Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 395
  • Last Modified:

VRF configuration problem

Hi, I want to setup VRF between two sites. Please see diagram below.

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2


And I have the configuration on router 1,
My question is,
    1. for VRF sharing the same WAN, Do I need to add this to VRF like my configuration or do I need to removed the WAN in VRF?
    2. Is there something wrong with my configuration since this is not working.  

router 1
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 300:3

ip vrf vpn2
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 300:3

ip vrf shared
 rd 300:3
 route-target export 300:3
 route-target import 300:3
 route-target import 200:2
 route-target import 100:1


int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.1 255.255.255.252
 
int g0/1.37
  ip vrf forwarding vpn1
  ip address 172.16.37.254 255.255.255.0

int g0/1.441
  ip vrf forwarding vpn1
  ip address 172.16.44.254 255.255.255.128
 
int g0/1.341
  ip vrf forwarding vpn1
  ip address 172.16.34.254 255.255.255.128

 
int g0/1.48
  ip vrf forwarding vpn2
  ip address 172.15.48.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.37.0 0.0.0.255
   network 172.16.44.0 0.0.0.128
   network 172.16.34.0 0.0.0.128
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.48.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family


router 2
 
 
int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.2 255.255.255.252
 
int g0/1.36
  ip vrf forwarding vpn1
  ip address 172.16.36.254 255.255.255.0
 
int g0/1.47
  ip vrf forwarding vpn2
  ip address 172.15.47.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.36.0 0.0.0.255
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.47.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family
0
Brian Garcia
Asked:
Brian Garcia
4 Solutions
 
Brian GarciaTechnology Support SpecialistAuthor Commented:
I've also added:
router eigrp 99
 address-family ipv4 vpn1
 redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 vpn2
redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 shared
redistribute bgp 65510 metric 100000 100 255 1 1500
0
 
harbor235Commented:
If the service providers is providing you with multi-vpn/vrf capabilities then they typically present you with a sub-interface for each VPN. You should also be bgp peering for each vpn/vrf. You can consolidate all routes into one routing table or continue to keep them segmented.

Is the telco ASN the same as yours? is the real world or a lab?


So it
0
 
QuoriCommented:
Fundamentally this isn't going to work as intended, as the extended community carrying the route target's isn't going to be maintained through the SP WAN so when it spits out the otherside of the WAN it will all just land in the "shared" VRF,

If you really want this to work, GRE tunnel across the WAN between the two sites. Enable MPLS on the BGP tunnel as well as build a VPNv4 peering between the two edge routers across the GRE tunnel targeting loopback interfaces for the peering.

Otherwise, if this is a lab, enable MPLS directly on the link.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Judging from the IPs, the WAN connection is a Point-2-Point connection ... do you know how large the packets may be for the communication? Some lines may only be set to 1500 bytes, which would cause a reduction of the IP packet size by at least 4 bytes (for one label). Also, I'm missing some more or less important stuff like "mpls ip" on the physical interface ...

As for the routing protocol, for directly connected devices, I usually do not use BGP (except via route reflector) but rather run an IGP (OSPF in our case) on the VRF subinterfaces ...

What do you get if you run "show mpls ldp neighbor"? Without the "mpls ip" on the interfaces I assume you won't see any neighbors. Does that change once you put the command in on both sides?

Also, I do not understand what you are actually trying to achieve with the subinterfaces ...
0
 
Brian GarciaTechnology Support SpecialistAuthor Commented:
Hi all,
This will soon be a live network. We are now setting up connection to our new bldg. We have two customers that must shared one Metro-E line going to our main site. Based on security policies, their traffic must not reach other, hence, I used VRF. I'm new to VRF and we're waiting for the TELCO to finish it's job so we can interconnect the two sites.
Do you guys have configuration example relating this concern?
Basically, VPN1 must only reach VPN1 and VPN2 must only reach VPN2. But they share the same Metro-E line. So how do I go about it? Will I need to have the interface for the shared line be part of a VRF or not?

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2
0
 
Garry GlendownConsulting and Network/Security SpecialistCommented:
Can you give any information about the link/line? Is it a L2 link (i.e., could you do VLAN tagging?) or is it an L3 link? Check my earlier questions and recommendations ...
0
 
Brian GarciaTechnology Support SpecialistAuthor Commented:
Hi guys,
Thank you for entertaining my questions. I have resolved this using the link - http://routerjockey.com/2009/11/19/cisco-mpls-vrf-configuration-and-demo/.
0
 
Brian GarciaTechnology Support SpecialistAuthor Commented:
The link solve my problem.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now