Label switching in VRF

Answered Question
Jan 26th, 2009

Does anybody know how to configure label switching in VRF?


I have Tunnel 10 between two routers. The tunnel 10 is in VRF red. Below is the config.


ip vrf red
 rd 10:10
 route-target export 10:10
 route-target import 10:10
!
!
mpls label protocol ldp
mpls ldp explicit-null
mpls ldp router-id vrf red Loopback1
!
interface Loopback0
 ip address 172.22.17.3 255.255.255.255
!
interface Loopback1
 ip vrf forwarding red
 ip address 10.1.2.3 255.255.255.255
!
interface Tunnel10
 ip vrf forwarding red
 ip address 10.1.1.1 255.255.255.252
 mpls ip
 tunnel source Loopback0
 tunnel destination 172.22.17.4


LDP is in UP state:


R3#sh mpls ldp neighbor vrf red
    Peer LDP Ident: 10.1.2.4:0
        No TCP connection; Downstream
        Up time: 01:04:30
    Peer LDP Ident: 10.1.2.4:0; Local LDP Ident 10.1.2.3:0
        TCP connection: 10.1.2.4.18593 - 10.1.2.3.646
        State: Oper; Msgs sent/rcvd: 73/72; Downstream
        Up time: 01:02:38
        LDP discovery sources:
          Tunnel10, Src IP addr: 10.1.1.2
        Addresses bound to peer LDP Ident:
          10.1.2.4        10.1.1.2


But I do not have any bindings:


R3#sh mpls ldp bindings vrf red detail
- Empty output -
R3#


Could you help me?


Giuseppe Larosa Mon, 01/26/2009 - 12:02

Hello Aliaksandr,

To have MPLS LDP bindings you need to advertise subnets over the link with a classless routing protocol (from RIPv2 to OSPF) in a PE-CE relationship.

The sh mpls ldp neigh says that the only addresses bound to the peer are the GRE tunnel endpoints themselves.

Then there is the nature of the link. I don't know if it is possible to have Carrier Supporting Carrier over a GRE tunnel.

See

http://www.cisco.com/en/US/solutions/collateral/ns341/ns524/ns562/ns577/net_implementation_white_paper0900aecd806a7df1.html

Hope to help

Giuseppe


APatotski Tue, 01/27/2009 - 03:35

Giuseppe,

Thank you for the reply.

I have connected a CE router and configured a dynamic routing protocol. On the local and remote PE routers I can see the routes from the CE in vrf red, but I do not see any label bindings.

Debug shows the following:

R3#debug mpls ldp bindings
LDP Label Information Base (LIB) changes debugging is on
R3#
*Jan 27 13:31:48.279: tc_handle_bg_timer_event: TC not enabled, ctx # 0(Default-IP-Routing-Table)
R3#


Harold Ritter Mon, 01/26/2009 - 12:05
Cisco Employee

Aliaksandr,


Unless you are going to deploy Carrier Supporting Carrier (CsC), you don't need to configure label switching within the VRF context. Can you please further explain what you are trying to achieve?


Regards

APatotski Mon, 01/26/2009 - 12:31

hritter,

Thank you for the prompt reply.

I have two datacenters (DC) in different buildings. Now we have an L2 VLAN for server clusters between the DCs. We are required to encrypt all the traffic between the DCs, including L2 Ethernet. The idea is to build EoMPLS. GRE will be encrypted with a crypto map. I cannot use the GRT because the GRT is already used in our aggregation switches (cat 6500).

Correct Answer
Giuseppe Larosa Tue, 01/27/2009 - 08:45

Hello Aliaksandr,

if you want to encrypt CE to CE you shouldn't use CsC (VRF or VRF).

I would:

build L2TPv3 L2 transport CE to CE

on the CE to backbone L3 IP interface you then add a crypto map that will match:

  L2TPv3 traffic carrying L2 Ethernet frames
  CE to CE IPv4 traffic

Actually I wonder if you really need a VRF in your case, but I can understand it can help in segregating traffic (but you are using IPSec so the question arises).

EoMPLS would be ideal if no encryption of the L2 frames is required.

I think it can be a cleaner design; you will, however, have to handle possible MTU issues, just to say.

Hope to help

Giuseppe


APatotski Wed, 01/28/2009 - 00:58

Hello Giuseppe,


Thank you for the advice regarding L2TPv3.

I will test it in my lab to understand if it is a satisfactory solution.

I will post the results.


Best Regards.


shivlu jain Thu, 01/29/2009 - 21:46

APatotski

L2TPv3 is the trusted solution. We are serving more than 30% of clients on the L2 solution.

The configuration is given below:

pseudowire-class SHIVLU
 encapsulation l2tpv3
 ip local interface Loopback20
!
interface GigabitEthernet0/2.998
 encapsulation dot1Q 998
 xconnect 998 encapsulation l2tpv3 pw-class SHIVLU
end

The same needs to be configured on the other PE as well.

How to check whether it is up or not:

sh l2tun session circuit vcid 998

regards

shivlu jain
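
Added example, not part of any post in this thread: one way to write the crypto map that Giuseppe's answer describes, limited to its first match item (the L2TPv3 traffic) and applied next to the pseudowire configuration above. The addresses (192.0.2.1 and 192.0.2.2 standing in for the two Loopback20 tunnel endpoints), the backbone-facing interface name, the object names and the pre-shared key placeholder are all assumptions, and the available cipher, hash and DH group options depend on the IOS release.

```text
! Constructed example: all addresses and names below are assumptions.
! 192.0.2.1 = local Loopback20, 192.0.2.2 = remote Loopback20.
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.2
!
! Transport mode: the protected flow and the IPsec peers are the same
! two addresses, so no second IP header is needed (less MTU overhead).
crypto ipsec transform-set L2TPV3-TS esp-aes 256 esp-sha-hmac
 mode transport
!
! L2TPv3 runs directly over IP as protocol 115. Match only the
! pseudowire traffic between the two tunnel endpoints.
ip access-list extended L2TPV3-PEER
 permit 115 host 192.0.2.1 host 192.0.2.2
!
! Source IKE/IPsec from the same loopback the pseudowire-class uses.
crypto map DC-CRYPTO local-address Loopback20
crypto map DC-CRYPTO 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set L2TPV3-TS
 match address L2TPV3-PEER
!
! Apply on the L3 interface facing the backbone (name assumed).
interface GigabitEthernet0/1
 crypto map DC-CRYPTO
```

To confirm that the L2 frames are actually being encrypted, check that the encaps/decaps counters in `show crypto ipsec sa` increase while the pseudowire carries traffic. Any L2TPv3 packet that does not match the access list leaves the interface in clear text, so the ACL hosts must be exactly the addresses the pseudowire uses.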


APatotski Wed, 01/28/2009 - 06:55

Hello Giuseppe,


L2TPv3 is a satisfactory solution in our network. Unfortunately we have to use the global routing table. Nevertheless, I think it is the best of the possible solutions.

Thank you for the help!

Best Regards.

