Need help on MPLS VRF routing

Dec 11th, 2011
Hello All,


I have two 3845 routers having 6M WAN links towards the MPLS cloud. Both these routers are running EBGP with the service provider.  We have taken 2 VRFs for our Internal DMZ 1 & DMZ 2 traffic. And all other corporate applications run on the Corp VRF.


As per the diagram, the DMZ 1 and DMZ 2 VRF subnets are routed between the routers and the FW through the MPLS switches. The MPLS switches are being used in this environment for deploying multiple VRFs.


1) From the router, there are static routes pointing to the DMZ subnets through the FWs on DMZ 1 and DMZ 2 VRFs. There is a sub-interface created on the routers for VLAN 10 and vlan 20 for routing to happen. These DMZ 1 and DMZ 2 VRFs go into the MPLS cloud and to other branches.


2) There is EIGRP between the core switches and the routers for advertising the corporate block (let's say 1.0.0.0/24 in this scenario).


Now, the problem is on the Tools/Server zone, there are certain servers which are given IPs from the global corporate block of my company (for ex 1.0.0.0/16). These servers need to access the corporate applications which are on 1.x.x.x subnet.


But all the routes from the routers inward to the DMZ and Tools subnets are via the DMZ 1 and DMZ 2 VRFs. This means these routes will stay in that VRF all the way up to the MPLS cloud.


I need these Tools subnets to get into the Corp VRF on my routers. How do I advertise them?


I hope the setup makes sense to you guys. Please ask me for clarifications if any.


Appreciate your quick help.



Thanks Mikey

Vaibhava Varma Sun, 12/11/2011 - 01:41

Hi Mikey


As I read this setup, there is VRF-Lite happening on the 3845 routers. The links to the ISP are MPLS VPN links, whereby we have 3 VPNs configured at the ISP side also. Is that correct?

We would require controlled route leaking on the 3845 routers between the DMZ1 & DMZ2 VRFs and the Corp VRF for the required source and destination subnets. This will involve identifying the Tools/Servers subnets assigned from the global corporate block and all remaining corporate subnets which need access to the Tools/Servers. I think this will lead to a lot of leaked corporate subnets in the DMZ VRFs; hope this will be fine in the current setup.

Are the VRFs configured on the routers with RD/RT defined and MP-BGP configuration present? Inter-VRF routing will require them as a prerequisite.

As an alternative (if it's feasible in your setup), we can try to create another routing subnet between the FW and the routers, make it part of the Corp VRF on the routers, and then easily create reverse static routes for the Tools/Servers under that VRF, and it can talk to the other corporate blocks without any need for route leaking.

Hope this helps to provide some insight into your query.


Regards

Varma

Mikey John Sun, 12/11/2011 - 04:24
HI Varma,


Appreciate your inputs on this.


Yes we have 3 VPNs configured on the ISP end. In regards to the first option, as you have mentioned there will be a lot of route leakage happening between the Corp and DMZ VRFs. I don't want this to happen, as this would be way out of standard for our setups across branches, and also it would be a nightmare to troubleshoot for the Operations team.


The second option seems pretty much feasible to me. So, in this case, I just have to create a new VLAN on the router and float it across to the DMZ zone, right?


For DMZ routing, we define the static routes in the following way


ip route static vrf DMZ1


We have RD/RT defined only for the DMZ 1 and DMZ 2 VRFs. Corp VRF is just defined under the address family under BGP.


How will the static route to the tools (corporate block) be from the Routers in this case?


Will it be "ip route static ". Will this work?



Thanks

Mikey

Vaibhava Varma Sun, 12/11/2011 - 04:50

Hi Mikey


Yes, in the 2nd option we need to create one new VLAN (say 100) and extend it to the DMZ zone.

The new VLAN 100 should be configured under the Corp VRF, the same as for the existing Corp switch connectivity (assuming that currently the Corp switches connect to the routers under the Corp VRF). We need to put a VRF-specific static route pointing back to the Tools (corporate block) with the new VLAN 100 as the exit point towards the DMZ.

e.g.

ip route static vrf Corp

The above static route will be under the Corp VRF, and now we can redistribute this into EIGRP towards the core switches and into the eBGP towards the ISPs.

Note: If the current connectivity from the core switches to the 3845 routers is not under a VRF, then the static routes will be non-VRF-specific.


Hope this helps to answer your query.


Regards

Varma

Mikey John Sun, 12/11/2011 - 05:06
HI Varma,


Currently, the connectivity between the routers and the core switches is through EIGRP, and these Corp subnets get advertised outside through the Corp VRF.


Look at the config below.


router bgp xxx
 bgp log-neighbor-changes
 neighbor
 !
 address-family ipv4      -----> There is no VRF name or RD/RT values defined for the Corp network.
  neighbor activate
  no auto-summary
  no synchronization
  network 1.x.x.x        (corporate block)
 exit-address-family
 !
 address-family ipv4 vrf DMZ 1
  redistribute static
  neighbor remote-as xxx
  neighbor activate
  no synchronization
  network
 exit-address-family
 !
 address-family ipv4 vrf DMZ 2
  redistribute static
  neighbor remote-as xxx
  neighbor activate
  no synchronization
  network
 exit-address-family



As you can see, there is no VRF name defined (no RD/RT values either) for advertising the Corp network in MPLS (only the address family). Can we just put a normal static route towards the Tools subnet via the FW then? Will it work?

ip route static  < next hop of Firewall VLAN 100 IP> ?



Cheers

Mikey

Vaibhava Varma Sun, 12/11/2011 - 05:15

Hi Mikey


I thought there was a Corp VRF configured on the 3845 routers, but as it seems that the Corp connectivity on the 3845 routers is non-VRF, a normal static route would work.

ip route static  < next hop of Firewall VLAN 100 IP>


Make sure the forward routing path from Tools(Corporate Block) to other Corporate Blocks is in place on the Firewall via the New Vlan 100.


Hope this helps to answer your query.


Regards

Varma
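The "VLAN 100" design that Varma and Mikey settled on above, written out as a complete 3845 configuration. This is an added example, not configuration from either poster: the interface names, the 1.0.50.0/24 Tools subnet, the 192.168.100.0/30 transit subnet, the EIGRP AS 100 and the BGP AS 65001 are all assumed values chosen for illustration.

```ios
! Added example (not from the thread). Assumed values: the 3845's LAN trunk is
! GigabitEthernet0/1, the Tools/Server subnet is 1.0.50.0/24 out of the
! 1.0.0.0/16 corporate block, the new VLAN 100 routing subnet is
! 192.168.100.0/30 with the firewall at .2, the core-switch EIGRP AS is 100 and
! the router's BGP AS is 65001.
!
! New routed sub-interface for VLAN 100. There is deliberately no
! "ip vrf forwarding" here: the thread established that Corp lives in the
! global routing table on these routers, so VLAN 100 must be global as well.
interface GigabitEthernet0/1.100
 description Corp <-> FW VLAN 100 (global table, NOT in the DMZ1/DMZ2 VRF)
 encapsulation dot1Q 100
 ip address 192.168.100.1 255.255.255.252
!
! Reverse static route for the Tools subnet in the global table, next hop the
! firewall's VLAN 100 address. Route only the specific /24: the rest of
! 1.0.0.0/16 must keep following EIGRP toward the core switches.
ip route 1.0.50.0 255.255.255.0 192.168.100.2 name TOOLS-via-FW-VLAN100
!
! Redistribute only that one static into EIGRP toward the core. The
! prefix-list stops any other static (e.g. a future default) from leaking.
ip prefix-list TOOLS-SUBNET seq 5 permit 1.0.50.0/24
!
route-map STATIC-TO-EIGRP permit 10
 match ip address prefix-list TOOLS-SUBNET
!
router eigrp 100
 redistribute static route-map STATIC-TO-EIGRP metric 6000 100 255 1 1500
!
! Toward the MPLS provider the corporate block is already announced by the
! existing "network 1.x.x.x" statement in the global IPv4 address family, so
! the /24 is covered by that aggregate. Announce the more specific route only
! if the remote branches need it.
router bgp 65001
 address-family ipv4
  network 1.0.50.0 mask 255.255.255.0
 exit-address-family
!
! For reference: had Corp really been a VRF on the routers (Varma's first
! assumption), the same two pieces would be VRF-scoped instead:
!   interface GigabitEthernet0/1.100
!    ip vrf forwarding Corp
!    ip address 192.168.100.1 255.255.255.252
!   ip route vrf Corp 1.0.50.0 255.255.255.0 192.168.100.2
!   (and "redistribute static" under address-family ipv4 vrf Corp)
```

Checks worth doing after applying it: "show ip route 1.0.50.0" should show the static via 192.168.100.2, "show ip eigrp topology 1.0.50.0/24" should show it as an external (D EX) route on the core switches, and "show ip bgp 1.0.50.0/24" confirms the network statement matched the RIB entry. The firewall needs the mirror image, a route for 1.0.0.0/16 via 192.168.100.1 on its VLAN 100 leg, plus a policy permitting the Tools zone to the corporate block; without the firewall route the traffic from Corp to Tools arrives but the replies never leave the firewall. Because VLAN 100 is a separate interface in the global table, the DMZ1/DMZ2 VRF isolation is untouched; the Tools subnet simply becomes reachable through a second, firewall-controlled path.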

Mikey John Sun, 12/11/2011 - 07:47
That explains it all. Many thanks for your help.


Just curious, if we wanted to leak the routes from the DMZ VRF onto the Corp, how do we go about doing it?



Cheers

Mikey

Vaibhava Varma Sun, 12/11/2011 - 08:05

HI Mikey


If we want to do route leaking from the DMZ VRF to the Corp global routing table subnets, it will be a case similar to providing Internet access to an MPLS VPN customer using route leaking, as described in the good Cisco doc below:

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_configuration_example09186a00801445fb.shtml

Basically, what we do here is create static routes under the VRF context with the keyword "global" after the next hop, which is present in the global routing table.

Then we create the routes for the VRF-specific subnets in the global routing table pointing to the VRF interface.


Hope this helps to answer your query..


Regards

Varma
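The route-leaking alternative Varma outlines above (VRF static with the "global" keyword in one direction, a global static pointing at the VRF interface in the other), written out as a complete 3845 configuration. This is an added example, not configuration from the thread or from the linked Cisco document: the VRF name DMZ1, the interface names, the 10.1.10.0/24 and 10.1.50.0/24 subnets, the core next hop 10.0.0.2, the EIGRP AS 100 and the BGP AS 65001 are assumed values for illustration.

```ios
! Added example (not from the thread or the linked Cisco doc). Assumed values:
! VRF DMZ1 on sub-interface GigabitEthernet0/1.10 with the firewall's DMZ1 leg
! at 10.1.10.2, the Tools subnet 10.1.50.0/24 behind that firewall leg, the
! corporate block 1.0.0.0/16 in the global table via core switch 10.0.0.2,
! EIGRP AS 100 toward the core and a local BGP AS of 65001.
!
ip vrf DMZ1
 rd 65001:10
 route-target export 65001:10
 route-target import 65001:10
!
interface GigabitEthernet0/1.10
 description DMZ1 leg of the firewall (VRF DMZ1)
 encapsulation dot1Q 10
 ip vrf forwarding DMZ1
 ip address 10.1.10.1 255.255.255.0
!
! VRF -> global: hosts in DMZ1 (the Tools subnet) reach the corporate block.
! The trailing "global" keyword makes IOS resolve the next hop 10.0.0.2 in the
! global routing table instead of inside VRF DMZ1.
ip route vrf DMZ1 1.0.0.0 255.255.0.0 10.0.0.2 global
!
! global -> VRF: the corporate side reaches the Tools subnet through the VRF
! interface. Giving both the outgoing interface and the next hop lets CEF
! build the adjacency inside the VRF although the route lives in the global
! table. Leak only the one subnet that needs it, never the whole DMZ range.
ip route 10.1.50.0 255.255.255.0 GigabitEthernet0/1.10 10.1.10.2
!
! Advertise the leaked Tools subnet to the core (and, if the remote branches
! need it, to the MPLS side). The prefix-list keeps every other static out.
ip prefix-list LEAK-TO-CORP seq 5 permit 10.1.50.0/24
!
route-map LEAK-TO-CORP permit 10
 match ip address prefix-list LEAK-TO-CORP
!
router eigrp 100
 redistribute static route-map LEAK-TO-CORP metric 6000 100 255 1 1500
!
! The existing "redistribute static" under the DMZ1 address family would also
! pick up the leaked 1.0.0.0/16 static and announce the corporate block into
! VPN DMZ1 toward every branch. Filter it unless that is intended.
ip prefix-list CORP-BLOCK seq 5 permit 1.0.0.0/16 le 32
!
route-map NO-CORP-INTO-DMZ1 deny 10
 match ip address prefix-list CORP-BLOCK
route-map NO-CORP-INTO-DMZ1 permit 20
!
router bgp 65001
 address-family ipv4
  network 10.1.50.0 mask 255.255.255.0
 exit-address-family
 address-family ipv4 vrf DMZ1
  redistribute static route-map NO-CORP-INTO-DMZ1
 exit-address-family
```

Verification: "show ip route vrf DMZ1 1.0.0.0" should list the static with the next hop marked as global, "show ip cef vrf DMZ1 1.0.0.0" should resolve it to the core-facing interface, and "show ip cef 10.1.50.0 detail" in the global table should show GigabitEthernet0/1.10 with 10.1.10.2 as the adjacency; "ping vrf DMZ1 1.0.0.10 source 10.1.10.1" then exercises the leak in both directions. Two caveats a practitioner should keep in mind: these statics leak in the forwarding plane only, so anything that must be learned dynamically on the far side still has to be redistributed and filtered as shown, and every subnet added to the global-to-VRF static becomes reachable from the entire corporate block, which is exactly the troubleshooting and standards concern Mikey raised about this approach.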
