mrmystery44

asked on

Looking for config guide : CE Cisco Router with Multiple Telco provided private VPNs in a single physical circuit

A customer of mine is moving their people from Office A to Office B, but is leaving the servers at Office A.

There are 5 networks in 3 different security zones that need to exist at Office B for the users, but the company's procurement department has vetoed using a Layer 2 type service because it's not in the current contract with their Telco provider.  :/

Net 1 - 100mb - Security Zone 1
Net 2 - 100mb - Security Zone 1
Net 3 - 100mb - Security Zone 2
Net 4 - 10mb - Security Zone 3
Net 5 - 10mb - Security Zone 3

The nets are all class C.  All the systems at Office B are new, and having different IP addresses is (amazingly / apparently) not a problem.

The Telco provider has sold them a pair of diverse 300 MB Ethernet MPLS circuits with three private VPNs which will be connected to two new Cisco 4431's at Office A and Office B that will both connect to all 5 network switches at Office A.  These routers will not directly route any packets between the 5 nets / 3 zones (there are other existing routers and firewalls at Office A that will do those tasks if needed), they are purely for connectivity between Office A and Office B.

Within the order notes for the circuits, I see the wording "Each MPLS CE router will utilize the Multi-VRF feature to segment traffic by application.  A total of 3 VPN's will be utilized."

I have no problems with routing protocol features (EIGRP or BGP) on high availability networks, and although I have never configured it before, I think I understand Multi-VRF after reading some guides, but for some reason I can't find guides on how you configure a router interface for a single MPLS physical circuit that contains multiple telco-provided-private VPNs (thus not needing customer created IPsec tunnels).
[Attached diagram: Capture.JPG]
Soulja

@Author

I need clarification. Usually the CE router does nothing in regards to "VRFing" in the typical MPLS scenario. The PE router is usually where the vrf breakout begins. Is your requirement in this scenario different?
If this is a case where the ISP is using Ethernet Virtual Circuits, then the only thing you are doing on the CE router is tagging the traffic to a specific vlan tag. The ISP PE will pick it up and assign it to the assigned service instance to transfer across their MPLS to the other office.
mrmystery44

ASKER

@Soulja,

>  Usually the CE router does nothing in regards to "VRFing" in the typical MPLS scenario.
This would explain why I am finding a lot of PE configuration examples, and few/no CE configuration examples.

>The PE router is usually where the vrf breakout begins.  Is your requirement in this scenario different?
Unfortunately, I am not familiar enough to know what is usual.

The requirement was to keep the traffic in the 3 security zones "as separate as possible", which based on the notes in the circuit orders - the designers and Telco interpreted as using Multi-VRF on the CE routers.

Does that help?
@Soulja,

> If this is a case where the ISP is using Ethernet Virtual Circuits ...

I have not seen that terminology anywhere in the documentation that the designer left or in the Telco order.  :/
Did my diagram get attached?  Re-trying to attach ...
[Attached diagram: Capture.JPG]
@Author

How is your current CE router peering with your PE, or how are they requesting for it to be peered? BGP, I assume?
@Soulja,

This is all new, but yes, it will be BGP.
ASKER CERTIFIED SOLUTION
Soulja
This solution is only available to members.
@Soulja,

> The provider router at your sites, you state are just there for connectivity
Sorry, the description I gave was not clear. The Telco did not sell them the routers, just the circuit.  The 4431 routers in both offices are CE, not PE.

> What information has the provider provided with how you will interface with them.
The circuits are not yet released to us; they are being installed today/tomorrow, and I don't have this information yet.

The provider has only given me the diagram which was co-created with the person who designed this, and the order notes.  I am trying to research this so I know what information I need from the Telco provider and in general have a clue how to configure the routers.  :)

More will be given when the circuits are released to me (I hope), but I was not aware this is an unusual config when I asked the question.
@mrmystery44

The information you obtain regarding the circuit will help greatly. This may not be an unusual config after all once we see what they are asking.
Any update?
Author abandoned
So, it ends up that this was delivered using dot1q trunking between CE and PE routers.

I apologize for abandoning the question.  Soulja was very helpful.
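
The arrangement the thread arrives at (Multi-VRF on the CE, with dot1q trunking between CE and PE and BGP as the CE-PE protocol) sketched as an IOS XE configuration. This is an added example, not part of the original thread or the Telco's design; the VRF names, VLAN IDs, AS numbers, interface numbers and addresses are all assumptions.

```cisco
! Constructed example: every name, VLAN ID, AS number and address is a placeholder.
! One VRF per security zone gives the CE three independent routing tables.
vrf definition ZONE1
 rd 65001:1
 address-family ipv4
 exit-address-family
vrf definition ZONE2
 rd 65001:2
 address-family ipv4
 exit-address-family
vrf definition ZONE3
 rd 65001:3
 address-family ipv4
 exit-address-family
! WAN side: one dot1q subinterface per provider VPN on the single physical circuit.
! "vrf forwarding" is entered before "ip address" because it clears the address.
interface GigabitEthernet0/0/0
 no ip address
interface GigabitEthernet0/0/0.101
 encapsulation dot1Q 101
 vrf forwarding ZONE1
 ip address 192.0.2.2 255.255.255.252
interface GigabitEthernet0/0/0.102
 encapsulation dot1Q 102
 vrf forwarding ZONE2
 ip address 192.0.2.6 255.255.255.252
interface GigabitEthernet0/0/0.103
 encapsulation dot1Q 103
 vrf forwarding ZONE3
 ip address 192.0.2.10 255.255.255.252
! LAN side: each network's interface is placed in its zone's VRF (Net 1 shown).
interface GigabitEthernet0/0/1
 vrf forwarding ZONE1
 ip address 10.1.1.1 255.255.255.0
! One eBGP session to the PE per VRF; no route-target import/export is configured,
! so nothing leaks between zones on this router.
router bgp 65001
 address-family ipv4 vrf ZONE1
  neighbor 192.0.2.1 remote-as 64512
  neighbor 192.0.2.1 activate
  network 10.1.1.0 mask 255.255.255.0
 exit-address-family
 address-family ipv4 vrf ZONE2
  neighbor 192.0.2.5 remote-as 64512
  neighbor 192.0.2.5 activate
 exit-address-family
 address-family ipv4 vrf ZONE3
  neighbor 192.0.2.9 remote-as 64512
  neighbor 192.0.2.9 activate
 exit-address-family
```

To confirm the zones stay separate, `show ip route vrf ZONE1` should list only Zone 1 prefixes, and the same check applies to the other two VRFs.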