New Member

VRF-lite

Can someone please help me with the configuration of VRF-lite at both the CE and PE? I am using EIGRP as the routing protocol between my CE and PE.

1 ACCEPTED SOLUTION

Accepted Solutions

Re: VRF-lite

Hi,

To give you an example of running VRF-Lite with EIGRP:

ip vrf test
 rd
interface x
 ip vrf forwarding test
 ip address t.t.t.t
!
router eigrp
 no auto-summary
 !
 address-family ipv4 vrf test
  network t.t.t.t
  no auto-summary
  autonomous-system
 exit-address-family
!

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

17 REPLIES

Re: VRF-lite

Hi,

You don't need VRF-lite on a PE, as the PE would have MPLS/VRF on it (if we are talking about an MPLS provider). Accordingly, you need VRF-lite on the CE (multi-VRF router); all that you need is to create the VRF and use the EIGRP address-family.

But please note that AFAIK VRF-lite is not supported with EIGRP on some platforms and IOS versions.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

New Member

Re: VRF-lite

Hi Mohammed,

Could you please also give an example using BGP and OSPF? Currently I'm in the offering to a customer; which one is better?

thanks

Re: VRF-lite

Hi,

Sure, you are very welcome:

1. VRF-Lite with OSPF:

ip vrf test
 rd
interface x
 ip vrf forwarding test
 ip address t.t.t.t
router ospf vrf test
 log-adjacency-changes
 network t.t.t.t 0.0.0.255 area 0

2. VRF-Lite with BGP:

ip vrf test
 rd
interface x
 ip vrf forwarding test
 ip address t.t.t.t
router bgp
 address-family ipv4 vrf test
  neighbor remote-as
  network mask

HTH, please do rate all helpful replies using the scroll box on the right,

Mohammed Mahmoud.

Re: VRF-lite

Hi Mohammed,

Just a little add-on:

CE config with VRF-lite:

1. VRF-Lite with OSPF:

ip vrf test
 rd
interface x
 ip vrf forwarding test
 ip address t.t.t.t
router ospf vrf test
 log-adjacency-changes
 network t.t.t.t 0.0.0.0 area 0
 capability vrf-lite

The latter command ignores the down bit set by the PE. Otherwise you might end up with networks not installed in the IP routing table.

PE config:

ip vrf test
 rd
interface x
 ip vrf forwarding test
 ip address t.t.t.t
router ospf vrf test
 domain-id 0.0.0.1
 network t.t.t.t 0.0.0.0 area 0
 redistribute bgp subnets
router bgp
 address-family ipv4 vrf test
  redistribute ospf vrf test match internal external 1 external 2

Hope this helps! Please rate all posts.

Regards, Martin

Re: VRF-lite

Hi Martin,

You are completely right, I felt like forgetting something that caused me a lot of pain in the past :)

BR,

Mohammed Mahmoud.

New Member

Re: VRF-lite

Hi Mohammed,

You have been a great help.

Thanks.

Re: VRF-lite

Hi,

You are very welcome, please never hesitate if you have further questions.

BR,

Mohammed Mahmoud.

New Member

Re: VRF-lite

Do you guys have any example for PE and CE VRF-lite with multiple subinterfaces on a shared single DS3 or T1 circuit? Each sub-int runs its own BGP instance with traffic shaping and QoS.

thanks.

Re: VRF-lite

frame-relay switching
!
interface serial0/0/0
 encapsulation frame-relay
interface serial0/0/0.1 point-to-point
 ip vrf forwarding A
 ip address x.x.x.x x.x.x.x
 frame-relay interface-dlci 100
!
!
interface serial0/0/0
 encapsulation frame-relay
interface serial0/0/0.2 point-to-point
 ip vrf forwarding B
 ip address y.y.y.y y.y.y.y
 frame-relay interface-dlci 101
!

And So on for further interfaces.

!
router bgp 1
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf A
  neighbor x.x.x.x remote-as x
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf B
  neighbor y.y.y.y remote-as y
  no synchronization
 exit-address-family
!

And so on for further VRF's

Here is a reference guide to configure shaping for VOIP...you can modify the values to match your requirements.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bc6.html

HTH-Cheers,

Swaroop

New Member

Re: VRF-lite

Martin, I had a number of challenges getting VRF-Lite to work with BGP communicating between a 6500 and a 3845. Mainly I'm able to see BGP routes between VRFs but no IP routes are hitting the targeted endpoint. In this case the critical endpoint being the internet via a global services VRF that would include a WAN link currently pointing to a Service Provider. Since BGP is providing inter-VRF routes, I feel there's an issue with routes not fully being installed in the table. Here's an example configuration at the routing table in question. I believe I may be missing a neighbor statement for each VPN, but the Cisco document concerning VRF-lite doesn't show it as a requirement.

router bgp 1
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf Global.Test
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Global.Services
  redistribute connected
  redistribute static
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf Global.Internal.Test
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf DPOR
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf BOA
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family

The Global.Services VRF is the VRF which would have connectivity to the internet. Yet when attaching the internet link to the VRF, I'm not able to get to the WAN Internet. Thoughts? The following is the BGP VPN table and the respective VRF statements and BGP statements. Thanks.

Neil.

Perimeter.CNTR.Edge-Data#sh ip bgp vpnv4 all
BGP table version is 66, local router ID is 166.61.195.129
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 22:100 (default for vrf BOA)
*> 8.8.2.8/32       0.0.0.0                  0         32768 ?
*> 8.8.9.8/32       0.0.0.0                  0         32768 ?
*> 172.16.4.8/30    0.0.0.0                  0         32768 ?
*> 172.16.4.24/30   0.0.0.0                  0         32768 ?
*> 172.18.4.20/30   0.0.0.0                  0         32768 ?
*> 206.113.135.64/30
                    0.0.0.0                  0         32768 ?
Route Distinguisher: 25:100 (default for vrf DPOR)
*> 8.8.5.8/32       0.0.0.0                  0         32768 ?
*> 8.8.9.8/32       0.0.0.0                  0         32768 ?
*> 172.17.4.20/30   0.0.0.0                  0         32768 ?
*> 172.18.4.20/30   0.0.0.0                  0         32768 ?
*> 206.113.135.64/30
                    0.0.0.0                  0         32768 ?
Route Distinguisher: 50:200 (default for vrf Global.Services)
*> 8.8.9.8/32       0.0.0.0                  0         32768 ?
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.18.4.20/30   0.0.0.0                  0         32768 ?
*> 206.113.135.64/30
                    0.0.0.0                  0         32768 ?
Route Distinguisher: 90:400 (default for vrf Global.Internal.Test)
*> 8.8.10.8/32      0.0.0.0                  0         32768 ?
*> 172.18.4.24/30   0.0.0.0                  0         32768 ?

Perimeter.CNTR.Edge-Data#sh run
ip vrf BOA
 description BOA Perimeter-Center VRF Production Environment
 rd 22:100
 route-target export 22:100
 route-target import 22:100
 route-target import 50:200
ip vrf DPOR
 description DPOR Perimter-Center VRF Production Environment
 rd 25:100
 route-target export 25:100
 route-target import 25:100
 route-target import 50:200
ip vrf Global.Services
 description Perimeter Center Global IP Services
 rd 50:200
 route-target export 50:200
 route-target export 22:100
 route-target export 25:100
 route-target import 50:200

Cisco Employee

Re: VRF-lite

Hi Neil,

Some comments and questions:

1) Use private AS numbers (64512 - 65535) for BGP, RDs and RTs. What you are doing is like using illegal IP addresses - would not hurt in the beginning but could grow into a major pain some years later requiring major migration steps.

2) You only give the control plane configuration, i.e. VRF and BGP. Where is the data plane config, i.e. interfaces? In VRF lite you need to interconnect the VRFs between two routers, not only the global routing table. This means in case you have R1 - R2 - R3 then you need a separate (sub-)interface per VRF between R1 and R2 and between R2 and R3.

3) The routing between VRF enabled routers needs to be hop-by-hop, i.e. you need to apply to your VRFs the same routing design rules as with normal routers. This can cause some headache, depending on the protocol chosen, f.e. with 50 VRFs you would need 50 OSPF processes on every VRF-lite router.

So what does the rest of your topology look like and what addresses the issues I mention? Not addressing them would explain your connectivity issues.

Regards, Martin

New Member

Re: VRF-lite

Thanks for the advice on ASN numbering. Routing process info is as follows; they basically represent an array of organizations moving into a single building, and they're in need of obviously separate virtual routing domains, with the Global Services VRF functioning as an Internet Gateway VRF for all other VRF environments.

This serves as an example of each separate organizational interface configuration. Also included is a static route pointing all IP Services to the Internet Gateway.

interface Vlan29
 description Global Test VRF LAN Environment
 ip vrf forwarding Global.Services
 ip address 192.168.29.17 255.255.255.240
interface GigabitEthernet1/48.329
 description Global IP Services Test VRF
 encapsulation dot1Q 329
 ip vrf forwarding Global.Services
 ip address 172.18.4.21 255.255.255.252
 ip ospf network broadcast
 ip ospf cost 1
 ip ospf priority 0
!
router ospf 29 vrf Global.Services
 log-adjacency-changes
 capability vrf-lite
 redistribute connected
 redistribute static
 network 172.18.4.20 0.0.0.3 area 0
 network 192.168.29.16 0.0.0.15 area 1
ip route vrf Global.Services 206.113.135.65 255.255.255.255 GigabitEthernet1/48.329 172.18.4.22

Other Side of Data center WAN

interface GigabitEthernet0/0.329
 description description Global IP Services Test VRF
 encapsulation dot1Q 329
 ip vrf forwarding Global.Services
 ip address 172.18.4.22 255.255.255.252
 ip ospf network broadcast
 ip ospf cost 1
 bridge-group 29
!

Additionally, there is an export map for delivery from Side 1 (3845) to Side 2 (6500) of the WAN. Bonus question: does the export route map have to exist on both sides of the configuration from a VRF standpoint?

route-map Global.Services.Route-MAP permit 10
 match ip address prefix-list DPOR.Prefix
!
route-map Global.Services.Route-MAP permit 20
 match ip address prefix-list BOA.Prefix
ip prefix-list BOA.Prefix seq 10 permit 192.168.1.0/24
!
ip prefix-list DPOR.Prefix seq 10 permit 172.16.0.0/16
!
ip vrf Global.Services
 description Perimeter Center Global IP Services
 rd 50:200
 export map Global.Services.Route-MAP
 route-target export 50:200
 route-target import 50:200
 route-target import 22:100
 route-target import 25:100

VRF Global Services was put on the Internet-facing interface of the router, yet internet addresses were not pingable or accessible. When reconfigured to another more basic VRF configuration, the internet works.

Thanks Martin - Neil Barnett / Internetwork Archetype

Re: VRF-lite

Reading through your notes and to summarize, you have a couple of customers in a building aggregating on a 6500 which connects to a 3800 which in turn connects to the internet. (I have to assume the topology in the absence of the topo diag :-) )

In this case, you would be having VRFs configured only in the 6500, one VRF per customer on their SVI and one VRF for the internet on the interface which connects to the 3800.

In each customer VRF you would be importing the internet reachability provided through the global services VRF and exporting the source routes to the global services VRF. (I believe the natting is taken care of to reach the internet as the source would be a private IP.)

If this is the case as described above then you shouldn't be having any problems as it's quite straightforward.

If your case is a little different than described then can you pls attach a running config of 6500 and 3800 (with hostnames so it's easy to identify the config with the devices) and the topology map.

HTH-Cheers,

Swaroop

Re: VRF-lite

Taking a closer look at the output given from this host: Perimeter.CNTR.Edge-Data

Route Distinguisher: 50:200 (default for vrf Global.Services)
*> 8.8.9.8/32       0.0.0.0                  0         32768 ?
   Network          Next Hop            Metric LocPrf Weight Path
*> 172.18.4.20/30   0.0.0.0                  0         32768 ?
*> 206.113.135.64/30
                    0.0.0.0                  0         32768 ?

This doesn't have the local routes of your customer VRFs like 8.8.5.8, 8.8.2.8, and the reason I suspect is this config on the global services VRF.

ip vrf Global.Services
 description Perimeter Center Global IP Services
 rd 50:200
 route-target export 50:200
 route-target export 22:100 <--------you are exporting this, but you should be importing.
 route-target export 25:100 <--------you are exporting this, but you should be importing.
 route-target import 50:200

Once you change the above RT to import, the local routing on this device between all the connected VRFs should happen fine.

HTH-Cheers,

Swaroop
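
The route-target mismatch pointed out in the reply above can be checked mechanically before a change goes live. The following is an added example, not part of the thread and not a Cisco tool: it parses the ip vrf stanzas posted earlier (embedded as constructed sample input, trimmed to the route-target lines) and reports which VRFs receive routes from which, so both the missing customer routes and the isolation between BOA and DPOR are visible. The function names, including swap_to_import, are hypothetical.

```python
import re
# Constructed sample: the "ip vrf" stanzas posted in this thread, trimmed to RT lines.
CONFIG = """\
ip vrf BOA
 route-target export 22:100
 route-target import 22:100
 route-target import 50:200
ip vrf DPOR
 route-target export 25:100
 route-target import 25:100
 route-target import 50:200
ip vrf Global.Services
 route-target export 50:200
 route-target export 22:100
 route-target export 25:100
 route-target import 50:200
"""

def parse_vrfs(text):
    """Return {vrf: {"import": set, "export": set}} from IOS 'ip vrf' stanzas."""
    vrfs, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"ip vrf (\S+)\s*$", line):
            cur = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
        elif cur is not None and (m := re.match(r"\s+route-target (import|export|both) (\S+)", line)):
            for d in ("import", "export") if m.group(1) == "both" else (m.group(1),):
                cur[d].add(m.group(2))
        elif not line.startswith(" "):
            cur = None  # left the VRF stanza
    return vrfs

def route_flows(vrfs):
    """Return {receiver: VRFs whose exported RTs the receiver imports}."""
    flows = {name: set() for name in vrfs}
    for src, s in vrfs.items():
        for dst, d in vrfs.items():
            if src != dst and s["export"] & d["import"]:
                flows[dst].add(src)
    return flows

def swap_to_import(vrfs, name, rts):
    """Hypothetical helper: copy of vrfs with rts moved from export to import on one VRF."""
    fixed = {k: {"import": set(v["import"]), "export": set(v["export"])} for k, v in vrfs.items()}
    fixed[name]["export"] -= set(rts)
    fixed[name]["import"] |= set(rts)
    return fixed

if __name__ == "__main__":
    print("as posted:", route_flows(parse_vrfs(CONFIG)))
```

With the configuration as posted, Global.Services receives nothing from BOA or DPOR; after swap_to_import(vrfs, "Global.Services", ["22:100", "25:100"]) it receives both, while BOA and DPOR still do not import each other's routes.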

New Member

Re: VRF-lite

Thanks for the information. I no longer have access to the equipment, but was dogged by why this configuration wouldn't work. From my general understanding, coming from a logical perspective, the Global Services VRF should be importing routes from the targeted VRFs it intends to provide "services" to, in this case internet. While the export map shown earlier should be configured on the ip vrf Global.Services export map for return routes heading toward the VRFs receiving internet connectivity from the Global.Services VRF.

New Member

Re: VRF-lite

Hi, Martin and Mohammed

Can you use 2x VRF-Lite enabled routers or L3 switches to make a P-2-P WAN connection without PEs in between, and just use the two VRF-lite routers to provide the routing segregation, no MPLS LDP, etc.?

Thanks.
