MPLS VPN , Inter VRF routing

slal
Level 1

Hi,

I am configuring MPLS VPN. It has 3 VRFs: VRF-A, VRF-B, and VRF-Internet.

VRFs A and B talk to VRF-Internet via the RT import/export feature, i.e., route leaking.

VRF-Internet is connected to an ISP with a CE router and has a default out to the Internet.

VRF-A and VRF-B import the default route from VRF-Internet. There is no routing between VRF-A and VRF-B. But VRF-Internet knows the routes for VRF-A and VRF-B.

Will VRF-A be able to communicate to VRF-B via VRF-Internet? If they don't, what is stopping this? Any mBGP restrictions or rules?

I know you cannot export a route which is learnt via another VRF route leak.

Thanks

Sanjay

6 Replies

olorunloba
Level 5

No. VRF-A will not communicate with VRF-B via VRF-Internet. The reason being that VPN labels are not allocated to routes learnt via MP-BGP.

Hello,

They could get connectivity. The reason is that, for example, traffic from VRF-A to VRF-B will follow the default route, label switched to the first router outside VRF-Internet doing IP lookup. This router will have a longest match for networks in VRF-B pointing back to the Internet VRF into your MPLS cloud. The path back, VRF-B to VRF-A, is established in the same manner. Thus IP connectivity can be established through the first IP router connected to the VRF-Internet.

You could prevent this by applying an access-list on the outgoing interface in VRF-Internet denying inter-VRF traffic.

Hope this helps! Please rate all posts.

Regards, Martin

Hi,

I agree with you. Sometimes I get confused with non-MPLS / native routing. I did briefly test and there was no communication between VRF-A and VRF-B.

Cheers

slal

osman-kh1
Level 1

The MPLS LER, which is the edge MPLS router, when it runs CEF with tag switching will attach a label to the default route learnt from the CE. So in this case a label is attached to the default route, and CEF will also keep a fast-switched entry for the default pointing to the next-hop interface, which is the CE router interface from where the LER has learnt the route.

Therefore, when VRF-A or VRF-B send packets which follow the default route from VRF-Internet, the Layer-3 lookup will not happen on the VRF-Internet LER router; it will pop the label and CEF will send the packet to the next-hop interface, which will be the CE router...

I hope this answers your query.

Usman

CCNP (Sydney, Australia)

Very nice explanation. Martin, I quite agree with you also. My point though is that VRF-A and VRF-B cannot communicate unless the packet reaches the Internet CE router. This implies that connectivity between the 2 VPNs is dependent on the routing table of the CE for VRF-Internet.

The IP address space used by the VPNs should not be known by the Internet CE route table (this could be private IP addresses), hence connectivity would not be possible between the VPNs. However, the public IP addresses used for connectivity to the Internet would be known, and there would be connectivity between these.

However, again, it is my opinion that it is desired that there should be connectivity between the public IP addresses. If not, your customers will not be able to communicate with each other. This situation can be worse if they are locally hosting services such as email and web. You might get calls that a customer cannot access the website of another of your customers.

Anyway, with proper route-target configuration, the SP network should have routed the packets across the core, and not through the Internet CE (via the default route). This can avoid the situation noted above.

Thanks for the good explanation, Usman.
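
A toy forwarding model of the scenario discussed in this thread, added here as an illustration and not posted by any participant: it builds each VRF's table from route-target import/export, then traces a VRF-A to VRF-B packet with and without the CE knowing the VPN prefixes and with and without the egress ACL suggested above. The prefixes, route-target names, CE table and function names are constructed assumptions, and the model covers route import and longest-prefix match only, not label handling on real routers.

```python
import ipaddress

# Constructed addressing and route-target names; the thread gives none.
VRFS = {
    "VRF-A": {"local": ["10.1.0.0/16"], "export": "rt-a",
              "import": {"rt-a", "rt-inet"}},
    "VRF-B": {"local": ["10.2.0.0/16"], "export": "rt-b",
              "import": {"rt-b", "rt-inet"}},
    "VRF-Internet": {"local": ["0.0.0.0/0"], "export": "rt-inet",
                     "import": {"rt-a", "rt-b", "rt-inet"}},
}
VPN_PREFIXES = VRFS["VRF-A"]["local"] + VRFS["VRF-B"]["local"]

def build_rib(name):
    """Prefix -> originating VRF. Only locally originated routes are
    exported, so a leaked route is never re-exported into a third VRF."""
    return {p: origin for origin, v in VRFS.items()
            if v["export"] in VRFS[name]["import"] for p in v["local"]}

def lookup(rib, dst):
    """Longest-prefix match; returns the value for the best prefix or None."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in rib
            if addr in ipaddress.ip_network(p)]
    return rib[str(max(hits, key=lambda n: n.prefixlen))] if hits else None

def is_vpn_addr(ip):
    return lookup({p: True for p in VPN_PREFIXES}, ip) is True

def trace(src_vrf, src, dst, ce_knows_vpn_prefixes, egress_acl):
    """Follow one packet and report where it ends up."""
    origin = lookup(build_rib(src_vrf), dst)
    if origin != "VRF-Internet":
        return f"delivered inside the MPLS core to {origin}"
    # Default route matched: the packet leaves on the VRF-Internet
    # interface toward the CE, where the egress ACL (if any) applies.
    if egress_acl and is_vpn_addr(src) and is_vpn_addr(dst):
        return "dropped by ACL on the VRF-Internet interface"
    # The CE performs the first IP lookup (constructed CE table).
    ce_rib = {"0.0.0.0/0": "ISP"}
    if ce_knows_vpn_prefixes:
        ce_rib.update({p: "VRF-Internet" for p in VPN_PREFIXES})
    if lookup(ce_rib, dst) == "ISP":
        return "forwarded to the ISP"
    return f"hairpinned by the CE to {lookup(build_rib('VRF-Internet'), dst)}"
```

In this model the only path from VRF-A to VRF-B is the hairpin through the CE, so isolation depends on the CE's routing table or on the egress ACL.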