We currently use a BT MPLS network and use BGP on our CE router to peer with the provider's PE routers. Currently we only use one VPN for production across the MPLS network.
We are now looking to give access from some of our MPLS sites to a test environment housed in our data centre. We need to do this on a PC by PC basis.
At the moment the plan is to add a Test VPN within the MPLS network. All sites will be a member of the Production VPN and those sites that also need access to the test environment will be a member of the Test VPN.
This will segregate the traffic over the WAN, but the issue I now have is how to segregate the traffic once it leaves the PE router. The link between the CE and PE router is just a layer 3 link, so the VPN separation has disappeared by then. I don't mind the traffic not being separated in terms of VPNs on the CE to PE link, but I need to segregate the traffic once it leaves the CE router and enters our LAN.
So finally the questions:
1) Is there a way to keep the separation at a VPN level on the CE -> PE link? As I say, I don't mind not having it, but if there is a way I would be interested.
2) More importantly, I have done some limited reading on VRF-lite and was wondering, before I go further, if that would allow me to segregate the traffic internally within the LAN. Our LANs in major buildings usually consist of 4500 at the access layer and 6500 as distribution/core. What I would ideally like to do is ensure that only users within the site who need to access the test environment can, i.e. adding a site to the TEST VPN does not mean that all users within the site should be able to get to it.
i) Use PBR together with access-lists and potentially firewalls
ii) Use VRF-lite to segregate the traffic.
So is this a good application for VRF-lite, or have I missed the point of it? If not, can anyone suggest a better way?
What is your current link between CE-PE? Is it a Gig or Fa or serial leased line?
If I understand your requirement correctly, and assuming it's a Gig or Fa between CE-PE, then I think you should be able to make sub-interfaces on CE/PE by associating them with a dot1q tag on the CE as well as the PE side. So there would be 2 sub-interfaces: one sub-interface would be for your connection to the Production VPN and you would be routing traffic over this sub-interface only for the production sites. Then the other sub-interface would be terminating on the PE side on the Test VPN and the CE would be routing only subnets belonging to the Test VPN.
If the PE-CE is a leased line, then you should be able to change the encapsulation to frame-relay and use the DLCI to make multiple sub-interfaces and use them as above.
Thanks to both of you for your replies. If I could just query your expertise a little more.
Attached is a Visio of a site that I would like to be able to access both the Test and Production VPNs. The key thing to note is that we are routing from the access layer down to the distribution 6500 switches.
Now on the 4500 I can have 2 separate VRFs, one for the Prod VPN and one for the Test VPN. I can then assign different VLAN interfaces into the relevant VRF.
Am I right in my assumptions so far?
The problem I am having in taking this further is that a L3 interface can only be in one VRF and, as the connections from the 4500 to the 6500 are L3 uplinks, I can't allocate the L3 link into 2 separate VRFs (nor would it make sense to do so).
I am not in a position to change the L3 links to L2 links, which would solve part of the problem as the VLAN interfaces would then be on the 6500 and I could allocate these interfaces into separate VRFs.
So is there any way, bearing in mind that I need to keep L3 links from the access layer, that I can segregate the routing tables on the 6500 and 7200 router?
If I can't do this then I don't see the advantage of trying to use VRF-lite, because the 6500/7200 and 3800 will all have one routing table with both Test and Prod routes in it, and this means that without route filtering these routes will get propagated by the 3800 to our remote sites.
If I have to revert to route filtering I may as well not bother with VRF-lite?
I believe you're correct that a L3 interface can only be in one VRF, but the trick is that a physical interface is configured as a L2 trunk that carries multiple virtual L3 interfaces. Using tagging, each L3 interface is a subinterface on your Ethernet uplink interfaces.
It's not clear why you would be unable to change your L3 uplinks to L2 uplinks that carry multiple L3 logical links.
As to it not making sense, it does: the purpose is to create a virtual routing environment, so just as you would carry multiple L2 VLANs across a trunk, you now carry multiple L3 routing domains across a trunk.
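The trunk-with-tagged-L3-interfaces approach described in this reply, and the per-VPN sub-interface idea from the earlier reply, put into an IOS configuration for the 4500 access switch side of the uplink. This is an added example, not configuration from the thread or from any poster; VRF names, VLAN IDs, interface names and addresses are constructed placeholders. It assumes the 4500 and 6500 run IOS with VRF-lite support and that the 6500 carries the mirror-image configuration (same two uplink VLANs, each SVI in the matching VRF, with the .1 address of each /30).

```ios
! --- 4500 access switch (example, constructed values) ---
! Two routing domains. With no route leaking configured between them,
! a host in PROD has no route to TEST and vice versa.
ip vrf PROD
 rd 65000:1
ip vrf TEST
 rd 65000:2
!
! User VLANs: only hosts in VLAN 20 are placed in the TEST domain,
! so membership in the Test VPN is decided per VLAN, not per site.
interface Vlan10
 description Production users
 ip vrf forwarding PROD
 ip address 10.10.10.1 255.255.255.0
!
interface Vlan20
 description Users permitted to reach the test environment
 ip vrf forwarding TEST
 ip address 10.10.20.1 255.255.255.0
!
! Uplink to the 6500: one physical link, now a dot1q trunk that carries
! one tagged VLAN per VRF instead of a single routed L3 port.
interface GigabitEthernet1/1
 description Uplink to 6500 (one tagged VLAN per routing domain)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 901,902
 switchport mode trunk
!
! One L3 interface per routing domain over that trunk, each in its own VRF.
interface Vlan901
 description PROD routing domain to 6500
 ip vrf forwarding PROD
 ip address 10.255.1.2 255.255.255.252
!
interface Vlan902
 description TEST routing domain to 6500
 ip vrf forwarding TEST
 ip address 10.255.2.2 255.255.255.252
!
! Routing is per VRF, so TEST routes never appear in the PROD table and
! nothing has to be filtered on the 3800 to keep them off remote sites.
ip route vrf PROD 0.0.0.0 0.0.0.0 10.255.1.1
ip route vrf TEST 0.0.0.0 0.0.0.0 10.255.2.1
```

To confirm the separation, `show ip route vrf TEST` and `show ip route vrf PROD` should each show only that domain's prefixes, and a ping from a VLAN 10 host to the test environment should fail because no route exists in PROD.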
Thanks for taking the time to explain. It is possible, as you say, to make the L3 links into L2 trunks that carry multiple L3 subinterfaces; it's just that, with the QoS/VoIP configuration already on there, I was reluctant to change!
Think I'll give this a go in the lab. Once again, many thanks.