Solved

VRF configuration problem

Posted on 2014-02-08
8
364 Views
Last Modified: 2014-03-26
Hi, I want to setup VRF between two sites. Please see diagram below.

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2


And I have the configuration on router 1,
My question is,
    1. for VRF sharing the same WAN, Do I need to add this to VRF like my configuration or do I need to removed the WAN in VRF?
    2. Is there something wrong with my configuration since this is not working.  

router 1
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 300:3

ip vrf vpn2
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 300:3

ip vrf shared
 rd 300:3
 route-target export 300:3
 route-target import 300:3
 route-target import 200:2
 route-target import 100:1


int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.1 255.255.255.252
 
int g0/1.37
  ip vrf forwarding vpn1
  ip address 172.16.37.254 255.255.255.0

int g0/1.441
  ip vrf forwarding vpn1
  ip address 172.16.44.254 255.255.255.128
 
int g0/1.341
  ip vrf forwarding vpn1
  ip address 172.16.34.254 255.255.255.128

 
int g0/1.48
  ip vrf forwarding vpn2
  ip address 172.15.48.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.37.0 0.0.0.255
   network 172.16.44.0 0.0.0.128
   network 172.16.34.0 0.0.0.128
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.48.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family


router 2
 
 
int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.2 255.255.255.252
 
int g0/1.36
  ip vrf forwarding vpn1
  ip address 172.16.36.254 255.255.255.0
 
int g0/1.47
  ip vrf forwarding vpn2
  ip address 172.15.47.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.36.0 0.0.0.255
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.47.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family
0
Comment
Question by:jb_yow
8 Comments
 
LVL 3

Author Comment

by:jb_yow
ID: 39844014
I've also added:
router eigrp 99
 address-family ipv4 vpn1
 redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 vpn2
redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 shared
redistribute bgp 65510 metric 100000 100 255 1 1500
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 167 total points
ID: 39844708
If the service providers is providing you with multi-vpn/vrf capabilities then they typically present you with a sub-interface for each VPN. You should also be bgp peering for each vpn/vrf. You can consolidate all routes into one routing table or continue to keep them segmented.

Is the telco ASN the same as yours? is the real world or a lab?


So it
0
 
LVL 13

Assisted Solution

by:Quori
Quori earned 167 total points
ID: 39844836
Fundamentally this isn't going to work as intended, as the extended community carrying the route target's isn't going to be maintained through the SP WAN so when it spits out the otherside of the WAN it will all just land in the "shared" VRF,

If you really want this to work, GRE tunnel across the WAN between the two sites. Enable MPLS on the BGP tunnel as well as build a VPNv4 peering between the two edge routers across the GRE tunnel targeting loopback interfaces for the peering.

Otherwise, if this is a lab, enable MPLS directly on the link.
0
 
LVL 17

Assisted Solution

by:Garry-G
Garry-G earned 166 total points
ID: 39844991
Judging from the IPs, the WAN connection is a Point-2-Point connection ... do you know how large the packets may be for the communication? Some lines may only be set to 1500 bytes, which would cause a reduction of the IP packet size by at least 4 bytes (for one label). Also, I'm missing some more or less important stuff like "mpls ip" on the physical interface ...

As for the routing protocol, for directly connected devices, I usually do not use BGP (except via route reflector) but rather run an IGP (OSPF in our case) on the VRF subinterfaces ...

What do you get if you run "show mpls ldp neighbor"? Without the "mpls ip" on the interfaces I assume you won't see any neighbors. Does that change once you put the command in on both sides?

Also, I do not understand what you are actually trying to achieve with the subinterfaces ...
0
Network it in WD Red

There's an industry-leading WD Red drive for every compatible NAS system to help fulfill your data storage needs. With drives up to 8TB, WD Red offers a wide array of solutions for customers looking to build the biggest, best-performing NAS storage solution.  

 
LVL 3

Author Comment

by:jb_yow
ID: 39846170
Hi all,
This will soon be a live network. We are now setting up connection to our new bldg. We have two customers that must shared one Metro-E line going to our main site. Based on security policies, their traffic must not reach other, hence, I used VRF. I'm new to VRF and we're waiting for the TELCO to finish it's job so we can interconnect the two sites.
Do you guys have configuration example relating this concern?
Basically, VPN1 must only reach VPN1 and VPN2 must only reach VPN2. But they share the same Metro-E line. So how do I go about it? Will I need to have the interface for the shared line be part of a VRF or not?

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39848316
Can you give any information about the link/line? Is it a L2 link (i.e., could you do VLAN tagging?) or is it an L3 link? Check my earlier questions and recommendations ...
0
 
LVL 3

Accepted Solution

by:
jb_yow earned 0 total points
ID: 39944846
Hi guys,
Thank you for entertaining my questions. I have resolved this using the link - http://routerjockey.com/2009/11/19/cisco-mpls-vrf-configuration-and-demo/.
0
 
LVL 3

Author Closing Comment

by:jb_yow
ID: 39955430
The link solve my problem.
0

Featured Post

Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
BGP with 2 ISP's on Same Cisco Router 15 63
RCA to HDMI 4 52
FTP output from Wireshak 6 47
How to setup PLEX PLUS on 2 computers 2 11
Every server (virtual or physical) needs a console: and the console can be provided through hardware directly connected, software for remote connections, local connections, through a KVM, etc. This document explains the different types of consol…
Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now