MPLS VRF Management

Unanswered Question
Feb 20th, 2008

Hi,


After upgrading the network to MPLS, I have some problems with the management of P and PE routers. I want to use "VRF Management" to manage these devices but I have no information on how to configure it.


- For PEs I think I should use the second loopback to add to VRF admin;

- For Ps no solution.


Please show me some useful links or examples.


Thanks for your help

Overall Rating: 4 (1 ratings)
mheusing Wed, 02/20/2008 - 04:18
User Badges:
  • Cisco Employee,

Hi,


To access P routers from a VRF environment you can use two scenarios:

1) connect a P router interface to the PE in the Mgmt VRF

2) use packet leaking.

For managing other devices in different VRFs:

3) central service VPN


Option 1) is giving you plain IP connectivity into the core and you could also connect your Mgmt LAN directly to the core. The advantage of a direct connection: you do not rely on VRF related features to be configured correctly on the access PE to connect to P (and PE) routers.

An example: if someone deletes the Mgmt VRF, all IP addresses on all VRF interfaces in that VRF will be removed. You might end up with no connectivity even to the PE, where the "accident" happened.


Option 2) allows access to the global routing table through a VRF. The configuration could look like this:


ip vrf Mgmt
 rd 65000:161
 export map MgmtLAN
 route-target import 65000:162

interface Serial0/0
 description to a P router
 ip address 10.1.1.1 255.255.255.252

interface Serial0/1
 description to the Mgmt LAN
 ip vrf forwarding Mgmt
 ip address 192.168.1.1 255.255.255.252

ip route vrf Mgmt 10.1.1.0 255.255.255.0 10.1.1.2 global
! Assuming the core IP addresses for management are from 10.1.1.0/24, this will send packets arriving in the VRF to the P routers

ip route 192.168.161.0 255.255.255.0 Serial0/1
! Assuming the Mgmt LAN is 192.168.161.0/24, this will forward packets arriving from the P routers to the Mgmt LAN behind Serial0/1


Option 3) central service VPN for managing devices in different VRFs


ip vrf Mgmt
 rd 65000:161
 export map MgmtLAN
 route-target import 65000:162

ip vrf Customer
 rd 65000:666
 ! normal customer RTs
 route-target export 65000:666
 route-target import 65000:666
 ! this will import the Mgmt LAN network
 route-target import 65000:161
 export map MgmtLoopbacks
 ! this will ensure only management IPs will be imported into the Mgmt VRF and not all customer routes from all VRFs.

interface Loopback161
 description PE Mgmt IP
 ip vrf forwarding Mgmt
 ip address 10.1.2.123 255.255.255.255

interface Serial0/1
 description to the Mgmt LAN
 ip vrf forwarding Mgmt
 ip address 192.168.1.1 255.255.255.252

route-map MgmtLAN
 match ip address 1
 set extcommunity rt 65000:161

route-map MgmtLoopbacks
 match ip address 2
 set extcommunity rt 65000:162 additive

access-list 1 permit host 192.168.161.0
! Only announce the Mgmt LAN

access-list 2 permit host 192.168.162.1
access-list 2 permit host 192.168.162.2
access-list 2 permit host 192.168.162.3
! list the Loopback IPs of devices to manage


From a routing point of view you would need to make sure to route all required IPs with BGP and IGP in the Mgmt environment, as well as the core.


Hope this helps! Please use the rating system.


Regards, Martin





intermediasud Wed, 02/20/2008 - 07:16

Hi,


Thanks for your reply. It's very useful for me.


Now, I have some questions:

1 - How does a P router route the packet to the Management LAN?

2 - What happens in the case P2-P1-PE? How do I manage P2 from the Management LAN connected to the PE?


Thanks

mheusing Wed, 02/20/2008 - 07:43
User Badges:
  • Cisco Employee,

Hi,


In your PE IGP (likely OSPF or ISIS) redistribute the static route pointing to the Mgmt LAN on the PE router. This will ensure all P routers learn the route to the management LAN.


Hope this helps!


Regards, Martin



guruprasadr Mon, 02/25/2008 - 21:32
User Badges:
  • Gold, 750 points or more

Hi Martin,


The above options are really interesting. Can you please explain them in detail for better understanding? What is meant by P's?


Do forward any reference manuals on the same.


I have multiple customer VRFs landing on different MPLS PEs; how do I manage all those customer VRFs using a single Management VRF?


Best Regards,


Guru Prasad R

mheusing Tue, 02/26/2008 - 08:01
User Badges:
  • Cisco Employee,

Hi,


"P's" are core routers in an MPLS network, i.e. running IGP, MPLS but no BGP. They are interconnecting the PE routers. Your network might or might not have them.

Basically for your scenario you would replicate option 3 for each customer VRF containing managed devices. You do not need the VRF Mgmt on every PE, only where interfaces to your management LAN are connected.

So on each PE you would have your existing customer VRFs and add the management VPN RTs:



ip vrf Customer
 rd 65000:666
 ! normal customer RTs
 route-target export 65000:666
 route-target import 65000:666
 ! this will import the Mgmt LAN network
 route-target import 65000:161
 export map MgmtLoopbacks
 ! this will ensure only management IPs will be imported into the Mgmt VRF and not all customer routes from all VRFs.

route-map MgmtLoopbacks
 match ip address 2
 set extcommunity rt 65000:162 additive

access-list 2 permit host 192.168.162.1
access-list 2 permit host 192.168.162.2
access-list 2 permit host 192.168.162.3
! list the Loopback IPs of devices to manage


Where ACL 2 would list the IP addresses of the managed devices.


So the task is to add

 route-target import 65000:161
 export map MgmtLoopbacks

to existing VRFs and locally define the route-map MgmtLoopbacks plus ACL 2.


Hope this helps! Please use the rating system.


Regards, Martin


bradbenz Wed, 01/27/2010 - 10:17

I know this is an older thread, but I hope I can pick this back up.


This solution is VERY close to what I'd like to implement, but with a few differences. I'm doing all P and PE-router management via a dedicated, "OOB" network, using both Console and Ethernet. Our requirement is to only manage the CE side of things, which in theory should simplify this a bit.


In looking at your example, I see reference to an RD that exists nowhere else in the config:


ip vrf Mgmt
 rd 65000:161
 export map MgmtLAN
 route-target import 65000:162


What is the route-target 162?


For my particular environment, here's what I've roughed out: (for brevity and clarity's sake, I've skipped the routing particulars)


!!! PE-Side !!!
ip vrf MPLS_CE_MGMT
rd 15305:100
route-target import 15305:100
!
ip vrf CUSTOMER
rd 15305:666
route-target export 15305:666
route-target import 15305:666
route-target import 15305:100
export map MPLS_CE_MGMT
!
route-map MPLS_CE_MGMT
match ip address 1
set extcommunity rt 15305:100 additive
!
access-list 1 permit host 10.16.140.10
!
!
!!!CE-Side!!!
interface Loopback100
description CE Mgmt IP
ip address 10.16.140.10 255.255.255.255



Comments? Questions? Am I on the right track here?


Thanks!

Giuseppe Larosa Fri, 02/05/2010 - 03:09
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Brad,

Sorry for the late answer.


However, the difference between your solution and that suggested by Martin is the following:

In your case, by using a single route target value, your management VPN builds a basic any-to-any connectivity; this means all VRFs can communicate on IP addresses exported with RT 15305:100 directly without going through the management block.

Martin's solution uses a central service VPN that implements a hub-and-spoke connectivity: the use of two different route targets allows each VRF management IP address to talk only with the management LAN.

This still provides some separation between different customer vlans.


Hope to help

Giuseppe

bradbenz Fri, 02/05/2010 - 09:09

Thanks for your response! Since I'm quite new to the whole import-export thing, would you mind clarifying your suggestions based on my config?


I'd really appreciate your efforts in this regard...


Thanks!


-Brad

Giuseppe Larosa Sat, 02/06/2010 - 13:31
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Brad,

Route targets allow you to implement different connectivity models:


a) single route-target imported and exported in all VRF sites = any-to-any connectivity between VRF sites


b) hub and spokes = dual route targets

   spokes export using RT1 and import RT2

   central site imports RT1 and exports its own routes as RT2

   central site learns all spoke routes; each spoke learns only the central site routes, not those of the other remote sites.


This is useful in your scenario to avoid communication between different VRFs.


Hope to help

Giuseppe
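
The two route-target models compared in this thread can be checked before deployment with a small model of RT import/export. The following is an added example, not code from any poster or from Cisco: it extends both designs to two customer VRFs and reports routes that one customer VRF would learn from another. The names CustA/CustB, the customer LAN prefixes, the RTs 65000:667 and 15305:667, and the loopback 10.16.140.11 are assumed values.

```python
# Constructed model of MP-BGP route-target (RT) import/export between VRFs.
# CustA/CustB, their LAN prefixes, the :667 RTs and 10.16.140.11 are assumed values.

def exported(vrf):
    """Yield (prefix, RTs attached on export) for each route in a VRF."""
    emap = vrf.get("export_map")
    for prefix in vrf["routes"]:
        rts = set(vrf.get("export", ()))
        if emap and prefix in emap["match"]:
            # 'additive' appends the RT; without it the map replaces the RT list.
            rts = rts | {emap["rt"]} if emap.get("additive") else {emap["rt"]}
        yield prefix, rts

def learned(vrfs):
    """Return {vrf: {prefix: origin_vrf}} for routes imported from other VRFs."""
    table = {name: {} for name in vrfs}
    for src, vrf in vrfs.items():
        for prefix, rts in exported(vrf):
            for dst, other in vrfs.items():
                if dst != src and rts & set(other["import"]):
                    table[dst][prefix] = src
    return table

def cross_customer_leaks(vrfs, mgmt="Mgmt"):
    """Routes that one customer VRF learns from another customer VRF."""
    return sorted((dst, p, src) for dst, routes in learned(vrfs).items()
                  for p, src in routes.items() if mgmt not in (dst, src))

def customer(lan, loopback, own_rt, mgmt_in, mgmt_out):
    return {"routes": [lan, loopback], "export": [own_rt], "import": [own_rt, mgmt_in],
            "export_map": {"match": [loopback], "rt": mgmt_out, "additive": True}}

# Central-service design from the thread: spokes export 65000:162, import 65000:161.
HUB_SPOKE = {
    "Mgmt": {"routes": ["192.168.161.0/24"], "import": ["65000:162"],
             "export_map": {"match": ["192.168.161.0/24"], "rt": "65000:161"}},
    "CustA": customer("172.16.1.0/24", "192.168.162.1/32", "65000:666", "65000:161", "65000:162"),
    "CustB": customer("172.16.2.0/24", "192.168.162.2/32", "65000:667", "65000:161", "65000:162"),
}
# Single-RT design from the thread: customers both import and export 15305:100.
SINGLE_RT = {
    "Mgmt": {"routes": [], "import": ["15305:100"]},
    "CustA": customer("172.16.1.0/24", "10.16.140.10/32", "15305:666", "15305:100", "15305:100"),
    "CustB": customer("172.16.2.0/24", "10.16.140.11/32", "15305:667", "15305:100", "15305:100"),
}

if __name__ == "__main__":
    for name, design in (("hub-and-spoke", HUB_SPOKE), ("single RT", SINGLE_RT)):
        print(name, "cross-customer leaks:", cross_customer_leaks(design))
```

The model only covers RT matching; it does not account for RD uniqueness, IGP redistribution or any filtering applied on the CE side.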
