MPLS VRF Management

intermediasud
Level 1

Hi,

After upgrading the network to MPLS, I have some problems with the management of P and PE routers. I want to use "VRF Management" to manage these devices but I have no information on how to configure it.

- For PEs I think I should use the second loopback to add to VRF admin;

- For Ps no solution.

Please show me some useful links or examples.

Thanks for your help


mheusing
Cisco Employee

Hi,

To access P routers from a VRF environment you can use two scenarios:

1) connect a P router interface to the PE in the Mgmt VRF

2) use packet leaking.

For managing other devices in different VRFs:

3) central service VPN

Option 1) is giving you plain IP connectivity into the core and you could also connect your Mgmt LAN directly to the core. The advantage of a direct connection: you do not rely on VRF related features to be configured correctly on the access PE to connect to P (and PE) routers.

An example: if someone deletes the Mgmt VRF, all IP addresses on all VRF interfaces in that VRF will be removed. You might end up with no connectivity even to the PE, where the "accident" happened.

Option 2) allows access to the global routing table through a VRF. The configuration could look like this:

ip vrf Mgmt
 rd 65000:161
 export map MgmtLAN
 route-target import 65000:162
!
interface Serial0/0
 description to a P router
 ip address 10.1.1.1 255.255.255.252
!
interface Serial 0/1
 description to the Mgmt LAN
 ip vrf forwarding Mgmt
 ip address 192.168.1.1 255.255.255.252
!
ip route vrf Mgmt 10.1.1.0 255.255.255.0 10.1.1.2 global
! Assuming the core IP addresses for management are from 10.1.1.0/24, this will send packets arriving in the VRF to the P routers
!
ip route 192.168.161.0 255.255.255.0 Serial0/1
! Assuming the Mgmt LAN is 192.168.161.0/24, this will forward packets arriving from the P routers to the Mgmt LAN behind Serial0/1

Option 3) central service VPN for managing devices in different VRFs

ip vrf Mgmt
 rd 65000:161
 export map MgmtLAN
 route-target import 65000:162
!
ip vrf Customer
 rd 65000:666
 ! normal customer RTs
 route-target export 65000:666
 route-target import 65000:666
 ! this will import the Mgmt LAN network
 route-target import 65000:161
 export map MgmtLoopbacks
 ! this will ensure only management IPs will be imported into the Mgmt VRF and not all customer routes from all VRFs.
!
interface Loopback161
 description PE Mgmt IP
 ip vrf forwarding Mgmt
 ip address 10.1.2.123 255.255.255.255
!
interface Serial 0/1
 description to the Mgmt LAN
 ip vrf forwarding Mgmt
 ip address 192.168.1.1 255.255.255.252
!
route-map MgmtLAN
 match ip address 1
 set extcommunity rt 65000:161
!
route-map MgmtLoopbacks
 match ip address 2
 set extcommunity rt 65000:162 additive
!
access-list 1 permit host 192.168.161.0
! Only announce the Mgmt LAN
!
access-list 2 permit host 192.168.162.1
access-list 2 permit host 192.168.162.2
access-list 2 permit host 192.168.162.3
! list the Loopback IPs of devices to manage

From a routing point of view you would need to make sure to route all required IPs with BGP and IGP in the Mgmt environment, as well as the core.

Hope this helps! Please use the rating system.

Regards, Martin

Hi,

Thanks for your reply. It's very useful for me.

Now, I have some questions:

1 - How does the P route the packet to the Management LAN?

2 - What happens in this case: P2-P1-PE? How do I manage P2 from the Management LAN connected to the PE?

Thanks

Hi,

In your PE IGP (likely OSPF or ISIS) redistribute the static route pointing to the Mgmt LAN on the PE router. This will ensure all P routers learn the route to the management LAN.

Hope this helps!

Regards, Martin

Hi Martin,

The above options are really interesting. Can you please explain the same in detail for better understanding? What is meant by P's?

Please forward any reference manuals on the same.

I have multiple customer VRFs landing on different MPLS PEs. How do I manage all those customer VRFs using a single Management VRF?

Best Regards,

Guru Prasad R

Hi,

"P's" are core routers in an MPLS network, i.e. running IGP, MPLS but no BGP. They are interconnecting the PE routers. Your network might or might not have them.

Basically for your scenario you would replicate option 3 for each customer VRF containing managed devices. You do not need the VRF Mgmt on every PE, only where interfaces to your management LAN are connected.

So on each PE you would have your existing customer VRFs and add the management VPN RTs:

ip vrf Customer
 rd 65000:666
 ! normal customer RTs
 route-target export 65000:666
 route-target import 65000:666
 ! this will import the Mgmt LAN network
 route-target import 65000:161
 export map MgmtLoopbacks
 ! this will ensure only management IPs will be imported into the Mgmt VRF and not all customer routes from all VRFs.
!
route-map MgmtLoopbacks
 match ip address 2
 set extcommunity rt 65000:162 additive
!
access-list 2 permit host 192.168.162.1
access-list 2 permit host 192.168.162.2
access-list 2 permit host 192.168.162.3
! list the Loopback IPs of devices to manage

Where ACL 2 would list the IP addresses of the managed devices.

So the task is to add

route-target import 65000:161
export map MgmtLoopbacks

to existing VRFs and locally define the route-map MgmtLoopbacks plus ACL 2.

Hope this helps! Please use the rating system.

Regards, Martin

bradbenz
Level 1

I know this is an older thread, but I hope I can pick this back up.

This solution is VERY close to what I'd like to implement, but with a few differences. I'm doing all P and PE-router management via a dedicated, "OOB" network, using both Console and Ethernet. Our requirement is to only manage the CE side of things, which in theory should simplify this a bit.

In looking at your example, I see reference to a RD that exists nowhere else in the config:

ip vrf Mgmt
rd 65000:161
export map MgmtLAN
route-target import 65000:162

What is the route-target 162?

For my particular environment, here's what I've roughed out: (for brevity and clarity's sake, I've skipped the routing particulars)

!!! PE-Side !!!
ip vrf MPLS_CE_MGMT
rd 15305:100
route-target import 15305:100
!
ip vrf CUSTOMER
rd 15305:666
route-target export 15305:666
route-target import 15305:666
route-target import 15305:100
export map MPLS_CE_MGMT
!
route-map MPLS_CE_MGMT
match ip address 1
set extcommunity rt 15305:100 additive
!
access-list 1 permit host 10.16.140.10
!
!
!!!CE-Side!!!
interface Loopback100
description CE Mgmt IP
ip address 10.16.140.10 255.255.255.255

Comments? Questions? Am I on the right track here?

Thanks!

Hello Brad,

Sorry for the late answer.

However, the difference between your solution and that suggested by Martin is the following:

In your case, by using a single route target value, your management VPN builds basic any-to-any connectivity. This means all VRFs can communicate on IP addresses exported with RT 15305:100 directly, without going through the management block.

Martin's solution uses a central service VPN that implements hub-and-spoke connectivity: the use of two different route targets allows each VRF management IP address to talk only with the management LAN.

This still provides some separation between different customer vlans.

Hope to help

Giuseppe

Thanks for your response! Since I'm quite new to the whole import-export thing, would you mind clarifying your suggestions based on my config?

I'd really appreciate your efforts in this regard...

Thanks!

-Brad

Hello Brad,

Route targets allow you to implement different connectivity models:

a) single route-target imported and exported in all VRF sites = any-to-any connectivity between VRF sites

b) hub and spokes = dual route targets

   spokes export using RT1 and import RT2

   central site imports RT1 and exports its own routes as RT2

   central site learns all spoke routes; each spoke learns only the central site routes, not those of the other remote sites.

This is useful in your scenario to avoid communication between different VRFs.

Hope to help

Giuseppe
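
The two connectivity models compared in this thread (one shared route-target versus the dual route-target hub and spoke), as an added example that is not part of any post above: a small Python model of route-target import/export that lists which VRF imports which prefix, so customer-to-customer leakage can be checked before the design is deployed. The VRF names CustA/CustB, the 172.16.x.0/24 customer LANs, the RTs 15305:667 and 65000:667 and the address 10.16.140.11 are constructed; the model assumes an export map only attaches RTs to the prefixes it matches.

```python
# Added example: which VRF imports which prefix, given RT import/export.
# Assumption: an export map only sets RTs on the prefixes it matches;
# unmatched prefixes keep the VRF's plain "route-target export" values.
from dataclasses import dataclass, field

@dataclass
class Vrf:
    name: str
    imports: set                                    # route-target import
    exports: set = field(default_factory=set)       # route-target export
    prefixes: set = field(default_factory=set)      # routes local to the VRF
    export_map: dict = field(default_factory=dict)  # prefix -> (rt, additive)

    def advertised(self):
        """Yield (prefix, RT set) as exported into MP-BGP."""
        for prefix in self.prefixes:
            rts = set(self.exports)
            if prefix in self.export_map:
                rt, additive = self.export_map[prefix]
                rts = rts | {rt} if additive else {rt}
            if rts:                                 # no RT: never imported
                yield prefix, rts

def leaks(vrfs):
    """Return {(source VRF, importing VRF, prefix)} for every import."""
    return {(s.name, d.name, p) for s in vrfs for d in vrfs if s is not d
            for p, rts in s.advertised() if rts & d.imports}

def cross_customer(vrfs, hub="Mgmt"):
    """Imports that bypass the management VRF (customer to customer)."""
    return {l for l in leaks(vrfs) if hub not in l[:2]}

def customer(name, rt, loopback, lan, import_rt, export_rt):
    """Customer VRF whose export map tags only the CE loopback."""
    return Vrf(name, {rt, import_rt}, {rt}, {loopback, lan},
               {loopback: (export_rt, True)})

def single_rt():      # one RT imported and exported by every customer VRF
    m = "15305:100"
    return [Vrf("Mgmt", {m}),
            customer("CustA", "15305:666", "10.16.140.10/32", "172.16.1.0/24", m, m),
            customer("CustB", "15305:667", "10.16.140.11/32", "172.16.2.0/24", m, m)]

def hub_and_spoke():  # spokes export 65000:162 and import 65000:161
    lan, hub_rt, spoke_rt = "192.168.161.0/24", "65000:161", "65000:162"
    return [Vrf("Mgmt", {spoke_rt}, set(), {lan}, {lan: (hub_rt, False)}),
            customer("CustA", "65000:666", "192.168.162.1/32", "172.16.1.0/24", hub_rt, spoke_rt),
            customer("CustB", "65000:667", "192.168.162.2/32", "172.16.2.0/24", hub_rt, spoke_rt)]
```

`cross_customer(single_rt())` returns each customer's CE loopback as imported by the other customer, while `cross_customer(hub_and_spoke())` is empty; in both designs the customer LAN prefixes stay out of the management VRF.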
