Vrf-Lite with MPLS requires a PE at the customer side?

Folks,
Looking at a Cisco doc, which gives a sample configuration of VRF lite with MPLS (multiple customers in the same building using the same MPLS cloud). My question is: how is it done in the real world? Does the provider place a PE at the customer site? Because the connection between the CE and PE has to be a link that can carry dot1Q (Ethernet or Fast Ethernet); at least the example shows that.
Any real world experience would be highly appreciated.
Thanks,

Hi,
the customer needs no PE router installed at his site.
You can use vrf-lite (aka multi-vrf) even on a Cisco router, which does not support MPLS at all. On the CE each dot1Q subinterface can be placed in a vrf. All you need is a routing process started within the vrf being adjacent to the PE.
Example CE:
ip vrf CE-VRF1
 rd 65000:1
interface FastEthernet0.100
 encapsulation dot1Q 100
 ip vrf forwarding CE-VRF1
 ip address 10.1.1.1 255.255.255.0
router ospf 100 vrf CE-VRF1
 network 10.1.1.1 0.0.0.0 area 1
The PE would have MBGP and different RD and RTs defined, whatever is needed to set up VRFs in the provider network. In fact, PE and CE each do not know about each other's VRF configs at all.
VRFs on the CE define a separate IP routing context (control plane). The separation on the data plane is done via dot1Q headers (frame-relay, ATM PVC etc. would do as well) on the link between CE and PE. In an MPLS network data plane separation is done via labels.
Hope this helps
Martin
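
An added example, not part of the original post or of Cisco's documentation: a small Python audit of a CE configuration laid out as in the answer above. It flags dot1Q subinterfaces left in the global routing table, an `ip address` entered before `ip vrf forwarding` (IOS removes the address when the VRF is applied), and VRFs with no routing process toward the PE. The sample configuration, the finding codes, and the function names are constructed for illustration.

```python
import re

# Constructed sample CE configuration (not from the post). VLAN 100 follows the
# posted pattern; VLAN 200 has no VRF; VLAN 300 sets the address before the VRF.
SAMPLE_CE_CONFIG = """\
ip vrf CE-VRF1
 rd 65000:1
ip vrf CE-VRF2
 rd 65000:2
interface FastEthernet0.100
 encapsulation dot1Q 100
 ip vrf forwarding CE-VRF1
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0.200
 encapsulation dot1Q 200
 ip address 10.2.2.1 255.255.255.0
interface FastEthernet0.300
 encapsulation dot1Q 300
 ip address 10.3.3.1 255.255.255.0
 ip vrf forwarding CE-VRF2
router ospf 100 vrf CE-VRF1
 network 10.1.1.1 0.0.0.0 area 1
"""

def parse_config(text):
    """Parse IOS-style text (indented or flattened) into VRFs and interfaces."""
    defined, routed, interfaces, current = set(), set(), [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"interface (\S+)", line):
            current = {"name": m.group(1), "vlan": None, "vrf": None,
                       "addr": None, "addr_before_vrf": False}
            interfaces.append(current)
        elif m := re.fullmatch(r"ip vrf (?!forwarding\b)(\S+)", line):
            defined.add(m.group(1))      # VRF definition ends any interface block
            current = None
        elif line.startswith("router "):
            current = None
            if m := re.search(r" vrf (\S+)$", line):
                routed.add(m.group(1))   # e.g. "router ospf 100 vrf CE-VRF1"
        elif m := re.fullmatch(r"address-family ipv4 vrf (\S+).*", line):
            routed.add(m.group(1))       # per-VRF address family under a router
        elif current is not None:
            if m := re.fullmatch(r"encapsulation dot1[qQ] (\d+).*", line):
                current["vlan"] = int(m.group(1))
            elif m := re.fullmatch(r"ip vrf forwarding (\S+)", line):
                current["vrf"] = m.group(1)
                current["addr_before_vrf"] = current["addr"] is not None
            elif m := re.fullmatch(r"ip address (\S+) (\S+).*", line):
                current["addr"] = m.group(1)
    return defined, routed, interfaces

def audit(text):
    """Return (interface, finding_code) tuples for dot1Q subinterfaces."""
    defined, routed, interfaces = parse_config(text)
    findings = []
    for intf in interfaces:
        if intf["vlan"] is None:
            continue                     # only dot1Q subinterfaces are in scope
        if intf["vrf"] is None:
            findings.append((intf["name"], "GLOBAL_TABLE"))  # outside every VRF
            continue
        if intf["vrf"] not in defined:
            findings.append((intf["name"], "UNDEFINED_VRF"))
        if intf["addr_before_vrf"]:
            findings.append((intf["name"], "ADDR_BEFORE_VRF"))  # IOS drops address
        if intf["vrf"] not in routed:
            findings.append((intf["name"], "NO_ROUTING_IN_VRF"))  # no PE adjacency
    return findings

if __name__ == "__main__":
    for name, code in audit(SAMPLE_CE_CONFIG):
        print(f"{name}: {code}")
```

The parser keys on command keywords rather than indentation, so it also accepts a configuration that was pasted flat, as in the post above.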

Similar Messages

  • VRF-Lite with 6500 w/ Sup720

    I am working with a customer who would like to utilize path isolation in their network using VRF-Lite. I am currently debating between the use of GRE tunnels vs. VLANs between 3 core switches they currently have in place today. This is going to be overlay network on top of what they currently have. The core is all L2 today with 802.1q trunks between each of 3 cores in a ring topology. Closets are single homed into the core throughout.
    My question is regarding GRE vs. VLANs. Currently, we are looking at having to deploy 12 VRFs to support 12 separate network types they would like to isolate. The Access layer switches will trunk to the cores where the core will apply VRFs to specific VLANs based on their role.
    Which is going to be a more scalable solution from a performance and administration standpoint: GRE, VLANs, or MPLS?
    Currently the GRE implementation is going to require that we configure many loopbacks and tunnels on each core in order to get the VRFs talking to each other in each core. The VLAN approach will require 24 VLANs per core (assuming we would go with PTP vs Multipoint for routing inside the VRF).
    Any thoughts on which way to proceed? From what I have read GRE is more appropriate when you have multiple hops between VRF tables, which in this case we do not. I am just concerned with loopbacks, tunnels, and then routing on top of that the GRE solution will lack scalability as they add more VRFs. A PTP VLAN will pose a similar problem without the need for loopbacks which should simplify the solution.
    Can we use MPLS here and just do PE to PE MPLS and still get the VRF segmentation we need between cores?
    I would like to eventually migrate the entire core to L3 completely but today we are stuck with having to support legacy networks (DEC/LAT/SNA) and have to keep some L2 in place.
    What's the best approach here?

    Shine,
    I actually ended up with basically the same design you are talking about here except that I ended up adding a couple 6500 +FWSM and NAC L3/L2 CAM/CAS into the mix.
    Here is the high level overview
    1. Every Closet had a minimum of 6 VLANs - unique to the stack or closet switch - Subnets were created for each VLAN as well - no spanning of L2 VLANs across switch stacks.
    2. VLANs were assigned for - Voice, Data, LWAPP VLAN, Guest/Unauthorized, Switch/Device Management, and at least 1 special purpose VLAN - (Lab, Building Controls, Security, etc).
    3. Then we trunked all the VLANs back to 1 of 3 cores - 6509s with Sup-720s
    4. Each Core 6509 was configured for each L2 VLAN with a L3 SVI (The VLANs configured here were not configured on any other cores - we didn't have available fiber runs to do any type of redundant pathing across multiple cores so it wasn't valid in this design to configure VLAN SVIs on more than one core).
    5. Each L3 SVI was assigned to the appropriate VRF based on use - Voice, Data, LWAPP, etc
    6. Spanning-Tree Roots for all VLANs trunked to a core were specific to that core - they did not trunk between Cores - no loops
    7. Each Core was connected via a L2 Trunk that carried Point to Point VLANs for VRFs traffic - We had an EIGRP AS assigned to each VRF on the link - so we had 6 VRFs and 6 EIGRP AS per trunk.
    8. This design occurred on each core x2 as it connected to the other cores in a triangle core fashion.
    9. Each of the Cores had a trunk to 6500 with a FWSM configured - VRF/L3 PTP VLAN design continued here as well
    10. The 6500+FWSM was configured with multiple SVIs and VRFs - we had to issue multi-vlan mode on the FWSM to get it to work.
    11. Layer 2 NAC was configured with VLAN translation coming into the Core 6500/FWSM for Wireless in L2 InBand Mode - the L3 SVIs were configured on the clean side of the NAC CAM so traffic was pulled through the CAM from the dirty side - where the controller mapped host SSIDs to appropriate VLANs. We only had to configure a couple host VLANs here - Guest and Private so this was not much of an issue - Private was NAC enabled, Guest VLAN/SVI was mapped to a DMZ on the firewall
    12. For Layer 3 NAC we just used an out of band CAM configurations with ACLs on the Unauthorized VLAN
    It worked like a charm.
    If I had to do it all over again I would go with MPLS/BGP for more scalability. Configuring trunks between the cores and then having the multiple EIGRP AS/PTP VLANs works well in networks this small but it doesn't scale indefinitely. It sounds like your network is quite large. I would look into MPLS between a set of at least 3-4 Core PE/CE devices. Do you plan on building a pure MPLS core for tagged switched traffic only? Is your campus and link make up significant enough to benefit from such a flexible design?

  • "An error has been detected with a required application library and the product cannot continue. Please reinstall the application.

    I have received the following error message from my Adobe Acrobat Pro X1 after installing the CS6 package: "An error has been detected with a required application library and the product cannot continue. Please reinstall the application."
    I am now unable to open any pdf?
    Any words of advice here how to fix this problem?
    Thanks!

    ** Moved to Acrobat Forums for quicker and accurate resolution steps ***

  • An error has been detected with a required application library and the product cannot continue. Plea

    I am getting the following error each time I open Adobe Acrobat 7.0 Professional...
    "An error has been detected with a required application library and the product cannot continue. Please reinstall the application."
    I have tried uninstalling and then reinstalling the program. It didn't help, got the same error shortly after opening the program.
    What is strange is that the problem just suddenly appeared therefore, I believe that it may have been malware related causing this problem. And I have had this program and have been using it without any problems now for over 3 years.
    It appears that a vital part of the program is being blocked.
    Can anyone please help and offer a detailed solution to this problem? Maybe someone has already encountered it.
    Thank you!
    -Dan Sacapano

    Anoop,
    Upon re-reading that information, I am curious as to why you believe that this will solve my issue. That is not related to my error message: "An error has been detected with a required application library and the product cannot continue. Please reinstall the application."
    I have not received any such message as the one seen on that page.
    Please explain why I wouldn't have gotten that particular message and instead got the one I quoted above?
    Thank you,
    -Dan

  • I've bought a leather case for iPhone 4 with a magnet clip situated on the back side just above the "apple" label. Can it interfere with any signals or cause other damage?

    I've bought a leather case for iPhone 4 with a magnet clip situated on the back side just above the "apple" label. Can it interfere with any signals or cause other damage?

    I have been using a leather case with a magnetic clasp for months.  The only side effect is that I need to recalibrate the compass app when I use it.  This is really not a problem since I don't use the compass app very often.  I haven't encountered any other interference or problems.

  • VRF lite and MPLS VRFs

    We have a CE router connected to a PE router. The CE router is connected via 2 links to the PE router, because we need to create two VRFs on the PE for the traffic coming from the CE to separate the traffic, so we have one VRF per link. We are running OSPF between CE and PE. Now we need to further separate the traffic up to the CE, so I'm thinking of using VRF lite on the CE. Can MPLS work with VRF lite, and how do I map the VRF lite VRFs on the CE to the MPLS VPN on the PE?
    Are there any config examples?
    Thanks in advance

    VRF Lite and MPLS-VPN act independently so they can work independently. And there is no specific need for mapping. If the link is for VRF A on the PE, you can make it part of VRF A on the CE as well. Both VRFs are independent of each other.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
    This document is for the 4500 but the logic holds the same.

  • SharePoint Bug? Conflict Error when saving a Page with a "Required" DateTime field in the page layout

    Hello,
    I've just recently encountered a weird error / bug in SharePoint. Here is the scenario:
    - I have a custom column "Test Date" that is of DateTime field type. The field is configured as REQUIRED.
    - It is added to a custom Content Type "Test CT" that is based on a "Publishing Page" content type
    - I have created a Page Layout "Test PL" which is based on that particular content type.
    Now here is what happens:
    1. I try to create a page based on both that Content Type and Page Layout in the Pages Library. I manage to create it successfully.
    2. However, when I go to try and edit the page, fill-in the required values and try to save it using the PAGE TAB -> SAVE BUTTON, I get the below error/s. Note that this happens no matter what I choose in the drop-down menu for Save Button.
    "The file XXX has been modified by USER on DATE"
    But I know I am the ONLY user modifying the page. 
    If I try to save again it gives me options to whether Discard my Changes, Keep Editing, Overwrite Changes, or Merge.
    3. HOWEVER, if I use the Save button on the UPPER RIGHT corner of the screen (the shortcut). I am able to save successfully without any errors!
    The only thing I've tried that made it work was if I made the DateTime OPTIONAL. But I need it to be REQUIRED.
    Is there any workaround to this error / bug?
    Thanks

    I have some additional info but nothing really good. 
    If you click the Save in the left side of the Ribbon then it looks like that is when you get the message. If you click the Save in the top right corner you won't get the message. They must be calling different saving functions. 
    There really is no way around it other than making the field optional which probably removes some server side validation checks causing that message.
    We've chosen to remove that field from the page as I needed it required, then they can't publish the page until they go to the properties and set the article date. By removing the field from the page layout the message goes away.
    I hope MS will fix this at some point.
    -tom daly

  • Having problems with pro audio under Vista on the Intel side?

    This article has some extremely interesting information about that and might be helpful.
    http://www.cs.auckland.ac.nz/~pgut001/pubs/vista_cost.html
    IMac    

    Is this for real?
    "Since S/PDIF doesn't provide any content protection,
    Vista requires that it be disabled when playing
    protected content [Note E]. In other words if you've
    sunk a pile of money into a high-end audio setup fed
    from an S/PDIF digital output, you won't be able to
    use it with protected content."
    Very real!
    I have heard the writer in an interview on a security program
    and they went into all the problems this is going to cause.
    There are people who have bought large screen tvs that
    will not work with Vista because the company did not put
    the required hardware into the device,(because they did not
    want to pass the cost on to the consumer and raise the price
    of their product). Not only that but the required DRM that is
    mandated in connected devices is supposed to disable itself if
    it senses someone trying to get around the protection.
    Plus, if you create your own HD or high quality audio, who is
    to say that Vista won't try and protect it from yourself!
    Microsoft has bowed down to the movie industry by putting this
    so far down into the core of the operating system that I see this
    as an incentive to piracy and switching platforms.
    Say you're on a Skype call and you start playing a piece of music
    with DRM, your connection would probably be gone since audio
    is all routed the same.
    A fluctuation of voltage could be interpreted as an attack and trigger
    tilt bits that cause subsystems to reboot and denial of license to
    drivers. So just a power surge could cause some of your system
    to stop working not because of the surge but because Vista
    felt threatened.
    The real pirates will figure out how to get around this and
    it will just be a problem for normal users.
    I knew they were not bright but this takes stupidity to a whole
    new dimension.

  • Horrible performance drop with mixed ports 100 & 1000 on the LAN side.

    I have horrible performance with newly bought lrt224.
    WAN side is a 150 Mb/s Cable connection.
    LAN has 3 ports at 1Gb/s and 1 port at 100 Mb/s
    Test:
    On any of the lan ports at 1 Gb/s I do a test via speedtest.net and get 150 Mb/s
    On the Lan port at 100 Mb/s I do a test via speedtest.net and get 10 Mb/s (same server)
    Weird part, I do a LAN (1Gb/s) to LAN (100Mb/s) test I get around 99Mb/s.
    Second weird part, I replace WAN side cable modem with a VDSL+ line and I get max VDSL+ performance of 75 Mb/s.
    Any hints?

    CABLE modem stats (bad perf):
    Ping statistics for 46.228.47.115:
    Packets: Sent = 83, Received = 83, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 24ms, Maximum = 106ms, Average = 32ms
    Tracing route to fd-fp3.wg1.b.yahoo.com [46.228.47.114]
    over a maximum of 30 hops:
    1 <1 ms <1 ms <1 ms 20.20.20.1
    2 1 ms <1 ms <1 ms 192.168.0.1
    3 27 ms 17 ms 9 ms d51a50801.access.telenet.be [81.165.8.1]
    4 14 ms 17 ms 11 ms dD5E0CC79.access.telenet.be [213.224.204.121]
    5 * 15 ms 20 ms dD5E0FA01.access.telenet.be [213.224.250.1]
    6 * * * Request timed out.
    7 19 ms 14 ms 24 ms nl-ams05a-rd1-te-6-0-0.aorta.net [213.46.183.101]
    8 20 ms 16 ms 13 ms pat2.ams.yahoo.com [80.249.209.163]
    9 35 ms 34 ms 30 ms ae-5.pat2.iry.yahoo.com [66.196.65.154]
    10 33 ms 33 ms 35 ms ae-3.msr1.ir2.yahoo.com [66.196.67.243]
    11 28 ms 29 ms 34 ms et-18-10.bas2-2-prd.ir2.yahoo.com [77.238.186.47]
    12 33 ms 26 ms 32 ms ir2.fp.vip.ir2.yahoo.com [46.228.47.114]
    VDSL modem stats (good one):
    Ping statistics for 46.228.47.114:
    Packets: Sent = 68, Received = 68, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 44ms, Maximum = 110ms, Average = 46ms
    Tracing route to fd-fp3.wg1.b.yahoo.com [46.228.47.115]
    over a maximum of 30 hops:
    1 <1 ms <1 ms <1 ms 20.20.20.1
    2 1 ms 1 ms 1 ms 192.168.1.1
    3 19 ms 19 ms 19 ms 109.131.160.1
    4 21 ms 20 ms 21 ms ae-62-100.iarstr4.isp.belgacom.be [91.183.241.240]
    5 * 21 ms 21 ms ae-13-1000.ibrstr3.isp.belgacom.be [91.183.246.112]
    6 * * * Request timed out.
    7 22 ms 21 ms 21 ms 94.102.162.147
    8 * * * Request timed out.
    9 * * * Request timed out.
    10 25 ms 25 ms 25 ms ge-1-3-0.pat1.ams.yahoo.com [80.249.209.110]
    11 74 ms 44 ms 44 ms ae-5.pat1.iry.yahoo.com [216.115.104.64]
    12 43 ms 43 ms 43 ms ae-2.msr2.ir2.yahoo.com [66.196.65.159]
    13 47 ms 43 ms 44 ms et-17-17.bas2-2-prd.ir2.yahoo.com [217.146.185.188]
    14 43 ms 48 ms 43 ms ir1.fp.vip.ir2.yahoo.com [46.228.47.115]

  • How many VRF-Lite Routing Instances can a 6509-E with a 720-Sup module run?

    I know that a 4500 style switch supports a maximum of 64 VRF-lite routing instances. However, what is the maximum number of VRF-Lite routing instances that a 6509-E switch with a Sup-720 sup module can support?

    Sup 720  supports 1024 VRF Lites
    see table-1 in this link:
    http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-6500-series-switches/product_data_sheet09186a0080159856.html
    HTH

  • Multi-VRF CE with Private VLANs

    Does anyone know if you can implement a VRF instance on a private vlan? I would assume so, and will lab it out as time permits, but was curious if anyone had tried it/knows one way or the other.

    Since both the platforms support VRF lite and MPLS VPN, you can use Frame-Relay as the encapsulation for sub interfaces with local DLCI switching.
    As the VRF configuration is not media dependent.
    HTH-Cheers,
    Swaroop
    Router 1
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
     ip vrf forwarding xxx
     ip address 172.16.120.105 255.255.255.0
     frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface.
    Router 2
    interface Serial0/0
     no ip address
     encapsulation frame-relay
     no keepalive
    !--- This command disables LMI processing.
    interface Serial0/0.1 point-to-point
    !--- A point-to-point subinterface has been created.
     ip vrf forwarding xxx
     ip address 172.16.120.120 255.255.255.0
     frame-relay interface-dlci 101
    !--- DLCI 101 has been assigned to this interface.

  • CSM VRF Lite OSPF and IPSEC/GRE

    We have a pretty complex VPN configuration. It's a site-to-site VRF-Lite GRE/IPSEC VPN that would be considered a point-to-point, each router is connected to two peers in a ring.
    CSM complains about discovering this VPN configuration due to the VRF and the fact that OSPF with multiple OSPF processes is not supported.
    My question is, can we still monitor the tunnels. We'd like to monitor the tunnels, but that seems impossible unless we can get CSM to see the tunnels which it currently is not.


  • AAA Authentication and VRF-Lite

    Hi!
    I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
    The setting is as follows. A /31 linknet is set up between PE and CE (7206/g1 and C1812), where the PE sub-if is a part of an MPLS VPN, and the CE uses VRF-Lite to keep the local services separated (where more than one VPN is used..).
    Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
    ---> Config Begins <---
    aaa new-model
    aaa group server radius radius-auth
     server x.x.4.23 auth-port 1645 acct-port 1646
     server x.x.7.139 auth-port 1645 acct-port 1646
    aaa authentication login default group radius-auth local
    aaa authentication enable default group radius-auth enable
    radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
    radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
    ip radius source-interface <outside-if> vrf 10
    ---> Config Ends <---
    The VRF-Lite instance is configured like this:
    ---> Config Begins <---
    ip vrf 10
    rd 65001:10
    ---> Config Ends <---
    Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okay for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
    I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

    Just wanted to help future people as some of the answers I found here were confusing.
    This is all you need from the AAA perspective:
    aaa new-model
    aaa group server radius RADIUS-VRF-X
     server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
     ip vrf forwarding X
    aaa authentication login default group RADIUS-VRF-X local
    aaa authorization exec default group RADIUS-VRF-X local if-authenticated
    Per VRF AAA reference:
    http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

  • Does IOS XR support vrf lite?

    Am researching PE-CE configuration for a multiservice CE, using eBGP as the protocol. The XR fundamentals book describes this, but does not give an example of the CE configuration.
    I want to configure several sub-interfaces and allocate them to different VRFs, running vrf lite on the CE. The sub-interface bit works fine. I cannot find which document describes vrf lite configuration, am using XR 4.3.0.
    Does anyone have an example of how to set up an IOS XR CE with vrf lite they could share, using eBGP as the routing protocol?

    ok, I see that bit. So I set this up with sub-interfaces, assign each to a vrf. Works great!
    How do I configure eBGP to act as the PE-CE routing protocol? It is that bit that I cannot get to work. I configured BGP, defined the VRFs under the BGP process, and then defined the neighbors under the BGP/VRF settings. The eBGP peerings all established, but no prefixes were received. And yes, I had an inbound/outbound route policy configured.
    Will have another look later today at this, but any suggestions gratefully received.

  • "An error has been detected with a required application library"

    Hi All,
    I installed Audition 3.0 on a new laptop running Windows 7 Home Premium.  The installation goes fine but when I try to run the program it fails and I get this message, "An error has been detected with a required application library and the product cannot continue.  Please reinstall the application."  I've tried reinstalling many times but it doesn't help.  Any ideas?
    Thanks,
    Billy

    There's a good chance the software is too old and is not compatible with Windows 7.  One thing you might try is to uninstall and then install the new CS6 trial version and see if that works properly for you.  If it does, then it is not a machine issue (except that the machine might be too new for the old version).
