Showing results for 
Search instead for 
Did you mean: 

Multitenant CE - unable to configure VRF Lite

Salvatore Amico

Hey everyone,

I'll explain a little bit of what we are trying to accomplish.  I work for a state service provider that supports transport for about 50 state agencies (customers).  Our network currently is running MPLS (OSPF IGP) in our core with 3 route reflectors.  Layer 3 MPSL VPNs are used for customer isolation.  All of our PEs are route reflector clients to each of these RRs.  Since we do not own media to each of our buildings, we are utilizing EVPL supplied by Verizon to connect our PEs to multiple CEs that typically house multiple customers.  We have a 1 Gbps EVPL circuit at our PE and typically a 10 or 100mbps EVPL circuit at the CE location.  Verizon assigns us a VLAN (EVC) for connection between the PE to each CE.  We then sub interface the EVPL interface on the PE with dot1q encapsulation for the assigned EVC.  The same is done on the CE side. 

The issue comes with supporting multiple customers at these sites.  Since we are sub interfacing the connection facing Verizon, we cannot create multiple sub interfaces (one for each customer's VRF) to connect back to the PE (VRF-Lite).  If we could, then we could run eBGP for each customer.  Instead these CEs peer with the RRs and have MPLS/OSPF extended down to them, essentially creating additional PEs.  Our RRs are up to about 120 of these extra peers.  This is clearly not very scalable either.

We have looked at a some solutions:

1)Create multiple GRE tunnels and use separate loopbacks for unique source/destination.  This will work, but now we have additional loopbacks to create and tunnels for each customer per location.

2) Create multiple GRE tunnels using the same  source and destination using tunnel keys.  It works, but my concern is  that by using keys, traffic will then be software switched rather than  hardware switched, which will not be very scalable. 

2) Have Verizon issue multiple EVCs, one for each customer at each site.  This also will work, however, there are limitations on how many EVCs that we can assign to a single EVPL circuit at the PE.  Currently a 1Gbps EVPL circuit can support up to 75 EVCs. this will not scale well.

3) Configuring Q-in-Q at both ends of the circuit in order to send multiple VLANs from the CE to the PE.  This will not work since the PE side will also need to be set to Q-in-Q and there would be no way to set multiple S tags for multiple locations.

We have an onsite CCIE SP and this is stumping him as well.

Any thoughts would be greatly appreciated!

Salvatore Amico

2 Replies 2



Just a wild thought here, but you could try running MPLS inside the EVC from Verizon. You'll lose a bit of available MTU with all the extra tagging & labelling bit you'll end up with more options?

I assume your CEs are MPLS capable?


Sent from Cisco Technical Support iPhone App

Marwan ALshawi
VIP Alumni
VIP Alumni

did you try mpls over DMVPN ? not sure if its ok to enable the CE tunnel interface with mpls

but in this case you can have on tunnel at the PE ( Hube ) and the CEs can connect to it over the mgre tunnel

using a vrf on the PE you can then redistribute customers routing to the relevant VRF/MP-BGP

also if you have multiple customers/VRF in a CE by enabling MPLS 0ver DMVPN you can label stack the traffic and have it end to end mpls with MP-BGP/VRFs separated

other option but not sure if its best practice is to enable mpls between multi tenant CEs and the PE and enable a L2VPN you can have multiple L2TPv3 or AToM tunnels identified by the VLAN ID

also Cisco ME serirse ethernet access switches can be used as a CE in this case

once a separate L2VPN is extended per customer/VRF from the CE to the PE you can rung over this virtual tunnel routing for end to end L3 communication

hope this help

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: