VRF configuration problem

Posted on 2014-02-08
Last Modified: 2014-03-26
Hi, I want to set up VRF between two sites. Please see the diagram below.

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2


And I have the configuration on router 1,
My question is,
    1. For VRFs sharing the same WAN, do I need to add this to a VRF like in my configuration, or do I need to remove the WAN from the VRF?
    2. Is there something wrong with my configuration, since this is not working?

router 1
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 300:3

ip vrf vpn2
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 300:3

ip vrf shared
 rd 300:3
 route-target export 300:3
 route-target import 300:3
 route-target import 200:2
 route-target import 100:1


int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.1 255.255.255.252
 
int g0/1.37
  ip vrf forwarding vpn1
  ip address 172.16.37.254 255.255.255.0

int g0/1.441
  ip vrf forwarding vpn1
  ip address 172.16.44.254 255.255.255.128
 
int g0/1.341
  ip vrf forwarding vpn1
  ip address 172.16.34.254 255.255.255.128

 
int g0/1.48
  ip vrf forwarding vpn2
  ip address 172.15.48.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.37.0 0.0.0.255
   network 172.16.44.0 0.0.0.128
   network 172.16.34.0 0.0.0.128
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.48.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family


router 2
 
 
int g0/0
 description telco
  ip vrf forwarding shared
  ip address 10.1.1.2 255.255.255.252
 
int g0/1.36
  ip vrf forwarding vpn1
  ip address 172.16.36.254 255.255.255.0
 
int g0/1.47
  ip vrf forwarding vpn2
  ip address 172.15.47.254 255.255.255.0
 
router eigrp 99
  address-family ipv4 vpn1
   network 172.16.36.0 0.0.0.255
   autonomous system 10
   no auto-summary
   exit-address-family
  address-family ipv4 vpn2
   network 172.15.47.0 0.0.0.255
   no auto-summary
   autonomous system 20
   exit-address-family
  address-family ipv4 shared
   network 10.1.1.0 0.0.0.3
   no auto-summary
   autonomous system 30
   exit-address-family

router bgp 65001
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65001
 no auto-summary
 address-family ipv4 vrf vpn1
   redistribute eigrp 10
   no synchronization
   exit-address-family
 address-family ipv4 vrf spis
   redistribute eigrp 20
   no synchronization
   exit-address-family
   address-family ipv4 vrf shared
   redistribute eigrp 30
   no synchronization
   exit-address-family
0
Question by:Brian Garcia
8 Comments
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39844014
I've also added:
router eigrp 99
 address-family ipv4 vpn1
 redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 vpn2
redistribute bgp 65510 metric 100000 100 255 1 1500
  address-family ipv4 shared
redistribute bgp 65510 metric 100000 100 255 1 1500
0
 
LVL 32

Assisted Solution

by:harbor235
harbor235 earned 501 total points
ID: 39844708
If the service provider is providing you with multi-vpn/vrf capabilities then they typically present you with a sub-interface for each VPN. You should also be bgp peering for each vpn/vrf. You can consolidate all routes into one routing table or continue to keep them segmented.

Is the telco ASN the same as yours? Is this the real world or a lab?


So it
0
 
LVL 13

Assisted Solution

by:Quori
Quori earned 501 total points
ID: 39844836
Fundamentally this isn't going to work as intended, as the extended community carrying the route targets isn't going to be maintained through the SP WAN, so when it spits out the other side of the WAN it will all just land in the "shared" VRF.

If you really want this to work, GRE tunnel across the WAN between the two sites. Enable MPLS on the BGP tunnel as well as build a VPNv4 peering between the two edge routers across the GRE tunnel targeting loopback interfaces for the peering.

Otherwise, if this is a lab, enable MPLS directly on the link.
0
 
LVL 18

Assisted Solution

by:Garry Glendown
Garry Glendown earned 498 total points
ID: 39844991
Judging from the IPs, the WAN connection is a Point-2-Point connection ... do you know how large the packets may be for the communication? Some lines may only be set to 1500 bytes, which would cause a reduction of the IP packet size by at least 4 bytes (for one label). Also, I'm missing some more or less important stuff like "mpls ip" on the physical interface ...

As for the routing protocol, for directly connected devices, I usually do not use BGP (except via route reflector) but rather run an IGP (OSPF in our case) on the VRF subinterfaces ...

What do you get if you run "show mpls ldp neighbor"? Without the "mpls ip" on the interfaces I assume you won't see any neighbors. Does that change once you put the command in on both sides?

Also, I do not understand what you are actually trying to achieve with the subinterfaces ...
0
 
LVL 3

Author Comment

by:Brian Garcia
ID: 39846170
Hi all,
This will soon be a live network. We are now setting up the connection to our new bldg. We have two customers that must share one Metro-E line going to our main site. Based on security policies, their traffic must not reach each other, hence, I used VRF. I'm new to VRF and we're waiting for the TELCO to finish its job so we can interconnect the two sites.
Do you guys have a configuration example relating to this concern?
Basically, VPN1 must only reach VPN1 and VPN2 must only reach VPN2. But they share the same Metro-E line. So how do I go about it? Will I need to have the interface for the shared line be part of a VRF or not?

VPN1 -----router1--------WAN-------router2-------VPN1
                  |                                                         |
VPN2 -------|                                                         |------VPN2
0
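The isolation requirement stated above can be checked against the route targets before the link goes live. This is an added example (not part of the original thread and not Cisco tooling) that parses `ip vrf` stanzas and reports which VRFs import another VRF's exported routes; the function names are hypothetical and `SAMPLE` is constructed from the stanzas posted in the question.

```python
import re

# Constructed sample: the "ip vrf" stanzas as posted in the question.
SAMPLE = """\
ip vrf vpn1
 rd 100:1
 route-target export 100:1
 route-target import 100:1
 route-target import 300:3
ip vrf vpn2
 rd 200:2
 route-target export 200:2
 route-target import 200:2
 route-target import 300:3
ip vrf shared
 rd 300:3
 route-target export 300:3
 route-target import 300:3
 route-target import 200:2
 route-target import 100:1
"""

def parse_vrfs(config):
    """Return {vrf: {"import": set, "export": set}} from 'ip vrf' stanzas."""
    vrfs, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip vrf (\S+)\s*$", line)
        if m:
            current = vrfs.setdefault(m.group(1), {"import": set(), "export": set()})
            continue
        m = re.match(r"\s+route-target (import|export|both) (\S+)", line)
        if m and current is not None:
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                current[kind].add(m.group(2))
        elif line.strip() and not line[0].isspace():
            current = None  # any other top-level command ends the stanza
    return vrfs

def import_sources(vrfs):
    """Map each VRF to the other VRFs whose exported routes it imports."""
    return {name: sorted(other for other, o in vrfs.items()
                         if other != name and rt["import"] & o["export"])
            for name, rt in vrfs.items()}

def holds_both(vrfs, a, b):
    """VRFs other than a and b that import routes from both tenants."""
    sources = import_sources(vrfs)
    return sorted(v for v, s in sources.items() if v not in (a, b) and a in s and b in s)
```

On the sample, vpn1 and vpn2 do not import each other's targets, while shared imports from both and each tenant imports from shared, so the shared VRF is the place to review against the isolation policy.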
 
LVL 18

Expert Comment

by:Garry Glendown
ID: 39848316
Can you give any information about the link/line? Is it a L2 link (i.e., could you do VLAN tagging?) or is it an L3 link? Check my earlier questions and recommendations ...
0
 
LVL 3

Accepted Solution

by:
Brian Garcia earned 0 total points
ID: 39944846
Hi guys,
Thank you for entertaining my questions. I have resolved this using the link - http://routerjockey.com/2009/11/19/cisco-mpls-vrf-configuration-and-demo/.
0
 
LVL 3

Author Closing Comment

by:Brian Garcia
ID: 39955430
The link solved my problem.
0
