Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

grey vpn depoyments


I have a question to management in an MPLS/VPN network. Up to now I always

used the "grey" VPN: Created a management VPN, exported the IPs I want to

manage from my VPNs into the grey VPN and information from the grey VPN

back into the VPNs. So far, so good.

But now someone told me that this is not the right way to do it, because

you cannot import routes from a vrf on the same device. So as long as you

have two, you are fine. If one fails, you loose access to/from your management


I tried to find something about this problem, but unfortunately I was not

able to find some documentation on this. The guy telling me about it could

not explain it any further than this.

Does anyone have an explanation or a link to a document to this? Does that mean

that grey VPNs are not working?

So what is the way to do management vpns?




Re: grey vpn depoyments


As far as i know there are 2 VPN CE management techniques: Grey and Rainbow:

Grey - were all the CE routers are managed through a single link of the NMS VPN to the network core.

Rainbow - were each CE will have its own dedicated link to the NMS VPN --> Used for Overlay VPNs (ex: Frame-Relay).

We are using Grey VPN management, and we are not facing any kind of problems.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

New Member

Re: grey vpn depoyments

Hi Mohammed:

Would you mind elaborating on Grey and Rainbow?

Have not heard these terms before :-(

Thank you.



Re: grey vpn depoyments


You need to ask the guy what he means by:

you cannot import routes from a vrf on the same device.

Yor import both mgmt and customer routes one the PE router. Best practice is to import the /30 link-nett into mgmt vrf. However if routing for mgmt addresses is gone you can telnet from the PE router.



New Member

Re: grey vpn depoyments

Thanks for getting back to me on this.

What he was referring was the fact, that on the management PE you import routes from every customer VPN. And this is supposedly not working on the same device.

I labbed it up and it seems to be working alright. He said as long as you have two mPEs, it workes, but when one dies, the other stops working as well.

He could not elaborate any further, that's why I ask here.



CreatePlease to create content