05-11-2007 03:12 AM
Hi to all, I'm trying to use VRF-Lite with shared service. I tried to configure two different VRFs (blue and red for example) and then I configured another VRF (for example server). I tried to export with route-target both vrf blue and green to vrf server and to import vrf server into vrf blue and green to give reachability. This is part of my configuration:
ip vrf green
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:300
ip vrf red
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:300
ip vrf server
 rd 65001:300
 route-target export 65001:300
 route-target import 65001:300
 route-target import 65001:100
 route-target import 65001:200
but it doesn't work.
Any help appreciated
Max
P.S. Is it possible to merge two VRFs in VRF-Lite?
05-11-2007 04:26 AM
Hi,
As posted in another group you need to
add a route-target export 65001:300
at vrf red and
a route-target export 65001:100
at vrf server
to give full reachability between the two VPNs
BR,
Bjornarsb
05-11-2007 05:10 AM
Hi,
As far as I know, using route-targets is effective only if BGP is running. (route-target is an extended community)
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
05-11-2007 05:15 AM
Yes,
If you run ospf in the Customer environment and BGP on the CE router this will work fine.
Then inter-vpn communication goes through the CE router.
I refer to the design in this document:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html
HTH,
Regards
Bjornarsb
05-11-2007 09:39 AM
Hi:
That was very useful info on VRF-Lite.
Thank you very much.
Sincerely.
05-11-2007 10:21 AM
Hi mate,
You are very welcome!
Please rate if you find my posts helpful.
BR,
Bjornarsb
05-11-2007 01:31 PM
Hi,
I insist on my opinion :) and from your document:
Note This command is effective only if BGP is running.
HTH,
Mohammed Mahmoud.
05-11-2007 11:35 PM
I agree with you. I tested the configuration yesterday and VRF-Lite is able ONLY to make traffic isolation, and it seems not possible to merge two or more VRFs together with route-target attributes. If you want to use this technique, you must run BGP (that is the try I had). I turned on BGP and MPLS and realized MPLS VPN. It's not necessary to have a BGP neighbor up to make route-target work.
Configure BGP with vpn4 and vrf, and all works. If you want to merge more than one VRF with VRF-Lite, you have to put them in touch with a physical loop (for example with a cross cable connected to both VRFs) from one VRF to the other. Also, Cisco eng told me to use a firewall to make it possible to use shared service with VRF-Lite, configuring every VRF in one interface on the firewall and the shared service on the DMZ.
05-12-2007 12:01 AM
Hi,
Very very nice, I've already tested it myself, I enabled MPLS and MBGP and it works fine. With just VRF-Lite, only traffic isolation can be done but no merge of VPNs can be done. It's logical, as VRF-Lite wasn't invented for this job; it was only invented for converting a CE router into multiple virtual routers, each one with its separate routing table, interfaces and routing protocols.
BR,
Mohammed Mahmoud.
05-13-2007 05:01 AM
Yes, but you still have to
add a route-target export 65001:300
at vrf red and
a route-target export 65001:100
at vrf server
to give full reachability between the two VPNs
BR,
Bjornarsb
05-13-2007 05:56 AM
Hi,
You are totally right, but the whole idea is that it can't be done with just VRF-Lite, you must have MBGP.
HTH,
Mohammed Mahmoud.
05-13-2007 10:16 PM
Hi,
You can run vrf-lite with BGP.
As you have posted vrf-lite makes
you get separate routing instances.
Another cause why vrf-lite was developed
was that you do not need to run tag-switching between CE and PE.
So you can run BGP for each vrf.
Agree?
BR,
Bjornarsb
05-13-2007 11:17 PM
Hi,
Yes, I totally agree :) VRF-Lite without MBGP (BGP with VPNv4) won't do it, but by having VRF-Lite with MBGP it's doable. VRF-Lite alone is only capable of traffic isolation.
BR,
Mohammed Mahmoud.
05-13-2007 07:08 PM
Why do you need to add those export route-tag?
In vrf red it exports 65001:200 and vrf server has import 65001:200. So vrf server should have all routes imported from vrf red. Same vrf red should have all routes from vrf server.
05-13-2007 10:19 PM
Hi,
You need an export to 65001:100
so it can import 65001:200. That's how it works :)
See this example:
br,
Bjornarsb
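As an added example (not posted by any participant in this thread), the Python sketch below parses the `ip vrf` stanzas from the first post and works out which VRFs would import each other's routes, then checks that green and red stay isolated while both reach server. It assumes route-target import/export is actually in effect, which per the thread requires BGP with VPNv4 to be running; the function names are hypothetical.

```python
import re

# The configuration from the first post in this thread, used as sample input.
CONFIG = """\
ip vrf green
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:300
ip vrf red
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:300
ip vrf server
 rd 65001:300
 route-target export 65001:300
 route-target import 65001:300
 route-target import 65001:100
 route-target import 65001:200
"""

def parse_vrfs(text):
    """Return {vrf: {"export": set, "import": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"ip vrf (\S+)", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"export": set(), "import": set()})
        m = re.fullmatch(r"route-target (export|import|both) (\S+)", line)
        if m and current is not None:
            kinds = ("export", "import") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
    return vrfs

def import_map(vrfs):
    """Assumes BGP is running: a VRF imports routes carrying any RT it imports."""
    return {name: {other for other, o in vrfs.items()
                   if other != name and o["export"] & v["import"]}
            for name, v in vrfs.items()}

def isolation_violations(vrfs, must_not_mix):
    """Pairs from must_not_mix where either VRF imports the other's routes."""
    imp = import_map(vrfs)
    return [(a, b) for a, b in must_not_mix if b in imp[a] or a in imp[b]]

if __name__ == "__main__":
    print(import_map(parse_vrfs(CONFIG)))
```

Running it on a saved configuration before and after a route-target change shows whether the change opens a path between VRFs that are meant to stay separate.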