I have a Cisco 1721 with MP-BGP support. You can create VRFs with it and every other MPLS VPN feature, but the commands for MPLS switching, like Router(config-if)# mpls ip, are not supported. I read in some forums that you can create an MPLS VPN without enabling MPLS at all, just with MP-BGP, but I couldn't do it myself. Can someone tell me how to make it work, or what I can do with a Cisco 1721 that supports MP-BGP?
Thanks in advance.
MPLS VPN requires MPLS support at least on the PE router. Without MPLS, you can always use the VRF feature to create multiple RIBs on the router (VRF lite).
Hope this helps,
Probably you can connect the 1750 router to an MPLS-enabled router on a back-to-back x-connect, and still route VRF traffic through that. But your MP-BGP should start from the MPLS-enabled router only.
I've run into the same issue. VRF-"lite" is really MPLS-99%, i.e. all features work, MP-BGP peer sessions, routes in VRFs etc., just no tag-switching on the interfaces.
One of the suggestions the TAC offered was to use some form of encapsulation (frame-relay or Dot1Q) to explode the VRFs apart from the PE to CE, then put them back into VRFs on the 17xx (CE).
thanks very much,
Can I use dot1q encapsulation on Ethernet interfaces by creating sub-interfaces between those routers (PE and CE)?
What were the other suggestions by TAC?
Yes, you can do that. I have done it myself and it works. The only drawback is that it does not support QoS in the PE-CE VLAN sub-interfaces.
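The dot1Q sub-interface approach discussed above, as an added configuration sketch that is not from any poster in the thread. VRF names, RD values, VLAN IDs, the interface name and the addresses (documentation range) are constructed placeholders.

```text
! --- CE side (router without MPLS switching, e.g. the 17xx in this thread) ---
! Constructed placeholders: VRF names, RDs, VLAN IDs, interface, addresses.
ip vrf CUST_A
 rd 65000:10
!
ip vrf CUST_B
 rd 65000:20
!
interface FastEthernet0
 description Trunk to PE, no addressing on the physical interface
 no ip address
!
interface FastEthernet0.10
 description PE-CE link for CUST_A
 encapsulation dot1Q 10
 ! Apply the VRF before the address: ip vrf forwarding removes any
 ! IP address already configured on the interface.
 ip vrf forwarding CUST_A
 ip address 192.0.2.2 255.255.255.252
!
interface FastEthernet0.20
 description PE-CE link for CUST_B
 encapsulation dot1Q 20
 ip vrf forwarding CUST_B
 ip address 192.0.2.6 255.255.255.252
!
! Per-VRF default route toward the PE end of each sub-interface.
ip route vrf CUST_A 0.0.0.0 0.0.0.0 192.0.2.1
ip route vrf CUST_B 0.0.0.0 0.0.0.0 192.0.2.5
!
! --- PE side mirrors this: same VLAN IDs, the .1 and .5 addresses, ---
! --- each sub-interface placed in the PE's own VRF for that customer. ---
!
! Checks after applying:
!  show ip vrf interfaces       (each sub-interface listed under one VRF)
!  show ip route vrf CUST_A     (only CUST_A prefixes and its default)
!  ping vrf CUST_A 192.0.2.1
```

Each VLAN ID maps to exactly one VRF on both ends, so the separation between customers on the PE-CE link rests on the two sides agreeing on that mapping.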
You can enable VRF-Lite without MP-BGP or MPLS transport. It's not mandatory. I made a design for a customer that uses multi-VRF via IPsec on 1711 and 1712 routers (GRE/IPsec with dynamic routing per VPN). This emulates multiple routers and multiple serial lines via the Internet. Those kinds of designs are possible. Multi-VRF allows you to have per-VPN default routing. In my design I use a per-VPN OSPF process, but MP-BGP is another possibility to transport per-VPN routes.
Here is an example. Take care about overhead for packets like VoIP. The overhead is 88 bytes.
The packet looks something like this:
IpHeader-pub@ - NAT-T UDP 4500 - ESP - IpHeader-priv@ (vrf discriminator) - GRE - Original IP Header - Data - ESP Trailer.
In this case you need tunnel mode because you use the private @ in order to determine the VRF (vrf discriminator).
This is a LAB config; all the other security parameters you need on a router are not configured. If you add an access-list on the external interface of REMOTE, you have to understand every encapsulation step in order to tune it well.
The PPT drawing shows the physical and logical views.
PS, take care about fragmentation issues. The problem is still not well managed by the routers; I could not make tunnel path-MTU discovery work with VRFs. The workaround is to fragment packets. It's not good for performance, but actually there is no other solution concerning that.
PS to my last update...
You really need to use (C1700-ADVSECURITYK9-M), Version 12.3(7)T on the router.
During my first tests this was only working on the 2600, because a bug was present. I identified the bug and development made the fix recently.