Multi VRF-CE

Answered Question
Sep 16th, 2009

Hi

This conversation was once initiated and I tried looking for it, but I can't remember under which topic it was done. Getting back to the problem: my questions are based on the document "Designing MPLS Extensions for Customer Edge Routers".

url: www.cisco.com/warp/public/cc/pd/rt/2600/prodlit/1575_pp.pdf

I am using a sketch on page 11. For router 3640-PE-WEST-1 the chart shows this router as running OSPF for all its VRFs (sub-interfaces), but I don't see those configs in the configs shown for this router.

1. Aren't we supposed to have the OSPF process configs for this router? If yes, do they look like this:

router ospf 11 vrf V1(vpn1)
 area 11 virtual-link 220.1.65.6
router ospf 12 vrf V2(vpn2)
 area 11 virtual-link 220.1.65.10

for all other sub-interfaces using the same configs?

2. I only see 1 sub-interface configuration, should I assume there are other sub-interfaces configurations but not shown? (page 13)

3. For BGP process 1 they used the update source loopback, so my understanding is there should be another routing protocol that advertises these loopbacks between the PE routers. Am I right? (page 13)

If yes, can it be OSPF? If yes, how can they do that if we have OSPF processes running per VRF?

Router 2611-CE-4

On page 16 and 17, BGP process shows many address-families configured.

4. Can it work well if I were to configure the address-family for vrf vrflite3 only and leave out the rest of the other address-families?

5. One last question: are the configs for the VXR the same as on the 2611-CE-4, or are they different, since all the sites can communicate with the router VXR? What I don't know is whether they are all pointing to maybe one point (IP address), or whether there are different networks like the vrflite VPNs shown for router 2611.

Regards

Mpho

Giuseppe Larosa Wed, 09/16/2009 - 05:12

Hello Mpho,

You are welcome.

1)

3640-PE-WEST-1 should have, for each VRF, a router ospf process with a network area command and redistribute BGP, as happens on the multi VRF CE.

The difference between the PE and the CE is that the PE has an MPLS backbone link that is used for forwarding MPLS frames for all VRFs.

No virtual links are needed here.

There are cases where sham-links are used to handle the fact that VRF sites are interconnected with links not managed by the service provider, but that is a different thing.

You are right, the OSPF processes config is not reported for the PE node.

2)

Yes, there is one subif for each VRF. As I wrote in the other thread, PE and multiVRF CE use back-to-back VRF links.

So one link for each VRF is needed: it can be a FR subif with a DLCI or a VLAN-based subif with a vlan-id.

3)

Yes, it is not reported, but a classless protocol (OSPF, ISIS or EIGRP) is needed to make LDP and BGP work in the backbone.

The protocol can be an OSPF process or it can be a different protocol; the requirement is that it is able to handle subnet masks (that is, carry them in its updates), so even RIPv2 could be used (in a lab, not in the real world).

4) To see the multiVRF CE concept in action I would suggest you configure at least two VRFs; they are enough.

5)

the VXR should be a PE so its config should look like that of 3640-PE-WEST-1.

Hope to help

Giuseppe

mailaglady2 Wed, 09/16/2009 - 05:56

Hi Giuseppe

This is a connection of one side. In my case I have two 7600 routers that are PEs and two 6509s that are multi-VRF CEs; between the PE and a multi-VRF CE (6509) the connection is Gigabit Ethernet SFP links. Again from the 6509 to the CE router (1841) Ethernet port, and I will be creating sub-interfaces. Does my concept sound feasible?

VXR is not a PE, but RSP-PE-EAST-4 is a PE. VXR looks more like another multi-VRF CE, please confirm.

Thanks and regards

Mpho

Correct Answer
Giuseppe Larosa Wed, 09/16/2009 - 07:01

Hello Mpho,

Yes, you're right: the VXR in the upper left corner of figure 8 on page 11 is another multi-VRF CE.

In your case:

Being multilayer switches, you can use SVIs and you can configure the physical links as L2 trunks.

int vlan 100
 ip vrf forwarding VRF100
 ip addr 10.10.10.1 255.255.255.0
int gix/y
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300

This also allows you to have links between the two PE nodes and between the two CE nodes.

It is very handy and we use it in multiple scenarios.

Hope to help

Giuseppe

mailaglady2 Wed, 09/16/2009 - 11:22

Do I use the above configs between the PE and between the CE as well? Another thing that I have noticed is that on the routers, when I try to configure the VLAN, it doesn't accept the hundred; it must be configured with a value of more than a thousand. I can't remember the exact number.

mailaglady2 Wed, 09/16/2009 - 12:01

I meant: Do I use the above configs between the PE and multi-VRF CE and between the CE and multi-VRF CE as well? Another thing that I have noticed is that on the routers, when I try to configure the VLAN, it doesn't accept the hundred; it must be configured with a value of more than a thousand. I can't remember the exact number.

Giuseppe Larosa Wed, 09/16/2009 - 12:06

Hello Mpho,

You are not obliged to have a CE downstream of a multi VRF CE; it depends on the scenario.

About VLAN creation:

You need to create the VLAN at layer 2 first with

conf t
vlan 100
! this creates the L2 broadcast domain

Then you can do what I've suggested before.

Also check the VTP status of the devices; this can influence whether you can create VLANs or not.

You can create L2 VLANs on VTP servers or VTP transparent nodes.

VTP controls VLANs 1-1005, so what you say points to VTP.

Hope to help

Giuseppe

mailaglady2 Mon, 09/21/2009 - 12:36

Hi - I have tried to configure multi-VRF CE but it doesn't work; there is something that I'm not doing right. I truly can't understand this thing. I want to know how to configure this.

Sw6509 (CE)- Router7613(PE) - Router7609 - sw6509(CE)

1. Can I use only BGP to configure mv-ce?

2. In a case whereby I use OSPF (global) as IGP between the two PEs and OSPF as a routing protocol between the PE and CE, do I run an OSPF VRF instance for every sub-interface that is connected between the PE and CE?

3. Do I redistribute the OSPF vrf routes into BGP vrf and BGP vrf routes into OSPF vrf routes?

Giuseppe Larosa Mon, 09/21/2009 - 13:03

Hello Mpho,

1) You can use BGP, but both devices have the eBGP sessions under the VRF address family.

multiVRF CE

ip vrf VRFA
 rd 65000:100
 route-target both 65000:101
ip vrf VRFB
 rd 65000:200
 route-target both 65000:201
!
router bgp 65000
 no bgp default ipv4-unicast
 address-family ipv4 vrf VRFA
  neigh 10.10.10.2 remote-as 6600
  neigh 10.10.10.2 activate
  redistribute connected
 address-family ipv4 vrf VRFB
  neigh 10.20.10.2 remote-as 6600
  neigh 10.20.10.2 activate
  redistribute connected
!
! SVIs: vlan 100/200 are the per-VRF links to the PE, vlan 101/201 are the client subnets
int vlan 100
 ip vrf forwarding VRFA
 ip address 10.10.10.1 255.255.255.0
 no shut
int vlan 200
 ip vrf forwarding VRFB
 ip address 10.20.10.1 255.255.255.0
int vlan 101
 ip vrf forwarding VRFA
 ip address 10.100.10.1 255.255.255.0
 no shut
int vlan 201
 ip vrf forwarding VRFB
 ip address 10.20.20.1 255.255.255.0
!
int gi3/4
 desc interface to PE
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200
int gi3/5
 switchport
 switchport mode access
 switchport access vlan 101
 desc interface to client vlan in VRFA
int gi3/6
 switchport
 switchport mode access
 ! client VLAN for VRFB is the vlan 201 SVI defined above
 switchport access vlan 201
 desc interface to client vlan in VRFB

What changes on the PE node is the configuration of OSPF as IGP and of MPLS.

2)

yes as in the whitepaper

3)

yes as in the whitepaper

Hope to help

Giuseppe
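A consistency check for the VLAN-to-VRF mapping that the multi-VRF CE configuration above depends on, as an added example (not code from the thread or from Cisco). The function name audit, the sample config and the message texts are assumptions made for illustration; it flags an SVI left in the global routing table and a VLAN carried on a port without an SVI.

```python
import re

# Constructed sample in the style of the multi-VRF CE config above (not from the thread).
SAMPLE = """\
ip vrf VRFA
ip vrf VRFB
interface Vlan100
 ip vrf forwarding VRFA
interface Vlan200
 ip vrf forwarding VRFB
interface Vlan101
 ip address 10.100.10.1 255.255.255.0
interface GigabitEthernet3/4
 switchport trunk allowed vlan 100,200
interface GigabitEthernet3/6
 switchport access vlan 202
"""

def audit(config):
    """Return sorted findings about the VLAN-to-VRF mapping in an IOS-style config."""
    vrfs, svis, carried, section, svi = set(), {}, {}, None, None
    for line in config.splitlines():
        text = line.strip()
        if not line.startswith(" "):          # unindented line opens a new section
            section, svi = text, None
            if m := re.match(r"ip vrf (\S+)$", text):
                vrfs.add(m.group(1))
            elif m := re.match(r"interface Vlan(\d+)$", text, re.I):
                svi = int(m.group(1))
                svis[svi] = None              # SVI seen, VRF not known yet
        elif svi is not None and (m := re.match(r"ip vrf forwarding (\S+)$", text)):
            svis[svi] = m.group(1)
        # Assumption: comma-separated VLAN lists only; ranges such as 100-110 are skipped.
        elif m := re.match(r"switchport (?:access|trunk allowed) vlan ([\d,]+)$", text):
            for vlan in re.findall(r"\d+", m.group(1)):
                carried.setdefault(int(vlan), section)
    findings = []
    for vlan, vrf in svis.items():
        if vrf is None:
            findings.append(f"Vlan{vlan}: SVI has no 'ip vrf forwarding' (global routing table)")
        elif vrf not in vrfs:
            findings.append(f"Vlan{vlan}: VRF {vrf} is not defined")
    for vlan, port in carried.items():
        if vlan not in svis:
            findings.append(f"Vlan{vlan}: used on '{port}' but has no SVI")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```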

mailaglady2 Tue, 09/22/2009 - 00:43

If I use the trunk link between the PE and CE, on the router side how am I going to get these routes across the MPLS backbone to the remote side? Is there a detailed document that I can use/read?

Giuseppe Larosa Tue, 09/22/2009 - 02:11

Hello Mpho,

The configuration on the PE side is the same, with the addition of MPLS, MP BGP and LDP.

The L2 trunk towards the multiVRF CE carries VLANs 100,200.

An L3 SVI interface for each Vlan 100 is associated to the right VRF.

An eBGP session is configured under the corresponding BGP address-family.

OSPF is configured on links between PE nodes.

LDP is configured on links between PE nodes.

OSPF has to advertise the loopback used as LDP router-id to make the LDP sessions come up.

Use the same loopback as BGP source address on iBGP sessions.

int loop1
 ip address 172.16.60.1 255.255.255.255
!
mpls label protocol ldp
mpls ldp router-id loop1 force
!
router ospf 10
 network 172.16.60.1 0.0.0.0 area 0
 network 172.16.20.0 0.0.0.255 area 0
!
router bgp 6600
 neigh 172.16.60.2 remote-as 6600
 neigh 172.16.60.2 update-source loop1
 address-family vpnv4
  neigh 172.16.60.2 activate
  neigh 172.16.60.2 send-community both
!
int gi4/7
 desc backbone
 ip address 172.16.20.1 255.255.255.0
 mpls ip
 mpls mtu 1512

There are some things to be aware of:

If you create loop1 after having enabled MPLS, you need the command with the force option to have it become the LDP router-id.

Use /32 loopbacks, or you need ip ospf network point-to-point under the loopback config to have OSPF advertise the correct mask.

Check with sh mpls forw 172.16.60.2 that the action is POP TAG.

Before setting up the eBGP sessions in VRFs you should be able to ping from CE1:vlan100 to CE2:vlan102 at the other end, exactly as in a standard MPLS VPN setup.

So the suggestion is a step-by-step approach.

First get the PE-PE communication working and verify VPN connectivity from CE to CE.

Then add the eBGP sessions in VRF both on the PE side and on the multiVRF side.

Do this on site1 and use the CE of site2 to verify it can reach, in each VRF, the subnets advertised by multiVRF CE1 of site1.

Finally add the eBGP session in VRF on multiVRF CE2 and PE2.

Verify end-to-end connectivity using extended ping in VRF:

ping vrf VRFA enter

Notice that the CEs need to use this command too because they see the PE node as a device in a VRF.

You have already set up an MPLS VPN lab so you just need to build on it.

Hope to help

Giuseppe

mailaglady2 Tue, 09/22/2009 - 03:51

I am only losing you on the configs below. Did you use a different IP on all of these VLANs? I thought a trunk doesn't need IP addresses. Can you clarify please?

int vlan 100
 ip vrf forwarding VRFA
 ip address 10.10.10.1 255.255.255.0
 no shut
int vlan 200
 ip vrf forwarding VRFB
 ip address 10.20.10.1 255.255.255.0
int vlan 101
 ip vrf forwarding VRFA
 ip address 10.100.10.1 255.255.255.0
 no shut
int vlan 201
 ip vrf forwarding VRFB
 ip address 10.20.20.1 255.255.255.0

Giuseppe Larosa Tue, 09/22/2009 - 04:18

Hello Mpho,

the L2 trunk is useless without ip addresses associated to SVIs.

VRFA:

vlan101 represents the client vlan ip subnet that has to be advertised to PE on an eBGP session in BGP af vrf VRFA.

vlan100: represents the vrf access link to PE node for VRFA

so it is

PE1--- vlan100 --- multiVRF-CE1--- vlan101

VRFB:

PE1--- vlan200 --- multiVRF-CE1--- vlan201

again vlan201 represents a customer route in VRFB to be advertised to PE on eBGP session in af vrf VRFB

whole chain topology for VRFA

vlan101 --- MultiVRFCE1--- vlan100-- PE1

PE1 --- MPLS --- PE2-- vlan 102--MultiVRFCE2 -- vlan103

whole chain topology for VRFB

vlan201 --- MultiVRFCE1--- vlan200-- PE1

PE1 --- MPLS --- PE2-- vlan 202--MultiVRFCE2 -- vlan203

You need something to advertise over the BGP sessions; my suggestion is that it can be another SVI mapped to the same VRF, or you can use a loopback interface.

If you look at figure 8 of the document you have attached in the first post, the scenario is similar.

Hope to help

Giuseppe

mailaglady2 Tue, 09/22/2009 - 07:14

I will use these configs tomorrow; it's starting to make sense a bit. At the moment there are other configs that I used, but the PE can only ping its immediately connected routes; it can't ping the remote side through the MPLS. When I do sh ip route it can see the routes but it can't ping them. I have configured "redistribute connected" under my VRFs.

What could be a problem?

Does this mean anything?

CR7613PE#sh mpls forwarding-table vrf vpntest1
Local  Outgoing   Prefix                 Bytes Label  Outgoing     Next Hop
Label  Label      or VC or Tunnel Id     Switched     interface
18     No Label   192.4.1.0/24[V]        0            Gi10/21.100  172.100.0.2
19     No Label   111.111.111.111/32[V]  \
                                         0            Gi10/21.100  172.100.0.2
21     No Label   100.0.0.0/24[V]        0            Gi10/21.100  172.100.0.2
22     Pop Label  IPv4 VRF[V]            0            aggregate/vpntest1
Local  Outgoing   Prefix                 Bytes Label  Outgoing     Next Hop
Label  Label      or VC or Tunnel Id     Switched     interface
23     Pop Label  IPv4 VRF[V]

CR7609PE#sh mpls forwarding-table vrf vpntest1
Local  Outgoing   Prefix                 Bytes Label  Outgoing     Next Hop
Label  Label      or VC or Tunnel Id     Switched     interface
18     No Label   155.239.247.0/24[V]    \
                                         0            Gi2/0/1.100  172.200.0.2
23     No Label   222.222.222.222/32[V]  \
                                         0            Gi2/0/1.100  172.200.0.2
24     Pop Label  IPv4 VRF[V]            0            aggregate/vpntest1

CR7609PE#sh mpls forwarding-table vrf vpntest2
Local  Outgoing   Prefix                 Bytes Label  Outgoing     Next Hop
Label  Label      or VC or Tunnel Id     Switched     interface
19     No Label   200.200.200.200/32[V]  \
                                         0            Gi2/0/1.200  172.200.0.6
21     No Label   155.239.248.0/24[V]    \
                                         0            Gi2/0/1.200  172.200.0.6
25     Pop Label  IPv4 VRF[V]            0            aggregate/vpntest2
                                         0            aggregate/vpntest2
