VRF lite and shared service

Hi to all, I'm trying to use VRF-Lite with shared service. I tried to configure two different VRFs (blue and red, for example) and then I configured another VRF (for example, server). I tried to export with route-target both VRF blue and green to VRF server and to import VRF server into VRF blue and green to give reachability. This is part of my configuration:

ip vrf green
 rd 65001:100
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:300

ip vrf red
 rd 65001:200
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:300

ip vrf server
 rd 65001:300
 route-target export 65001:300
 route-target import 65001:300
 route-target import 65001:100
 route-target import 65001:200

but it doesn't work.

Any help appreciated

Max

P.S. Is it possible to merge two VRFs in VRF-Lite?

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VRF lite and shared service

Hi,

I insist on my opinion :) and from your document:

Note This command is effective only if BGP is running.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html#wp1045301

HTH,

Mohammed Mahmoud.

16 REPLIES
Bronze

Re: VRF lite and shared service

Hi,

As posted in another group, you need to add a route-target export 65001:300 at vrf red and a route-target export 65001:100 at vrf server to give full reachability between the two VPNs.

BR,

Bjornarsb

Re: VRF lite and shared service

hi,

As far as I know, using route-targets is effective only if BGP is running (route-target is an extended community).

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Bronze

Re: VRF lite and shared service

Yes,

If you run OSPF in the customer environment and BGP on the CE router, this will work fine.

Then inter-vpn communication goes through the CE router.

I refer to the design in this document:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html

HTH,

Regards

Bjornarsb

New Member

Re: VRF lite and shared service

Hi:

That was very useful info on VRF-Lite.

Thank you very much.

Sincerely.

Bronze

Re: VRF lite and shared service

Hi mate,

You are very welcome!

Please rate if you find my posts helpful.

BR,

Bjornarsb

Re: VRF lite and shared service

Hi,

I insist on my opinion :) and from your document:

Note This command is effective only if BGP is running.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/vrf.html#wp1045301

HTH,

Mohammed Mahmoud.

Re: VRF lite and shared service

I agree with you. I tested the configuration yesterday and VRF-Lite is able ONLY to do traffic isolation, and it seems not possible to merge two or more VRFs together with route-target attributes. If you want to use this technique, you must run BGP (that is what I tried). I turned on BGP and MPLS and built an MPLS VPN. It's not necessary to have a BGP neighbor up to make route-target work.

Configure BGP with vpn4 and vrf, and all works. If you want to merge more than one VRF with VRF-Lite, you have to connect them with a physical loop (for example, with a cross cable connected to both VRFs) from one VRF to the other. Also, a Cisco engineer told me to use a firewall to make shared service possible with VRF-Lite, configuring every VRF on one interface of the firewall and the shared service in the DMZ.

Re: VRF lite and shared service

Hi,

Very, very nice. I've already tested it myself: I enabled MPLS and MBGP and it works fine. With just VRF-Lite, only traffic isolation can be done but no merging of VPNs can be done. It's logical, as VRF-Lite wasn't invented for this job; it was only invented for converting a CE router into multiple virtual routers, each one with its separate routing table, interfaces and routing protocols.

BR,

Mohammed Mahmoud.

Bronze

Re: VRF lite and shared service

Yes, but you still have to add a route-target export 65001:300 at vrf red and a route-target export 65001:100 at vrf server to give full reachability between the two VPNs.

BR,

Bjornarsb

Re: VRF lite and shared service

hi,

You are totally right, but the whole idea is that it can't be done with just VRF-Lite, you must have MBGP.

HTH,

Mohammed Mahmoud.

Bronze

Re: VRF lite and shared service

Hi,

You can run VRF-Lite with BGP.

As you have posted, VRF-Lite gets you separate routing instances.

Another reason why VRF-Lite was developed was that you do not need to run tag-switching between CE and PE.

So you can run BGP for each VRF.

Agree?

BR,

Bjornarsb

Re: VRF lite and shared service

Hi,

Yes, I totally agree :) VRF-Lite without MBGP (BGP with VPNv4) won't do it, but by having VRF-Lite with MBGP it's doable. VRF-Lite alone is only capable of traffic isolation.

BR,

Mohammed Mahmoud.

New Member

Re: VRF lite and shared service

Why do you need to add those export route-tag?

In vrf red it exports 65001:200 and vrf server has import 65001:200. So vrf server should have all routes imported from vrf red. Same vrf red should have all routes from vrf server.

Bronze

Re: VRF lite and shared service

Hi,

You need an export to 65001:100 so it can import 65001:200. That's how it works :)

See this example:

http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a008019abb3.html#88319

br,

Bjornarsb

New Member

Re: VRF lite and shared service

I did a test in a dynamips environment. You don't need an export to 65001:100 to allow import 65001:200.

The router just checks the route-tag in the MBGP route and grabs the route whose route-tag matches the import setting.

Re: VRF lite and shared service

Hi,

Import and export under the same VRF are independent. In simple VPNs the best practice is that we import and export with the same RT (Route Target), while in complex VPNs we import and export according to the VPN design.

export RT --> attached to the routes when exported from the VRF (VPN identifier).

import RT --> Used to select which routes to be imported into the VRF from the routes received via MP-BGP (Import route filter)

HTH, please do rate all helpful replies

Mohammed Mahmoud.
