Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Metro Ethernet VPN via MPLS VRF's

Hello All,

We have deployed VPN's via ethernet and we integrate that via dot1q VLAN's on a subinterface on a GigEthernet. We then make those a member of a specific vrf forwarding VPN for example.

interface GigabitEthernet0/1.101

description VPN-CUST1

encapsulation dot1Q 101

ip vrf forwarding VPN-CUST1

ip address

ip address secondary

no cdp enable


The client only wants the Head Office to see the branches, but not branch to branch for commercial and technical reasons eg. viruses/snooping etc. In our ATM subinterfaces, each branch has one subif so each has a different VRF and RD, we then just import the RD to the head office. But with VLAN based branches, we can't do it like this. I hope I had made it clear somehow. The question is, is there any other option to achieve this on a VLAN based subif VPN's? We are thinking of creating a subif VLAN for each branch but what if there are thousand branches, our VLANs will be exhausted easily. Hoping for your insights regarding this.



Re: Metro Ethernet VPN via MPLS VRF's

The VRF Selection feature removes the association between a VPN and an interface. Before the VRF Selection feature was introduced, the following implementation was used to route outgoing MPLS VPN packets to different destinations:

A policy-based router (PBR) is attached to the customer edge (CE) router.

The egress side of the PBR router side has VLANs connected to a PE.

The PBR router uses a policy-based route map to select the correct output (VLAN) interface and each VLAN is under a specific VRF

CreatePlease to create content