CPE Management VRF (one more)

sultan-shaikh
Level 3

Hi Friends,

Sorry for starting one more thread on the same. I know that this topic has already been beaten to death here.

So here is the problem:

I have 2 back to back connected 7600s, let's say PE-1 and PE-2.

I have configured a Management VRF on PE-1 and pulled in Loopback 0 and another interface connected to my Management (10.253.2.0 network).

I have configured a test VPN (VRF-101) between PE-1 and PE-2 and have connected 2 CPE devices (2800s). PE-1 to CPE-1 and PE-2 to CPE-2 is eBGP.

My VPN is working fine with both CPE loopback and LAN routes advertised across.

I want to manage these CPEs. Here is the configuration I created (after going through this forum!); unfortunately for me it is not working.

PE-1 Configuration:-

ip vrf Management-VRF
 rd 65000:500
 export map MgmtLAN
 route-target export 65000:500
 route-target export 65000:161
 route-target import 65000:500
 route-target import 65000:162
!
ip vrf VRF-101
 rd 65000:101
 export map MgmtLoopbacks
 route-target export 65000:101
 route-target import 65000:101
 route-target import 65000:161
!
interface Loopback0
 description System Control Interface
 ip address 10.253.254.1 255.255.255.255
!
interface Loopback1
 description MGMT Control Interface
 ip vrf forwarding Management-VRF
 ip address 10.253.250.1 255.255.255.255
!
interface GigabitEthernet5/2
 description To NMS_MGMT_CE01
 ip vrf forwarding Management-VRF
 ip address 10.253.255.5 255.255.255.252
!
 address-family ipv4 vrf Management-VRF
  no synchronization
  bgp router-id 10.253.250.1
  redistribute connected
  redistribute static
  neighbor 10.253.255.6 remote-as 65000
  neighbor 10.253.255.6 activate
  neighbor 10.253.255.6 send-community both
 exit-address-family
 !
 address-family ipv4 vrf VRF-101
  no synchronization
  redistribute connected
  redistribute static
 exit-address-family
!
access-list 1 permit 10.253.254.0 0.0.0.255 log
access-list 2 permit 10.253.224.2
access-list 2 permit 10.253.224.1
!
route-map MgmtLAN permit 10
 match ip address 1
 set extcommunity rt 65000:161
!
route-map MgmtLoopbacks permit 10
 match ip address 2
 set extcommunity rt 65000:162 additive

PE-2 Configuration:-

ip vrf VRF-101
 rd 65000:101
 route-target export 65000:101
 route-target import 65000:101
!
interface Loopback0
 ip address 10.253.254.65 255.255.255.255
!
interface GigabitEthernet2/1/1.101
 encapsulation dot1Q 101
 ip vrf forwarding VRF-101
 ip address 10.1.0.2 255.255.255.252
!
 address-family ipv4 vrf VRF-101
  no synchronization
  redistribute connected
  redistribute static
  neighbor 10.1.0.1 remote-as xxx
  neighbor 10.1.0.1 activate
  neighbor 10.1.0.1 next-hop-self
 exit-address-family

Requesting some help in understanding this.

Thanks

Cheers

~sultan


9 Replies

romccallum
Level 4

On PE1 there is no BGP to the CPE. On PE2 there IS BGP to the CPE but no route-map changing the ext comm.

Hi Robert,

Thanks for your response. Between PE-1 and CPE-1 there is static routing, hence no BGP. I have added appropriate routes, and I am getting loopback and LAN routes of the CPE across the VPN.

Requesting you to please let me know what route-map I am supposed to give.

Also, I am getting the CPE-1 loopback in Management VRF but not for CPE-2.

Please reply...

Thanks

Cheers

~sultan

Ok, so the loopback from CPE 1 is in the management table. Use the same logic on PE2 to bring in the loopback of CPE 2. I presume from your initial post that even though you have CPE 1's loopback in the table you cannot ping it? If this is the case then have a little think about what the source address of your ping is :)

Hi Robert,

That was quick!!!

Yes, I have CPE-1 in the Management table, and I can also ping it, the source being PE-1's loopback interface, which I had 'pulled' into Management VRF.

CPE-2 is not in the Management table, so as I understand it you are suggesting that I configure ACLs and route-maps on PE-2 (as I have done on PE-1). In that case, even if the route comes in, it will have the 'next-hop' as, I presume, the PE-2 loopback, and my source would be the PE-1 loopback??!!

I am sorry if I am sounding confused...

Thanks

Cheers,

~sultan

Bang on, mate. Once the route is in, you shall only be able to ping from PE1's loopback address, as this shall be propagated into the CPEs.

So how do I get my Management servers to ping to CPE devices?

I will be working on this again today and update the forum...

Thanks

Cheers,

~sultan

You leak the IP addresses of your servers out of your VRF, so for instance a route-map that adds an ext-comm of say 999 or 666 :) Then all you do is import that wherever you want to manage.
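Both accepted answers put together, as an added example that is not the original poster's or Cisco's configuration: the PE-2 side that was missing, plus the server-subnet leak so the CPEs have a return route to the NMS servers rather than only to PE-1's loopback. The CPE-2 loopback 10.253.224.2, the server subnet 10.253.2.0/24 and the RT 65000:999 are assumptions taken from the numbers in the thread.

```cisco
! PE-2: mirror PE-1's export map so CPE-2's loopback is tagged 65000:162
! and therefore lands in Management-VRF on PE-1 (which imports 65000:162).
ip vrf VRF-101
 rd 65000:101
 export map MgmtLoopbacks
 route-target export 65000:101
 route-target import 65000:101
 route-target import 65000:999
!
! Only the CPE-2 loopback (assumed 10.253.224.2) leaves the customer VRF;
! keep this ACL to the management addresses and nothing else.
access-list 2 permit 10.253.224.2
!
route-map MgmtLoopbacks permit 10
 match ip address 2
 set extcommunity rt 65000:162 additive
!
! PE-1: leak only the NMS server subnet (assumed 10.253.2.0/24) out of
! Management-VRF under its own RT 65000:999, which VRF-101 imports on both
! PEs. Without this the CPEs only know PE-1's loopback, so only a ping
! sourced from that loopback gets an answer. Management-VRF already has
! "export map MgmtLAN"; sequence 10 below is unchanged from the original
! post and sequence 20 adds the server leak.
ip vrf VRF-101
 route-target import 65000:999
!
access-list 3 permit 10.253.2.0 0.0.0.255
!
! "additive" keeps the VRF's configured export RTs on the matched routes
! instead of replacing them.
route-map MgmtLAN permit 10
 match ip address 1
 set extcommunity rt 65000:161
route-map MgmtLAN permit 20
 match ip address 3
 set extcommunity rt 65000:999 additive
```

CPE-1 is statically routed to PE-1, so it additionally needs a static route for the server subnet pointing at PE-1, which BGP on the PE-2 side provides to CPE-2 automatically.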

Hi Robert,

Thanks a ton for your insightful comments they really helped a lot.

Further, the book MPLS VPN Security was also of great help; specifically Chapter 8 really articulates the basis for this kind of configuration.

Thanks

Cheers

~sultan

np sultan, best of luck.