Several of our customers have MPLS VPNs deployed over our infrastructure. Some of them require access to the Internet (global routing table in our case).
As I'm not aware of any method to dynamically import/export routes between VRF and global routing tables, at the moment there are static routes configured - one inside the VRF pointing to a global next hop, another one in the global routing table pointing to an interface inside the VRF.
The task is to configure redundant access to the Internet. By redundancy I mean using several exit points (primary and backup), which are physically separate boxes.
Here comes the tricky part - both global static routes (one on each box, that is) are valid and reachable in all cases, no matter if the specific prefix is reachable in the VRF or not. What I'd like to achieve is that a specific static route becomes valid only if the specific prefix is reachable inside the VRF. Yea, sounds like dynamic routing :), I know
OK, hope you got the idea. Any solutions/recommendations? Running all Internet routing inside a VRF isn't an option, at least for now :(
Would it be feasible to separate Internet access and VRF access by using e.g. two Frame Relay PVCs (or VLANs etc.) on the PE-CE access line? The PE would get two sub-interfaces; one of them is placed in the VRF, the other in the global routing table. This would allow for all Internet access options customers could ask for - from static default to full BGP Internet table. You can use any available routing protocol on the "VRF-PVC" and BGP on the "internet-PVC".
Hello, me again,
had a second thought:
Why not set up a BGP session between CE and (global) PE utilizing packet leaking?
Instead of static routing towards the announced customer prefix you only announce BGP neighbor host routes and BGP will exchange the customer prefixes. It will require eBGP multi-hop but should do the trick.
Question was not about PE-CE communications, everything is fine there.
To be more specific - I don't see any bonuses in having two routing tables on the CE box, meaning global and VRF. All customer traffic is inside one VRF or all in the global table (all respective interfaces on the PE are in the VRF in that case).
The question is about PE configuration - how to configure redundant/resilient VRF/global communications on PE boxes?
One option (seems attractive) is to import global prefixes from all customers requiring Internet connectivity into one specific VPN (mini-internet :) ), and then run some IGP between an interface inside that VPN and a global interface on another box (dot1q subinterfaces in all cases). Any pros/cons?
I did not mean to have a VRF on the CE. The CE would have both PVCs in the global routing table - his ONLY routing table in fact. One PVC would be used to announce routes into the customer specific VPN (VRF configured on the PE). The other PVC would allow for internet access through the PE (global IP routing table on the PE).
dot1q will be ok as well.
This way the CE can be a normal BGP peer to the PE, i.e. there is no MPLS VPN involved here. This allows all options of customer-ISP connectivity.
! PE router
interface Serial0/0.1 point-to-point
 description customer VPN access
 ! place the sub-interface in the VRF before assigning the address
 ip vrf forwarding customer
 ip address 10.1.1.1 255.255.255.252
!
interface Serial0/0.2 point-to-point
 description customer Internet access
 ip address 192.168.1.1 255.255.255.252
!
! PE-CE routing inside the VRF (RIP, as referred to below)
router rip
 address-family ipv4 vrf customer
  redistribute bgp 65000 metric 5
!
router bgp 65000
 neighbor 192.168.1.2 remote-as 65001
 address-family ipv4 vrf customer
!
! CE router
interface Serial0.1 point-to-point
 description VPN access
 ip address 10.1.1.2 255.255.255.252
!
interface Serial0.2 point-to-point
 description Internet access
 ip address 192.168.1.2 255.255.255.252
!
router bgp 65001
 neighbor 192.168.1.1 remote-as 65000
Of course you can replace RIP with whatever is suitable for you. And don't sue me when you do not apply required BGP filters for Internet access... ;-)
The other option ("mini internet") would be feasible as well. Just make sure your BGP filters are NEVER messed up and additionally apply a limit on the number of prefixes in your VRF mini-internet.
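The BGP filters and the VRF prefix limit mentioned above, sketched for the PE as an added example that is not part of the original posts. The customer prefix 198.51.100.0/24, the prefix-list name, the rd value and the limits are constructed; the neighbor address and AS numbers come from the sample configuration above.

```cisco
! PE router: added example, prefix, names and limits are constructed
!
! Accept only the prefix assigned to this customer; everything else
! (default route, other customers' space, more-specifics) hits the
! implicit deny at the end of the prefix-list.
ip prefix-list CUST-65001-IN seq 10 permit 198.51.100.0/24
!
router bgp 65000
 neighbor 192.168.1.2 remote-as 65001
 ! inbound filter on the customer Internet session
 neighbor 192.168.1.2 prefix-list CUST-65001-IN in
 ! tear the session down above 10 prefixes, warn at 80 percent
 neighbor 192.168.1.2 maximum-prefix 10 80
!
! "Mini-internet" VRF: cap the table size so a filter mistake
! cannot fill the VRF with unexpected routes.
ip vrf mini-internet
 rd 65000:999
 ! at most 1000 routes, log a warning at 80 percent
 maximum routes 1000 80
```

The inbound prefix-list and the per-neighbor limit protect the global table from a misconfigured CE; the `maximum routes` limit is the backstop for the VRF itself.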
Wondering if this would help. Importing IPv4 prefixes into VRF. Two things
a) only 5 such VRFs supported per Router
b) Not how default route would react.
This feature sounds good, only thing - it works in only one direction - to import global prefixes into VRF, so that solves only the smaller half of the problem.
Any ideas how to do the same thing vice versa? Export prefixes from VRF to global?
I assume you want it for backup floating routes to kick in, in which case you can use object tracking and remove the static routes so that backup routes can kick in and change the global routing table.
Exactly, you got the idea.
About scripts - you mean some non-IOS based stuff? I haven't had much experience with object tracking, but as far as I know tracking itself isn't able to do any actions, it just tracks the state of some specified objects and you have to combine it with some kind of process to do some actions based on tracking results. I hope I'm right with that :)
It'd be really nice if you could give some more specific info (http links, for example), where I could find additional details about the stuff you are talking about?
This should get you started off for object tracking.
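One way to tie the global static route to reachability of the customer prefix inside the VRF with object tracking, as an added example that is not part of the original thread. The prefix 198.51.100.0/24, the track number and the delay timers are constructed; the VRF name, interface and next hop reuse the sample configuration earlier in the thread.

```cisco
! PE router (same idea on the primary and the backup box)
! Added example: prefix, track number and timers are constructed
!
! Tracked object: is there a route for the customer prefix in the
! VRF routing table? "ip vrf" makes the lookup happen in the VRF
! instead of the global table.
track 10 ip route 198.51.100.0 255.255.255.0 reachability
 ip vrf customer
 ! damp flapping: wait 5 s before going down, 30 s before coming up
 delay down 5 up 30
!
! Global static route pointing at the interface inside the VRF.
! It is installed only while track 10 is up, so it disappears from
! the global table when the prefix is lost inside the VRF and the
! route via the other exit point can take over.
ip route 198.51.100.0 255.255.255.0 Serial0/0.1 10.1.1.2 track 10
```

Reachability tracking only checks that some route for the prefix exists in the VRF table, so a route for the same prefix learned from another PE keeps the object up. `show track 10` shows the current state and the last change.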