Extending VRF-lite to 6500??

Unanswered Question
Feb 13th, 2007

Hello,

I have a simple scenario, where there is a 6500 connected to a router (ISP end), which we have planned to implement vrf-lite on.... there are basically 2 VLANs on the LAN, one production and one guest... we need to isolate the routing table instances between the production and guest.. we have planned to configure trunk between the 6500 and PE router at the ISP end. 6500 acts as a CE here.

Now, I want to extend the VRF information from the PE to the 6500 CE, since the layer 3 VLANs terminate on the 6500. I will define the same VRF information on the 6500 and isolate VRF routing tables for the guest/production VLAN on the LAN also. I know we will need to configure VRF, RD, BGP etc. on the PE router and do an "ip vrf forwarding" on the subinterface of the router. What is the configuration required on the 6500 to extend the VRF-lite information to the end VLANs? Does anyone have any sample configs or links to which I can refer?

Raj

mheusinger Tue, 02/13/2007 - 04:47

Hi,

VRF-wise the config is identical to a PE router. The difference is: no MPLS labels. Therefore interconnecting VRFs in VRF-lite is not possible through MP-BGP (announcing the VPN labels). Hence there are usually no route-targets defined.

Be aware that the PE-CE protocol BGP has some limitations. You can NOT have two eBGP sessions between the same two routers, because there is only ONE BGP router ID. The net result is that only one session between two BGP routers will be possible. So in a VRF-lite environment you would use OSPF, EIGRP, RIPv2, ISIS or static routing between PE and (VRF-lite-)CE.

Another option would be to convert your 6500 into a full-blown MPLS VPN PE and connect it through Inter-AS VPN options to the provider. Technically this will be possible, but the provider has to agree and there might be some nontechnical reasons preventing this setup.

Hope this helps! Please use the rating system.

Regards, Martin

sachinraja Tue, 02/13/2007 - 15:15

Hello Martin,

thanks for your response... the second option, making the 6500 the PE, is not possible !!! we have a lot of complications involved then !!! do you have any sample configs or links for the first option ? what if there are more VLANs in production ? we can anyway use the same VRF for all VLANs, and do an "ip vrf forwarding" on all the VLAN interfaces, right?

I'm still not able to visualise the CE router adding VRF or tag information to the packet.. as I see it, the PE router is the PHP and it does a label/VRF stripping and sends across ONLY the IP packet to the CE router. Now, will the CE router again put all the headers?? how will it differentiate ?

Raj

mheusinger Tue, 02/13/2007 - 15:56

Well,

first a sample config (not from a 6500, but you should be able to get the idea):

ip vrf Cust1
 rd 65000:1
!
ip vrf Cust2
 rd 65000:2
!
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding Cust1
 ip address 10.1.1.1 255.255.255.252
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 ip vrf forwarding Cust1
 ip address 10.1.2.1 255.255.255.252
!
interface FastEthernet0/0.300
 encapsulation dot1Q 300
 ip vrf forwarding Cust2
 ip address 10.20.1.1 255.255.255.252
!
! Note: the same address 10.1.1.1 as on Fa0/0.100, but in a different VRF
interface FastEthernet0/0.333
 encapsulation dot1Q 333
 ip vrf forwarding Cust2
 ip address 10.1.1.1 255.255.255.252
!
! On a 6500 you could also have:
!
interface Vlan400
 ip vrf forwarding Cust2
 ip address 10.1.123.1 255.255.255.252
!
router rip
 !
 address-family ipv4 vrf Cust1
  version 2
  network 10.0.0.0
  no auto-summary
 exit-address-family
 !
 address-family ipv4 vrf Cust2
  version 2
  network 10.0.0.0
  no auto-summary
 exit-address-family

The separation in the control plane (routing etc.) is achieved through the normal VRF configuration. Overlapping IPs and such are supported by having separate IP routing tables per VRF and VRF aware routing protocols like RIP, OSPF, etc.

In the data plane traffic is sorted by layer 2 encapsulation. In the example above, the dot1Q VLAN tag will deliver the same functionality as the MPLS VPN labels. If f.e. an IP packet with destination 10.1.1.1 arrives, the VLAN tag 100 or 333 will allow the VRF-lite CE to determine whether it belongs to Cust1 or Cust2. The same differentiation will take place for traffic from the CE to the PE. So the PE config is practically the same, BUT in addition MP-BGP and route-targets and MPLS towards the core are used.

So no MPLS is needed on the VRF-lite CE router, no labels will be used, hence VRF-lite.

The PE will not be the PHP LSR in the MPLS sense, because it is the LAST router in the MPLS network.

Instead of FastEthernet subinterfaces, VLAN interfaces can also be used. The number of interfaces per VRF or the number of VRFs is limited by memory.

Hope this helps! Please use the rating system.

Regards, Martin

sachinraja Tue, 02/13/2007 - 16:54

Hello Martin,

That was really useful info.. I was also going through some Cisco slides, and saw some more info... they were talking about a command called "capability vrf-lite" under the OSPF or other routing protocols configuration !!! Is this mandatory for multi-VRF configuration ?

Raj

mheusinger Wed, 02/14/2007 - 00:16

Hi,

OSPF in a VRF has additional features/checks to avoid routing loops in redundant VPN setups. Specifically, the down bit is set in all LSA3 a PE generates. If, on the other hand, the down bit is set, the LSA3 is in the OSPF database, but will NOT be taken into account when calculating the routing table.

As a VRF-Lite CE gets the OSPF info from a PE, the down bit will - and should - be set. However, OSPF in a VRF would completely ignore those routes, i.e. no connectivity between CEs across the MPLS VPN would be possible.

You can check the setting in the LSA3 with "show ip ospf database summary" and look out for "Downward" in the options.

"capability vrf-lite" basically instructs the CE to ignore the setting of the down bit and use the LSA in SPF.

A second, similar mechanism exists for LSA5 and again the CE should not check for it.

Hope this helps! Please use the rating system.

Regards, Martin
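Putting Martin's two answers together for Raj's scenario, here is an added sample config (not from the thread, not from Cisco) for the 6500 as a VRF-lite CE with a production and a guest VRF and per-VRF OSPF towards the PE; the VRF names, VLAN ids, interface names and addresses are assumptions.

```text
! Added example (not from the thread): 6500 as VRF-lite CE with two LAN
! VRFs (Prod, Guest) and OSPF towards the PE. Names, VLAN ids and
! addresses are assumptions.
ip vrf Prod
 rd 65000:10
!
ip vrf Guest
 rd 65000:20
!
! LAN-side SVIs: each VLAN is bound to exactly one VRF
interface Vlan10
 ip vrf forwarding Prod
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 ip vrf forwarding Guest
 ip address 192.168.20.1 255.255.255.0
!
! PE-facing trunk: one tagged VLAN per VRF does the job of the VPN label
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 110,120
 switchport mode trunk
!
interface Vlan110
 ip vrf forwarding Prod
 ip address 10.0.110.2 255.255.255.252
!
interface Vlan120
 ip vrf forwarding Guest
 ip address 10.0.120.2 255.255.255.252
!
! One OSPF process per VRF. capability vrf-lite tells the CE to use
! the LSAs on which the PE set the down bit; without it they are ignored.
router ospf 10 vrf Prod
 capability vrf-lite
 network 192.168.10.0 0.0.0.255 area 0
 network 10.0.110.0 0.0.0.3 area 0
!
router ospf 20 vrf Guest
 capability vrf-lite
 network 192.168.20.0 0.0.0.255 area 0
 network 10.0.120.0 0.0.0.3 area 0
!
! Verification: "Downward" in the summary LSA options shows the down bit;
! the Guest table must not hold any Prod prefix (no route leaking)
! show ip ospf database summary
! show ip route vrf Guest
```

The isolation between guest and production only holds as long as no static route or route-target ever points from one VRF into the other, so the second verification command is worth running after every change.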
