I was working on this to make this thing work in a better and more comprehensive way. There are two solutions to this problem which I would like to share and have suggestions on.
The scenario is this:
1. When CE and PE are both under your control and you want to accomplish the isolation on the CE device. This solution only works when both CE and PE are under your control, which means you are the service provider.
Solution: VRF- Lite Solution
This solution can be implemented in two ways:
a) By creating sub-interfaces on the PE interface and assigning each sub-interface to a VRF. On the CE device you can either create sub-interfaces or a TRUNK (in this case you need to have VLANs assigned to VRFs on the CE device).
b) By creating a TRUNK between PE and CE, then creating VLAN interfaces assigned to each VRF.
Note: Of these, the first (a) compromises scalability, since we go on creating sub-interfaces for each VRF. It's cumbersome to create and manage when you are dealing with more than 10 VRFs. The second (b) is the more scalable solution; however, the response time of the network decreases, and it also hinders monitoring. For example: when you have created one VLAN for a customer, say CUSTA, and you have many links from this customer connected to the same PE router. In this case the VLAN interface does not go down unless all its assigned interfaces go down (although there are port-based monitoring tools). The second thing is, if you have noticed, although it is possible to create multiple VLANs for the same customer with different subnet masks, it would hinder management, and one would possibly avoid that and create only one VLAN interface assigned to CUSTA and assign all its interfaces to that particular VLAN. By doing this we are creating a single broadcast domain for all these interfaces, thus decreasing the response time again.
2. When the CE router is connected to a service provider which is providing MPLS L3 VPN based service and you need to accomplish network segregation or isolate networks at customer end i.e. CE.
Solution: This is where it gets interesting. I have made it work, but I don't know yet how it works. I don't even know if it is the CSC model, but I think so.
The key to this solution is the send-label command. In this scenario the service provider configuration is shown in the diagram. The ISP 2 configuration is below.
Note: When we are done with this configuration on the CSC PE 1 router and CSC CE 1 router we get this message, which verifies the neighbor is up: "*Mar 1 00:26:01.799: %BGP-5-ADJCHANGE: neighbor 10.240.5.2 vpn vrf ISP2 Up" on the CSC PE 1 router. There are more weird things I have observed in this solution, e.g.: the LDP neighborship is not formed, the BGP on the service provider shows the BGP neighbor status as IDLE, etc. And one more thing I would like to add is that ISP 1 is unaware of the VRFs created on the CE.
This is still a mystery to me and I am trying to find out how it actually works, and I need you guys to help me do this and come up with suggestions on each of these scenarios, especially to unravel the mystery of the last one.
Attached are the .vsd diagram and .jpeg diagram. Both are the same.
Have nice day!
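The VRF-Lite variant (a) from the first scenario, written out as an added Cisco IOS example that is not part of the original post or its attached diagrams. The VRF names CUSTA and CUSTB, the route distinguishers, the interface names, VLAN tags 10 and 20 and all addresses are constructed for illustration. Each customer gets its own 802.1Q sub-interface on the PE that is bound to its VRF, and the CE mirrors the same tags, so traffic between the two customers has no shared routing table to cross:

```cisco
! ---- PE side: one VRF per customer, one dot1Q sub-interface per VRF ----
ip vrf CUSTA
 rd 65000:10
!
ip vrf CUSTB
 rd 65000:20
!
interface GigabitEthernet0/0
 description Link to CE (carries tagged sub-interfaces only)
 no ip address
!
interface GigabitEthernet0/0.10
 description CUSTA
 encapsulation dot1Q 10
 ip vrf forwarding CUSTA
 ip address 10.10.0.1 255.255.255.252
!
interface GigabitEthernet0/0.20
 description CUSTB
 encapsulation dot1Q 20
 ip vrf forwarding CUSTB
 ip address 10.20.0.1 255.255.255.252
!
! ---- CE side: matching VRFs and sub-interfaces (option a on the CE) ----
ip vrf CUSTA
 rd 65000:10
!
ip vrf CUSTB
 rd 65000:20
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CUSTA
 ip address 10.10.0.2 255.255.255.252
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding CUSTB
 ip address 10.20.0.2 255.255.255.252
!
! ---- Isolation check: each VRF table must contain only its own routes ----
! show ip route vrf CUSTA
! show ip route vrf CUSTB
! ping vrf CUSTA 10.10.0.1     (should succeed)
! ping vrf CUSTA 10.20.0.1     (should fail: CUSTB is not reachable from CUSTA)
```

The two `ping vrf` checks at the end are the quickest way to confirm the segregation actually holds after a change; a successful ping from one VRF to another customer's address means a sub-interface was bound to the wrong VRF or a leaked route exists.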
A correct configuration would require send-label also on the CSC-CE/sub-PE devices.
For this reason the session stays in Idle on the CSC PE side due to a capabilities mismatch.
Hope to help
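The point raised in the reply, shown as an added Cisco IOS example that is not part of the original thread: `send-label` configured on both ends of the CSC PE-to-CE eBGP session, so that both peers advertise the IPv4+label capability and the session does not stay Idle. The VRF name ISP2 and the neighbor address 10.240.5.2 come from the post's log message; the AS numbers 65000 and 65002, the CSC PE address 10.240.5.1 and the interface name are constructed for illustration.

```cisco
! ---- CSC PE 1: VRF-facing eBGP session that exchanges labels ----
ip vrf ISP2
 rd 65000:2
 route-target both 65000:2
!
interface GigabitEthernet0/1
 description Link to CSC CE 1
 ip vrf forwarding ISP2
 ip address 10.240.5.1 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf ISP2
  neighbor 10.240.5.2 remote-as 65002
  neighbor 10.240.5.2 activate
  neighbor 10.240.5.2 send-label
 exit-address-family
!
! ---- CSC CE 1: the matching side, also with send-label ----
router bgp 65002
 neighbor 10.240.5.1 remote-as 65000
 address-family ipv4
  neighbor 10.240.5.1 activate
  neighbor 10.240.5.1 send-label
 exit-address-family
!
! ---- Verification ----
! show ip bgp vpnv4 vrf ISP2 neighbors 10.240.5.2 | include label
!   (both "Advertised" and "Received" should list the ipv4 label capability)
! show ip bgp vpnv4 vrf ISP2 summary
!   (state should be Established with a prefix count, not Idle)
```

With `send-label` on only one side, the capability exchange is one-way and the CSC PE keeps the neighbor in Idle, which matches the behaviour described in the post; the `neighbors ... | include label` check shows directly whether both ends advertised it.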