VRF lite and shared service

Answered Question
May 11th, 2007

Hi to all, I'm trying to use VRF-Lite with shared service. I tried to configure two different VRFs (blue and red, for example) and then I configured another VRF (for example, server). I tried to export with route-target both vrf blue and green to vrf server, and to import vrf server into vrf blue and green to give reachability. This is part of my configuration:

ip vrf green
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:300

ip vrf red
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:300

ip vrf server
 rd 65001:300
 route-target export 65001:300
 route-target import 65001:300
 route-target import 65001:100
 route-target import 65001:200


but it doesn't work.

Any help appreciated


Max


p.s. is it possible to merge two vrf in VRF-Lite ?

Correct Answer by mohammedmahmoud about 9 years 11 months ago

Hi,


I insist on my opinion :) and from your document:


Note This command is effective only if BGP is running.


http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html#wp1045301



HTH,

Mohammed Mahmoud.

bjornarsb Fri, 05/11/2007 - 04:26

Hi,


As posted in another group, you need to add a route-target export 65001:300 at vrf red and a route-target export 65001:100 at vrf server to give full reachability between the two VPNs.


BR,

Bjornarsb



mohammedmahmoud Fri, 05/11/2007 - 05:10

hi,


As far as I know, using route-targets is effective only if BGP is running (route-target is an extended community).



HTH, please do rate all helpful replies,

Mohammed Mahmoud.

rajju Fri, 05/11/2007 - 09:39

Hi:


That was very useful info on VRF-Lite.


Thank you very much.


Sincerely.

bjornarsb Fri, 05/11/2007 - 10:21

Hi mate,


You are very welcome!


Please rate if you find my posts helpful.


BR,

Bjornarsb

Massimiliano Tognon Fri, 05/11/2007 - 23:35

I agree with you. I tested the configuration yesterday and VRF-Lite is able ONLY to make traffic isolation, and it seems not possible to merge two or more VRFs together with route-target attributes. If you want to use this technique, you must run BGP (that is the try I had). I turned on BGP and MPLS and realized MPLS VPN. It's not necessary to have a BGP neighbor up to make route-target work.

Configure BGP with vpn4 and vrf, and all works. If you want to merge more than one VRF with VRF-Lite, you have to put them in touch with a physical loop (for example, with a cross cable connected to both VRFs) from one VRF to the other. Also, a Cisco engineer told me to use a firewall to make it possible to use shared service with VRF-Lite, configuring every VRF on one interface of the firewall and the shared service on the DMZ.

mohammedmahmoud Sat, 05/12/2007 - 00:01

Hi,


Very very nice, I've already tested it myself. I enabled MPLS and MBGP and it works fine. With just VRF-Lite, only traffic isolation can be done but no merge of VPNs can be done. It's logical, as VRF-Lite wasn't invented for this job; it was only invented for converting a CE router into multiple virtual routers, each one with its separate routing table, interfaces and routing protocols.


BR,

Mohammed Mahmoud.

bjornarsb Sun, 05/13/2007 - 05:01

Yes, but you still have to add a route-target export 65001:300 at vrf red and a route-target export 65001:100 at vrf server to give full reachability between the two VPNs.


BR,

Bjornarsb

mohammedmahmoud Sun, 05/13/2007 - 05:56

hi,


You are totally right, but the whole idea is that it can't be done with just VRF-Lite, you must have MBGP.



HTH,

Mohammed Mahmoud.


bjornarsb Sun, 05/13/2007 - 22:16

Hi,


You can run vrf-lite with BGP. As you have posted, vrf-lite gives you separate routing instances.

Another reason why vrf-lite was developed was that you do not need to run tag-switching between CE and PE. So you can run BGP for each vrf.


Agree?


BR,

Bjornarsb

mohammedmahmoud Sun, 05/13/2007 - 23:17

Hi,


Yes, I totally agree :) VRF-Lite without MBGP (BGP with VPNv4) won't do it, but by having VRF-Lite with MBGP it's doable. VRF-Lite alone is only capable of traffic isolation.



BR,

Mohammed Mahmoud.


richard.gu Sun, 05/13/2007 - 19:08

Why do you need to add those export route-tag?


In vrf red it exports 65001:200 and vrf server has import 65001:200. So vrf server should have all routes imported from vrf red. Same vrf red should have all routes from vrf server.

richard.gu Tue, 06/12/2007 - 12:47

I did a test in a dynamips environment. You don't need to add an export to 65001:100 to allow import 65001:200.


The router just checks the route-tag in the MBGP route and grabs the routes whose route-tag matches the import setting.

mohammedmahmoud Wed, 06/13/2007 - 03:04

Hi,


Import and export under the same VRF are independent. In simple VPNs the best practice is to import and export with the same RT (Route Target), while in complex VPNs we import and export according to the VPN design.


export RT --> attached to the routes when they are exported from the VRF (VPN identifier).


import RT --> used to select which routes are imported into the VRF from the routes received via MP-BGP (import route filter).


HTH, please do rate all helpful replies

Mohammed Mahmoud.
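
The import/export rules described in this thread, applied to the three VRFs from the original question, as an added example that is not part of any post: it parses the `ip vrf` stanzas and reports which VRF would import routes from which other VRF, assuming the routes are carried in MP-BGP as the replies require. The function names are hypothetical, and the model covers only route-target matching, not import maps or other filtering.

```python
import re

# The three VRF definitions from the original question, reproduced as input.
CONFIG = """\
ip vrf green
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:300
ip vrf red
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:300
ip vrf server
 rd 65001:300
 route-target export 65001:300
 route-target import 65001:300
 route-target import 65001:100
 route-target import 65001:200
"""

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
            continue
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def leak_matrix(vrfs):
    """Map each VRF to the other VRFs whose exported RTs match one of its import RTs."""
    return {dst: {src for src, s in vrfs.items()
                  if src != dst and s["export"] & d["import"]}
            for dst, d in vrfs.items()}

def isolation_violations(matrix, must_not_see):
    """Return the (a, b) pairs from must_not_see where a would import b's routes."""
    return [(a, b) for a, b in must_not_see if b in matrix.get(a, set())]
```

For the configuration as posted, green and red each import only from server, and server imports from both, so the two customer VRFs stay separated from each other. Under the same model, an extra `route-target export 65001:300` under vrf red would tag red's routes with an RT that green imports, which `isolation_violations` reports for the pair `("green", "red")`.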
