Thanks Chetan.  But the problem is, I can't configure VRF on the GigE interface facing the server.

For example, I have a T3 WAN interface on the data center CE router.  We can configure sub-interfaces on this T3 interface and assign different VRF to each sub-interface.  However, the link to the VRF to the data center switch is broken because the GigE interface connects to a device that does not support VRF, such as a FW.  So, let's say traffic coming from VRF1 on int t3/1.1 and it would stop right here and cannot be continued to the GigE interface toward the server.  So how do I cotinute to send this VRF1 traffic toward the server (again, remember I cannot configure VRF on the GigE interface)?

Hi Kevin

As per my understanding you are planning for 8 VRF and that is manage by SP.

We can consider that 8 VRF means 8 different group company or logical separation.

Or else please share the correct picture to get solution that why 8 VRF & Comman Data Center .

From client point of view you don't need to configure MPLS VRF on CE router.

MPLS VRF is configured on PE router , He will be responsible for inter-VRF communication as i hared previously.

Regards

Chetan kumar

Not MPLS VRF but VRF-Lite feature.  Each branch office has different functional groups.  For example, I want user data, voice and management traffic on different VRF for security compliance reason.  So on my branch office router, I configure:

ip vrf voice

rd 100:1

route-target both

ip vrf mgt

rd 100:2

route-target both

int f0/0.1 and s0/0.1

ip vrf forwarding voice

int f0/0.2 and s0/0.2

ip vrf forwarding mgt

Very simple and easy.

On my data center router, I configure the same:

ip vrf voice

rd 100:1

route-target both

ip vrf mgt

rd 100:2

route-target both

int s0/0.1

ip vrf forwarding voice

int s0/0.1

ip vrf forwarding mgt

How do I configure the GigE interface on the data center WAN router?  Remember it connects to a series of devices that are not VRF aware.

Hi Kevin

Thanks for sharing the required data.

As your datacenter device not support VRF, So we can go with the terminology “Internet access over MPLS VRF”.

Here all VRF customer are associated with static VRF route that communicate with GLOBAL routing table.

(For more information you can refer the attach document)

Your Data center router is configured with different VRF and you can add static VRF route towards global routing table.

(Your Data center router is having all route required for server communication.)

For Example : ip route vrf  (voice-Example)  0.0.0.0  0.0.0.0 (data center gatway) global

Regards

Chetan Kumar

Thanks Chetan.  That would solve traffic going toward the server.  How about traffic coming back from the server?  Do I use source selected VRF feature?

wow that's easy.  Just two static routes.  Thanks.

Hello Kevin,

in addition to route leakage you could use route-targets to create inter-VRF communication

VRF datacenter:

imports all route-targets of single VRFs

export its own route-target (it will be used on its locally generated routes only)

VRF service1

export its own route-target, imports its own route target, imports datacenter route-target

other services can do the same.

This is called an extranet

import  and export maps invoking route-maps can be used to import and export only a subset of routes

>> How do I configure the GigE interface on the data center WAN router?  Remember it connects to a series of devices that are not VRF aware.

this is not a problem as every CE router or connected PC or other device connected to a VRF access link doesn't know to be in a VRF

Another possible approach in VRF lite towards firewall is to use a Vlan subinterface for each service VRF, a vlan subinterface is defined also on the firewall.

The firewall can use multiple contexts one for each VRF or it can apply the same security level to all these interfaces and by default the interfaces will be isolated. (without adding communication between same security level interfaces on the Firewall I mean)

Hope to help

Giuseppe