybody
    Although VRF lite (or Multi-VRF) seems to be a Service Provider technology, does it make sense to use it in an Enterprise Network to isolate networks from others?
    I can't find any design paper which describes whether this would make sense.
    What do you think? Is someone using it? Does Cisco recommend it?

    Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
    In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
    Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
    Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
    What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
    Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
    And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 clients' networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
    In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
    See the following URLs for a good start:
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
    http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
    As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
    Good luck!

  • Dial-In access to VRF Lite (MPLS VPN)

    Hi,
    I'm trying to implement a solution that gives the opportunity to dial in to a specific customer's VPN (VRF Lite).
    Configuration of the NAS is done using the cisco.com guide and seems OK. The NAS is using RADIUS to authenticate users, and if authenticated, RADIUS sends the specific user's virtual-profile configuration to the NAS. So far everything seems OK. I can dial in, successfully authenticate against RADIUS and download the virtual-profile configuration (DEBUG is pasted below).
    BUT, even though there is a command "virtual-profile aaa", and RADIUS sends all the info, the Virtual-Access interface isn't created or it is created without any configuration.
    Maybe this is happening because I'm using dialer-profile? Some Cisco documentation says that if there are dialer-profiles configured, the virtual-profile configuration can't be downloaded from AAA?
    Here is debug, You can see RADIUS to NAS communication:
    Aug 24 07:59:59: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to up
    Aug 24 08:00:00: RADIUS(000000A1): Storing nasport 20026 in rad_db
    Aug 24 08:00:00: RADIUS(000000A1): Config NAS IP: 0.0.0.0
    Aug 24 08:00:00: RADIUS/ENCODE(000000A1): acct_session_id: 247
    Aug 24 08:00:00: RADIUS(000000A1): sending
    Aug 24 08:00:00: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS(000000A1): Send Access-Request to xxx.xxx.xxx.xxx:1645 id 21646/40, len 113
    Aug 24 08:00:00: RADIUS: authenticator C9 98 61 51 0F FF 0F C8 - FA A2 3E C1 5E 80 13 0E
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: User-Name [1] 6 "vrft"
    Aug 24 08:00:00: RADIUS: CHAP-Password [3] 19 *
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 20
    Aug 24 08:00:00: RADIUS: cisco-nas-port [2] 14 "Serial2/0:26"
    Aug 24 08:00:00: RADIUS: NAS-Port [5] 6 20026
    Aug 24 08:00:00: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
    Aug 24 08:00:00: RADIUS: Calling-Station-Id [31] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Called-Station-Id [30] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS: Received from id 21646/40 xxx.xxx.xxx.xxx:1645, Access-Accept, len 277
    Aug 24 08:00:00: RADIUS: authenticator 8D E7 52 2A 4B 72 88 9E - B8 85 38 CF 70 4A B7 79
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: Framed-IP-Address [8] 6 10.10.8.5
    Aug 24 08:00:00: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
    Aug 24 08:00:00: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 54
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 48 "lcp:interface-config#1= ip vrf forwarding test"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 68
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 62 "lcp:interface-config#2= ip address 10.10.8.1 255.255.255.240"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 50
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 44 "lcp:interface-config#3= description horray"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 49
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 43 "lcp:interface-config#4= encapsulation ppp"
    Aug 24 08:00:00: RADIUS: Framed-Routing [10] 6 0
    Aug 24 08:00:00: RADIUS(000000A1): Received from id 21646/40
    Aug 24 08:00:00: %ISDN-6-CONNECT: Interface Serial2/0:26 is now connected to xxxxxxx vrft
    Aug 24 08:00:00: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to down
    Please let me know if any other information is required.

    Besides, as I see, virtual-access interface's description is as configured on RADIUS, but all other configuration is from virtual-template. Why? Even if there are no overlapping configuration strings in Vtemplate and on AAA (like ip address etc), configuration string received from RADIUS isn't getting added to virtual-access interface configuration.

  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    --> Config Begins <---
    aaa new-model
    aaa group server radius radius-auth
    server x.x.4.23 auth-port 1645 acct-port 1646
    server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okay for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
    server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
    ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group RADIUS-VRF-X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • Extending VRF-lite to 6500??

    Hello,
    I have a simple scenario, where there is a 6500 connected to a router (ISP end), which we have planned to implement vrf-lite on. There are basically 2 VLANs on the LAN, one production and one guest. We need to isolate the routing table instances between the production and guest. We have planned to configure a trunk between the 6500 and the PE router at the ISP end. The 6500 acts as a CE here.
    Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. I will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production vlan on the LAN also. I know we will require to configure VRF, RD, BGP etc. on the PE router and do an "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end vlans? Does anyone have any sample configs or links to which I can refer?
    Raj

    Well,
    first a sample config (not from a 6500, but you should be able to get the idea):
    ip vrf Cust1
    rd 65000:1
    ip vrf Cust2
    rd 65000:2
    interface FastEthernet0/0.100
    encapsulation dot1Q 100
    ip vrf forwarding Cust1
    ip address 10.1.1.1 255.255.255.252
    interface FastEthernet0/0.200
    encapsulation dot1Q 200
    ip vrf forwarding Cust1
    ip address 10.1.2.1 255.255.255.252
    interface FastEthernet0/0.300
    encapsulation dot1Q 300
    ip vrf forwarding Cust2
    ip address 10.20.1.1 255.255.255.252
    interface FastEthernet0/0.333
    encapsulation dot1Q 333
    ip vrf forwarding Cust2
    ip address 10.1.1.1 255.255.255.252
    !On a 6500 you could also have:
    interface vlan 400
    ip vrf forwarding Cust2
    ip address 10.1.123.1 255.255.255.252
    router rip
    address-family ipv4 vrf Cust1
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    address-family ipv4 vrf Cust2
    version 2
    network 10.0.0.0
    no auto-summary
    exit-address-family
    The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.
    In the data plane traffic is sorted by layer2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If, for example, an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine whether it belongs to Cust1 or Cust2. The same differentiation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core are used.
    So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.
    The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.
    Instead of the FastEthernet also VLAN interfaces can be used. The number of interfaces per VRF or the number of VRFs are limited by memory.
    Hope this helps! Please use the rating system.
    Regards, Martin
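To make Martin's data-plane point concrete (the VLAN tag selects the VRF, and only then is the destination looked up in that VRF's own table, so 10.1.1.1 can exist in both Cust1 and Cust2), here is a small simulation. This is an added example, not code from the post or from Cisco; the VLAN-to-VRF map and the connected routes are constructed from the sample config above, and the interface names are assumed.

```python
"""Per-VRF forwarding demo: VLAN tag -> VRF, then longest-prefix match inside
that VRF only.  Added example; tag->VRF map and routes are constructed from
Martin's sample config (subinterface names assumed)."""
import ipaddress
from dataclasses import dataclass, field

# VLAN tag -> VRF binding, taken from the dot1Q subinterfaces in the sample.
# Assumed: these are the only subinterfaces on the CE.
VLAN_TO_VRF = {100: "Cust1", 200: "Cust1", 300: "Cust2", 333: "Cust2"}


@dataclass
class Vrf:
    name: str
    routes: list = field(default_factory=list)  # (network, out_interface)

    def add_connected(self, cidr, ifname):
        # strict=False lets us pass the interface address itself, as in the config
        self.routes.append((ipaddress.ip_network(cidr, strict=False), ifname))

    def lookup(self, dst):
        """Longest-prefix match within this VRF only; returns (network, ifname) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, ifname in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifname)
        return best


def build_vrfs():
    """Two routing contexts with deliberately overlapping address space."""
    cust1 = Vrf("Cust1")
    cust1.add_connected("10.1.1.1/30", "Fa0/0.100")
    cust1.add_connected("10.1.2.1/30", "Fa0/0.200")
    cust2 = Vrf("Cust2")
    cust2.add_connected("10.20.1.1/30", "Fa0/0.300")
    cust2.add_connected("10.1.1.1/30", "Fa0/0.333")  # same subnet as Cust1, on purpose
    return {"Cust1": cust1, "Cust2": cust2}


def forward(vrfs, vlan_tag, dst):
    """Return (vrf_name, out_interface) for a frame tagged vlan_tag carrying dst.
    A VRF with no matching route yields (vrf_name, None): there is no fallback
    to the other VRF or to the global table, which is the isolation property."""
    vrf_name = VLAN_TO_VRF.get(vlan_tag)
    if vrf_name is None:
        return (None, None)  # unknown tag: no VRF context, nothing to forward
    hit = vrfs[vrf_name].lookup(dst)
    return (vrf_name, hit[1] if hit else None)


if __name__ == "__main__":
    vrfs = build_vrfs()
    for tag, dst in [(100, "10.1.1.2"), (333, "10.1.1.2"), (100, "10.20.1.2")]:
        print(tag, dst, "->", forward(vrfs, tag, dst))
```

The same destination address reaches a different customer depending only on the tag, and a Cust1 frame destined for Cust2's 10.20.1.0/30 gets no route at all rather than leaking across.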

  • Vrf-lite (extranet solution)

    Hi,
    I have a requirement for an extranet solution (ASP model) where many customers will be connected to a central site. The spoke sites do not talk to each other, not even through the central site. One option is to use 1 VRF at the central site and import routes from all other spoke sites (different RD and RT at the spoke sites). This has been ruled out. So now my other alternative is to use multiple VRFs on a single access link (ethernet in this case) between the CE and PE. I was thinking of using vrf-lite at the central site, but there are a few concepts I am not clear about.
    1) Can I get away without using vrf-lite on the central site? The PE configures an individual VRF for each .1q interface, but the CE just uses .1q without any VRF. For a start I am going to have only two/three sites, so I can either map the subinterface to a separate LAN port or I could do .1q on a single LAN int and map it to the WAN subinterface. Maybe this is not the best solution, but I do not want to go for an unnecessary solution.
    2) what are the advantages and disadvantages of using vrf-lite vs no vrf (if it is possible) in this scenario.
    Attached is a diagram.
    thanks,
    Arana

    Jon,
    I am back with some reading on vrf lite. I am pasting a sample configure that I picked up from another post. I noticed that there is no 'network' statement or 'redistribute static'. My questions:
    1) If I am running BGP with the PE, what is the normal practice to advertise my routes per VRF?
    2) In the LAN do I run separate OSPF or EIGRP instances per VRF (per subinterface)? what is the best way?
    3) If I have static route to other LAN routers then I will be using 'redistribute static' right? Do I have to be specific about which static route I should redistribute to that vrf. If not how does the router know which static route to redistribute to which vrf.
    I have attached a diagram. The below sample does not map to my diagram.
    frame-relay switching
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.1 point-to-point
    ip vrf forwarding A
    ip address x.x.x.x x.x.x.x
    frame-relay interface-dlci 100
    interface serial0/0/0
    encapsulation frame-relay
    interface serial0/0/0.2 point-to-point
    ip vrf forwarding B
    ip address y.y.y.y y.y.y.y
    frame-relay interface-dlci 101
    And So on for further interfaces.
    router bgp 1
    no synchronization
    bgp log-neighbor-changes
    no auto-summary
    address-family ipv4 vrf A
    neighbor x.x.x.x remote-as x
    no synchronization
    exit-address-family
    address-family ipv4 vrf B
    neighbor y.y.y.y remote-as y
    no synchronization
    exit-address-family
    Vikram,
    As long as we all can share/learn/solve problems, it is perfectly fine. I don't think I qualify to give you any advice but here is what I have found in another post that might be of interest to you.
    In your post you mentioned that you do not think you can run MP-BGP between the two switches through the FW. In another post I had got an indication that you can run LDP between two PEs using a GRE tunnel. In your scenario you are going through a FW and in that particular post the PEs are separated by a third service provider. So if you are open to explore, this might be a solution for you.
    Hope this piece of information helps.
    thanks,
    Arana

  • VRF-Lite on one 6509; How to route traffic from global to VRF.

    To anyone that can lead me in the right direction:
    I have a 6509 switch with IOS "s3223-adventerprise_wan-mz.122-33.SXJ2.bin" on it. I am running VRF-lite on it and would like to route some subnets from the global route table to the VRF route table. How can I do this and stay on the same physical switch? I am using EIGRP for the global network and route table and static routing within the VRF. Any suggestions or recommendations? Thanks in advance for your help in this matter...

    Hello,
    You need to use (Static route) in both directions: one static in the VRF table points to the Global interface, and another one in the Global points to the VRF interface for the received traffic. After that, you can redistribute the Global static route into EIGRP for end-to-end connectivity!
    Example:
    Consider you have 2 interfaces in your Core SW-6509: One is G0/1 and the other is G0/2
    G0/1 is placed into the Global table , and G0/2 is part of VRF (X)
    interface G0/1
    IP address 1.1.1.1 255.255.255.0
    interface G0/2
    ip vrf forwarding X
    ip address 2.2.2.2 255.255.255.0
    Consider Subnet Y.Y.Y.Y in the Global and you want to have it accessible from the VRF!
    Configure this: (ip route vrf X y.y.y.y y.y.y.y G0/1 global)
    Configure also this for the return traffic from the Global table: (ip route 2.2.2.2 z.z.z.z G0/2)
    You can then redistribute the Global static into EIGRP as below:
    router eigrp 1
    no auto-summary
    redistribute static metric 1 1 1 1 1
    HTH
    Mohamed
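Mohamed's answer shows that the only way to cross a VRF boundary on a VRF-lite box is an explicit static route (with the "global" keyword, or pointing at an interface that lives in another VRF), and the AAA thread above shows that a RADIUS server group used from a VRF needs "ip vrf forwarding" with "server-private" entries. Both are things worth checking in a running config. The following audit script is an added example, not code from any poster or from Cisco: it assumes a standard indented "show running-config" layout (children indented by one space), and the embedded sample config is constructed from the snippets in both threads with placeholder addresses and key.

```python
"""Audit an IOS-style config for paths that cross VRF boundaries.
Added example, not a poster's code.  Assumes the indented layout of
'show running-config'; SAMPLE_CONFIG is constructed from the threads above
(addresses and the RADIUS key are placeholders)."""
import re

SAMPLE_CONFIG = """\
ip vrf X
 rd 65001:10
aaa group server radius RADIUS-VRF-X
 server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 PLACEHOLDER
 ip vrf forwarding X
aaa group server radius radius-auth
 server 10.0.4.23 auth-port 1645 acct-port 1646
 ip vrf forwarding X
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
interface GigabitEthernet0/2
 ip vrf forwarding X
 ip address 2.2.2.2 255.255.255.0
ip route vrf X 10.50.0.0 255.255.0.0 GigabitEthernet0/1 global
ip route 2.2.2.0 255.255.255.0 GigabitEthernet0/2
ip route 172.16.0.0 255.255.0.0 GigabitEthernet0/1
"""


def parse_blocks(text):
    """Return [(top_level_line, [child lines])] in file order, skipping '!' lines."""
    blocks, header, children = [], None, []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            if header is not None:
                blocks.append((header, children))
            header, children = raw.strip(), []
        else:
            children.append(raw.strip())
    if header is not None:
        blocks.append((header, children))
    return blocks


def interface_vrfs(blocks):
    """Map interface name -> VRF name, or 'global' when no 'ip vrf forwarding'."""
    vrf_of = {}
    for header, children in blocks:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            vrf_of[name] = "global"
            for c in children:
                m = re.match(r"ip vrf forwarding (\S+)", c)
                if m:
                    vrf_of[name] = m.group(1)
    return vrf_of


# ip route [vrf V] <prefix> <mask> <next-hop or interface> [global]
STATIC_RE = re.compile(r"ip route(?: vrf (\S+))? (\S+) (\S+) (\S+)(?: (global))?")


def find_vrf_leaks(text):
    """List (route_line, route_vrf, target_vrf) for static routes whose next hop
    is resolved in a different routing table than the one the route lives in."""
    blocks = parse_blocks(text)
    vrf_of = interface_vrfs(blocks)
    leaks = []
    for header, _ in blocks:
        m = STATIC_RE.match(header)
        if not m:
            continue
        route_vrf = m.group(1) or "global"
        nexthop = m.group(4)
        # 'global' forces the next hop into the global table; otherwise an
        # interface next hop lands in whatever VRF that interface belongs to.
        # A plain IP next hop (not in vrf_of) stays in the route's own table.
        target_vrf = "global" if m.group(5) else vrf_of.get(nexthop, route_vrf)
        if target_vrf != route_vrf:
            leaks.append((header, route_vrf, target_vrf))
    return leaks


def find_radius_groups_without_private(text):
    """Names of RADIUS server groups bound to a VRF that still use plain 'server'
    lines (which refer to global 'radius-server host' entries) instead of
    'server-private', the form the per-VRF AAA answer above relies on."""
    flagged = []
    for header, children in parse_blocks(text):
        if not header.startswith("aaa group server radius "):
            continue
        bound = any(c.startswith("ip vrf forwarding ") for c in children)
        plain = any(c.startswith("server ") for c in children)
        if bound and plain:
            flagged.append(header.split()[-1])
    return flagged


if __name__ == "__main__":
    for line, src, dst in find_vrf_leaks(SAMPLE_CONFIG):
        print(f"LEAK {src} -> {dst}: {line}")
    for group in find_radius_groups_without_private(SAMPLE_CONFIG):
        print(f"RADIUS group '{group}' is VRF-bound but uses 'server' not 'server-private'")
```

Run against a real config export, each reported leak is one of the deliberate cross-table routes Mohamed describes; anything unexpected in that list is a routing path that the VRF design did not intend, which is exactly what the "no command connects two VRFs" argument in the enterprise thread above relies on.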

  • PBR / VRF-lite / 6500 SUP720-10G-3C

    Hello.
    I have to make a config with PBR in a VRF, PBR tied to an IP SLA sensor also ran into the same VRF, is there any restriction regarding this on this supervisor ?

    It is supported
    BTW, your IOS is at least 7 years old.
    VRF-Lite Aware PBR
    Cisco IOS Software Release 12.2(33)SXH1 also introduces the VRF-Lite Aware Policy Based Routing (PBR) feature, which provides the ability to configure PBR on a VPN routing/forwarding instance. This feature allows users to configure VRF on an ingress interface (VRF-Lite) and apply PBR using the Cisco Express Forwarding table for that VRF. VRF-Lite Aware PBR is supported on all Cisco Catalyst 6500 Series Supervisor Engine 720, Cisco Catalyst 6500 Supervisor Engine 32, and ME-6524 products.
    link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_bulletin_cisco_catalyst_6500_virtual_switching_system_1440.html
    HTH

  • CSM VRF Lite OSPF and IPSEC/GRE

    We have a pretty complex VPN configuration. It's a site-to-site VRF-Lite GRE/IPSEC VPN that would be considered point-to-point; each router is connected to two peers in a ring.
    CSM complains about discovering this VPN configuration due to the VRF and the fact that OSPF with multiple OSPF processes is not supported.
    My question is, can we still monitor the tunnels. We'd like to monitor the tunnels, but that seems impossible unless we can get CSM to see the tunnels which it currently is not.

    VRF Lite and MPLS-VPN act independently, so they can work independently. And there is no specific need for mapping. If a link is in VRF A on the PE, you can make it part of VRF A on the CE as well. Both VRFs are independent of each other.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
    This document is for the 4500 but the logic holds the same.

  • Howto control/filter traffic between VRF-(lite) using route leaking?

    Hi,
    does anybody know how I can control/filter the traffic between two VRFs when I use route leaking or also normal route target export/import connections, maybe with an ACL, in the following scenarios?
    Scenario 1:
    I use a normal MPLS network with several PE routers (maybe ASR series) which connect to the CE routers via OSPF. Two VPNs are configured on the PE routers and I want one of the PE routers to allow/route traffic between these VPNs, but only traffic on TCP port 80 and no other ports. I'm only aware of binding ACLs to logical or physical interfaces but I don't know how to do this here.
    Scenario 2:
    Same as scenario 1, but the PE router will not connect the VPNs; instead a separate router-on-a-stick (e.g. 4900M) which is connected to one of the PE routers should do this job with vrf-lite and route leaking (address-family ipv4 vrf ...). Here too I want to allow only TCP port 80 between the VPNs.
    Kind Regards,
    Thorsten

    Thanks.
    That's what I was assuming. In my experience this solution does not scale with an increasing number of VPNs and inter-VPN traffic via route target.
    Is it correct that there is only one common acl per vpn where all rules for the communication to all other vpns are configured? Doesn't this acl become too complex and too error-prone to administrate in a real network environment? Further on in my understanding this acl has to be configured per vpn on all pe routers which have interfaces to ce routers for that vpn.
    Does cisco offer software for managing this?

  • VRF-Lite with 6500 w/ Sup720

    I am working with a customer who would like to utilize path isolation in their network using VRF-Lite. I am currently debating between the use of GRE tunnels vs. VLANs between 3 core switches they currently have in place today. This is going to be overlay network on top of what they currently have. The core is all L2 today with 802.1q trunks between each of 3 cores in a ring topology. Closets are single homed into the core throughout.
    My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 separate network types they would like to isolate. The Access layer switches will trunk to the cores where the core will apply VRFs to specific VLANs based on their role.
    Which is going to be a more scalable solution from a performance and administration standpoint: GRE, VLANs, or MPLS?
    Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs Multipoint for routing inside the VRF).
    Any thoughts on which way to proceed? From what i have read GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned with loopbacks,tunnels, and then routing on top of that the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks which should simplify the solution.
    Can we use MPLS here and just do PE to PE MPLS and still get the VRF segmentation we need between cores?
    I would like to eventually migrate the entire core to L3 completely but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
    What's the best approach here?

    Shine,
    I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
    Here is the high level overview
    1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
    2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
    3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
    4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
    5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
    6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
    7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
    8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
    9. Each of the Cores had a trunk to a 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
    10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue mult-vlan mode on the FWSM to get it to work.
    11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple host VLANs here - Guest and Private so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
    12. For Layer 3 NAC we just used an out of band CAM configuration with ACLs on the Unauthorized VLAN
    It worked like a charm.
    If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the multiple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinitely. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tag switched traffic only? Is your campus and link make up significant enough to benefit from such a flexible design?

  • Vrf-Lite with MPLS requires a PE at the customer side?

    Folks,
    Looking at a Cisco doc, which gives a sample configuration of VRF lite with MPLS (multiple customers in the same building using the same MPLS cloud). My question is, how is it done in the real world? Does the provider place a PE at the customer site? Because the connection between the CE and PE has to be a link that can carry dot1Q (ethernet or fast ethernet); at least the example shows that.
    Any real world experience would be highly appreciated.
    Thanks,

    Hi,
    the customer needs no PE router installed at his site.
    You can use vrf-lite (aka multi-vrf) even on a Cisco router, which does not support MPLS at all. On the CE each dot1Q subinterface can be placed in a vrf. All you need is a routing process started within the vrf being adjacent to the PE.
    Example CE:
    ip vrf CE-VRF1
    rd 65000:1
    interface FastEthernet0.100
    encapsulation dot1Q 100
    ip vrf forwarding CE-VRF1
    ip address 10.1.1.1 255.255.255.0
    router ospf 100 vrf CE-VRF1
    network 10.1.1.1 0.0.0.0 area 1
    The PE would have MBGP and different RDs and RTs defined, whatever is needed to set up VRFs in the provider network. In fact PE and CE each do not know about each other's VRF configs at all.
    VRFs on the CE define a separate IP routing context (control plane). The separation on the data plane is done via dot1Q headers (frame-relay, ATM PVC etc. would do as well) on the link between CE and PE. In an MPLS network data plane separation is done via labels.
    Hope this helps
    Martin

  • Does IOS XR support vrf lite?

    Am researching PE-CE configuration for a multiservice CE, using eBGP as the protocol. The XR fundamentals book describes this, but does not give an example of the CE configuration.
    I want to configure several sub-interfaces and allocate them to different VRFs, running vrf lite on the CE. The sub-interface bit works fine. I cannot find which document describes vrf lite configuration; am using XR 4.3.0.
    does anyone have an example of how to set up an IOS XR ce with vrf lite they could share, using ebgp as the routing protocol?

    ok, I see that bit. So I set this up with sub-interfaces, assign each to a vrf. Works great!
    How do I configure eBGP to act as the PE-CE routing protocol? It is that bit that I cannot get to work. I configured BGP, defined the VRFs under the BGP process, and then defined the neighbors under the BGP/VRF settings. The eBGP peerings all established, but no prefixes were received. And yes, I had an inbound/outbound route policy configured.
    Will have another look later today at this, but any suggestions gratefully received.

  • IP VRF-Lite

    Hi,
    we had a network with Cat4500 SupV as Core and Cat3750/Cat3750G (not metro!) as Distribution platform.
    I'm finding out if using VRF Lite is possible to separate two entities that use the same physical network and span the whole net, to have one, max. two, contact points between these entities...to implement security policy.
    Should this work with the platform we had, or to implement a VRF network should we have had Cat6500?
    If this does not work, the only solution available is to use RACLs at each Distribution node where there are both entities, to separate the traffic.
    thanks for any help

    Hello,
    yes what you want to do is possible.
    You will need the "multi-VRF aka VRF lite" where IP routing is performed. So in case the Cat3750 are pure Layer2 switches the VRFs are not needed there.
    Think of a VRF as a sort of virtual router to which certain VLAN/ethernet interfaces are attached.
    To separate two entities you would create two VRFs in the Catalyst 4500 according to "Configuring VRF-lite"
    http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d03c.html#wp1062144
    and also in the Catalyst 3750 along the description in "Configuring Multi-VRF CE"
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00804764c7.html#wp1320198
    Note that there has been a name change from VRF-lite to Multi-VRF. This is however exactly the same feature - afaik marketing wanted the change because it sounds better.
    Did this help? Then please rate the post.
    Martin
