How do you route VRF traffic in data center?

Answered Question
May 28th, 2010

Hi,

In our upcoming deployment, we are going to have 8 different VRFs across the MPLS VPN network.  All these VRFs need to access the data center for resources.  In between the data center dual CEs and the data center switch, there are other 3rd party devices (FW, IPS, WAN Opt, etc.) that do not support VRF-Lite configuration.  That means we can only terminate the VRF configuration on the data center CE WAN interface.

So my question is, how do I send VRF traffic to the server, and how does the server send the traffic back to the different VRFs?

Thanks!

Chetan Kumar Ress Fri, 05/28/2010 - 08:02

Hi Kevin

As per my understanding, you mentioned that you have 8 different VRFs and you want all 8 VRFs to communicate with the data center.

So as per your scenario you can create a new VRF for the data center.

For Data Center VRF.

@ Import all 8 different VRFs & export the data center VRF.

For all 8 different VRFs

@ Import the data center VRF & export the local VRF.

So in the data center VRF you will install all 8 VRFs' routes, & in the location VRFs they will install the data center VRF routes.

Regards

Chetan kumar

kevin.hu Fri, 05/28/2010 - 08:17

Thanks Chetan.  But the problem is, I can't configure VRF on the GigE interface facing the server.

For example, I have a T3 WAN interface on the data center CE router.  We can configure sub-interfaces on this T3 interface and assign a different VRF to each sub-interface.  However, the link from the VRF to the data center switch is broken because the GigE interface connects to a device that does not support VRF, such as a FW.  So, let's say traffic comes from VRF1 on int t3/1.1; it would stop right here and cannot continue to the GigE interface toward the server.  So how do I continue to send this VRF1 traffic toward the server (again, remember I cannot configure VRF on the GigE interface)?

Chetan Kumar Ress Fri, 05/28/2010 - 08:58

Hi Kevin

As per my understanding you are planning for 8 VRFs, and that is managed by the SP.

We can consider that 8 VRFs means 8 different group companies or a logical separation.

Or else please share the correct picture to get a solution, i.e. why 8 VRFs & a common data center.

From the client's point of view you don't need to configure MPLS VRF on the CE router.

MPLS VRF is configured on the PE router, which will be responsible for inter-VRF communication as I shared previously.

Regards

Chetan kumar

kevin.hu Fri, 05/28/2010 - 09:11

Not MPLS VRF but the VRF-Lite feature.  Each branch office has different functional groups.  For example, I want user data, voice and management traffic on different VRFs for security compliance reasons.  So on my branch office router, I configure:

ip vrf voice
 rd 100:1
 route-target both 100:1
!
ip vrf mgt
 rd 100:2
 route-target both 100:2
!
! LAN and WAN sub-interfaces for the voice VRF
int f0/0.1
 ip vrf forwarding voice
int s0/0.1
 ip vrf forwarding voice
!
! LAN and WAN sub-interfaces for the mgt VRF
int f0/0.2
 ip vrf forwarding mgt
int s0/0.2
 ip vrf forwarding mgt

Very simple and easy.

On my data center router, I configure the same:

ip vrf voice
 rd 100:1
 route-target both 100:1
!
ip vrf mgt
 rd 100:2
 route-target both 100:2
!
! one WAN sub-interface per VRF (the original showed s0/0.1 twice)
int s0/0.1
 ip vrf forwarding voice
!
int s0/0.2
 ip vrf forwarding mgt

How do I configure the GigE interface on the data center WAN router?  Remember it connects to a series of devices that are not VRF aware.

Chetan Kumar Ress Fri, 05/28/2010 - 09:52

Hi Kevin

Thanks for sharing the required data.

As your data center device does not support VRF, we can go with the approach known as "Internet access over MPLS VRF".

Here all VRF customers are associated with a static VRF route that communicates with the GLOBAL routing table.

(For more information you can refer the attach document)

Your data center router is configured with the different VRFs, and you can add a static VRF route towards the global routing table.

(Your data center router has all the routes required for server communication.)

For example: ip route vrf (voice, for example) 0.0.0.0 0.0.0.0 (data center gateway) global

Regards

Chetan Kumar

kevin.hu Fri, 05/28/2010 - 09:57

Thanks Chetan.  That would solve traffic going toward the server.  How about traffic coming back from the server?  Do I use source selected VRF feature?

Correct Answer
Chetan Kumar Ress Fri, 05/28/2010 - 10:54

Hi Kevin

I am not sure about the source-selected VRF feature, but you can still try it; if it works then OK, or else you can go with the solution below for traffic coming from the data center to the VRFs.

You need to add two routes.

@ You need to add a static route from the VRF network to the data center network

i.e. ip route vrf (voice VRF) 0.0.0.0 0.0.0.0 (gateway) global

@ You need to add a static route for the VRF network in the global routing table pointing to the interface connected to the VRF.

i.e. ip route (VRF network) (VRF subnet mask) (gateway address that connects all VRFs)

So when traffic comes from the data center it will be pointed towards the interface where all the VRFs are connected, & they will communicate; & when the reverse traffic comes from a VRF it will reach the data center router & use the VRF global route to reach the data center network.

(You can refer to the configuration of PE-2 in the document shared earlier.)

Regards

Chetan Kumar
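Putting the two static routes from this answer together on one box, as an added example that is not part of the thread: a data center CE with the voice and mgt VRFs on T3 sub-interfaces and a global GigE link toward the non-VRF-aware firewall. Addresses, interface numbering, the Frame Relay encapsulation/DLCIs and the branch summary prefixes (10.10.0.0/16 for voice, 10.20.0.0/16 for mgt) are assumptions for illustration.

```cisco
! Added example, not from the thread. Data center CE: VRF-lite on the WAN,
! global routing table on the LAN side toward the firewall.
! Addresses, interface names, DLCIs and prefixes are assumed.
ip cef
!
ip vrf voice
 rd 100:1
 route-target both 100:1
!
ip vrf mgt
 rd 100:2
 route-target both 100:2
!
interface Serial1/0
 no ip address
 encapsulation frame-relay
!
interface Serial1/0.1 point-to-point
 description voice VRF toward branch offices
 ip vrf forwarding voice
 ip address 10.1.0.1 255.255.255.252
 frame-relay interface-dlci 101
!
interface Serial1/0.2 point-to-point
 description mgt VRF toward branch offices
 ip vrf forwarding mgt
 ip address 10.2.0.1 255.255.255.252
 frame-relay interface-dlci 102
!
interface GigabitEthernet0/0
 description global table, toward firewall outside interface (not VRF aware)
 ip address 192.168.100.1 255.255.255.0
!
! VRF -> global: the default route in each VRF has its next hop resolved in
! the global table, so packets for the data center leave toward the firewall.
ip route vrf voice 0.0.0.0 0.0.0.0 192.168.100.2 global
ip route vrf mgt   0.0.0.0 0.0.0.0 192.168.100.2 global
!
! global -> VRF: replies from the server side are matched on destination
! prefix only. Naming the outgoing sub-interface (which belongs to the VRF)
! is what makes the next hop resolve inside that VRF instead of globally.
ip route 10.10.0.0 255.255.0.0 Serial1/0.1 10.1.0.2
ip route 10.20.0.0 255.255.0.0 Serial1/0.2 10.2.0.2
```

Check it with `show ip route vrf voice` (the 0.0.0.0/0 static should show the global next hop), `show ip route 10.10.0.0` in the global table (next hop out Serial1/0.1), and `ping vrf voice <server>` from the CE. The firewall and the data center side must also have routes for 10.10.0.0/16 and 10.20.0.0/16 pointing back at 192.168.100.1; without them the forward path works and replies are dropped. Two caveats for the 8-VRF case: the return path is chosen by destination prefix alone, so the address spaces of all VRFs must not overlap, and every VRF arrives at the firewall on the same interface, so the firewall can only separate voice from mgt by address, not by interface.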

Giuseppe Larosa Fri, 05/28/2010 - 11:45

Hello Kevin,

in addition to route leakage, you could use route-targets to create inter-VRF communication.

VRF datacenter:

imports all the route-targets of the single VRFs

exports its own route-target (it will be used on its locally generated routes only)

VRF service1:

exports its own route-target, imports its own route-target, imports the datacenter route-target

other services can do the same.

This is called an extranet.

Import and export maps invoking route-maps can be used to import and export only a subset of routes.

>> How do I configure the GigE interface on the data center WAN router?  Remember it connects to a series of devices that are not VRF aware.

this is not a problem, as every CE router, connected PC or other device connected to a VRF access link doesn't know it is in a VRF.

Another possible approach in VRF-lite towards the firewall is to use a VLAN subinterface for each service VRF; a VLAN subinterface is also defined on the firewall.

The firewall can use multiple contexts, one for each VRF, or it can apply the same security level to all these interfaces, and by default the interfaces will be isolated (without adding communication between same-security-level interfaces on the firewall, I mean).

Hope to help

Giuseppe
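The extranet described in this reply, as an added example that is not part of the thread: the server-facing GigE is placed in its own VRF "datacenter", and route-targets decide what each VRF learns, so voice and mgt reach the servers but never each other. Route-target import/export is only acted on by BGP, so a local BGP process is configured even though it has no neighbors. The AS number, addresses, interface names and prefixes are assumptions.

```cisco
! Added example, not from the thread. Extranet-style inter-VRF reachability on
! the data center CE. AS number, addresses, interfaces and prefixes assumed.
ip cef
!
ip vrf voice
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 100:99      ! learn data center prefixes only
!
ip vrf mgt
 rd 100:2
 route-target export 100:2
 route-target import 100:2
 route-target import 100:99      ! learn data center prefixes only
!
ip vrf datacenter
 rd 100:99
 route-target export 100:99
 route-target import 100:99
 route-target import 100:1       ! learn voice branch prefixes
 route-target import 100:2       ! learn mgt branch prefixes
!
interface Serial1/0.1 point-to-point
 ip vrf forwarding voice
 ip address 10.1.0.1 255.255.255.252
!
interface Serial1/0.2 point-to-point
 ip vrf forwarding mgt
 ip address 10.2.0.1 255.255.255.252
!
interface GigabitEthernet0/0
 description toward firewall; the firewall need not know it sits in a VRF
 ip vrf forwarding datacenter
 ip address 192.168.100.1 255.255.255.0
!
! Server subnet behind the firewall, branch subnets over the WAN links
! (static here; a per-VRF IGP redistributed into BGP would work the same way).
ip route vrf datacenter 10.100.0.0 255.255.0.0 192.168.100.2
ip route vrf voice      10.10.0.0  255.255.0.0 10.1.0.2
ip route vrf mgt        10.20.0.0  255.255.0.0 10.2.0.2
!
! BGP with no neighbors: it exists only to apply the route-targets locally.
router bgp 65000
 bgp log-neighbor-changes
 address-family ipv4 vrf datacenter
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf voice
  redistribute connected
  redistribute static
 exit-address-family
 address-family ipv4 vrf mgt
  redistribute connected
  redistribute static
 exit-address-family
```

Verify with `show ip bgp vpnv4 vrf voice` and `show ip route vrf voice`: the voice table should contain 10.100.0.0/16 and 192.168.100.0/24 (imported from datacenter) but not 10.20.0.0/16, while `show ip route vrf datacenter` should carry both branch prefixes for the return path. Compared with leaking into the global table, this keeps the CE's own global routing context out of the data path and isolates the VRFs from one another on the CE itself. If the firewall does support 802.1Q sub-interfaces, the per-VRF VLAN approach from the reply avoids the shared VRF entirely: one `GigabitEthernet0/0.<n>` sub-interface per VRF with `encapsulation dot1Q <vlan>` and `ip vrf forwarding <vrf>`, each with its own default route toward the firewall's matching sub-interface.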
