cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4910
Views
42
Helpful
17
Replies

VRF-lite

Can someone please help me with the configuration of vrf-lite both at CE and PE. I am using eigrp as routing protocol between my CE and PE.

1 Accepted Solution

Accepted Solutions

Hi,

To give you an example of running VRF-Lite with EIGRP:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

!

router eigrp

no auto-summary

!

address-family ipv4 vrf test

network t.t.t.t

no auto-summary

autonomous-system

exit-address-family

!

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

View solution in original post

17 Replies 17

mohammedmahmoud
Level 11
Level 11

Hi,

You don't need VRF-lite on a PE, as the PE would have MPLS/VRF on it (if we are talking about an MPLS provider), accordingly you need VRF-lite on CE (multi-VRF router), all that you need is to create VRF and use EIGRP address-family.

But please note that AFAIK VRF-lite is not supported with EIGRP on some platforms and IOSs.

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

Hi,

To give you an example of running VRF-Lite with EIGRP:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

!

router eigrp

no auto-summary

!

address-family ipv4 vrf test

network t.t.t.t

no auto-summary

autonomous-system

exit-address-family

!

HTH, please do rate all helpful replies,

Mohammed Mahmoud.

hi Mohammed,

Could you please also give an example using BGP and OSPF. Currently I'm in the offering into costumer which one is better..

thanks

Hi,

Sure, you are very welcomed:

1.VRF-Lite with OSPF:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

router ospf vrf test

log-adjacency-changes

network t.t.t.t 0.0.0.255 area 0

2.VRF-Lite with BGP:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

router bgp

address-family ipv4 vrf test

neighbor remote-as

network mask

HTH, please do rate all helpful replies using the scroll box on the right,

Mohammed Mahmoud.

Hi Mohammed,

Just a little add-on:

CE config with VRF-lite:

1.VRF-Lite with OSPF:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

router ospf vrf test

log-adjacency-changes

network t.t.t.t 0.0.0.0 area 0

capability vrf-lite

The latter command ignores the down bit set by the PE. Otherwise you might end up with networks not installed in the IP routing table.

PE config:

ip vrf test

rd

interface x

ip vrf forwarding test

ip address t.t.t.t

router ospf vrf test

domain-id 0.0.0.1

network t.t.t.t 0.0.0.0 area 0

redistribute bgp subnets

router bgp

address-family ipv4 vrf test

redistribute ospf vrf test match internal external 1 external 2

Hope this helps! Please rate all posts.

Regards, Martin

Hi Martin,

You are completely right, i felt like forgetting something that caused me a lot of pain in the past :)

BR,

Mohammed Mahmoud.

Hi Mohammed,

You have been a great help.

Thanks.

Hi,

You are very welcomed, please never hesitate if you have further questions.

BR,

Mohammed Mahmoud.

Do you guys have any example for PE and CE vrf-lite with multiple subinterfaces on a shared single DS3 or T1 circuit. each sub-int runs its own BGP instance with traffic shaping and QoS.

thanks.

frame-relay switching

!

interface serial0/0/0

encapsulation frame-relay

interface serial0/0/0.1 point-to-point

ip vrf forwarding A

ip address x.x.x.x x.x.x.x

frame-relay interface-dlci 100

!

!

interface serial0/0/0

encapsulation frame-relay

interface serial0/0/0.2 point-to-point

ip vrf forwarding B

ip address y.y.y.y y.y.y.y

frame-relay interface-dlci 101

!

And So on for further interfaces.

!

router bgp 1

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf A

neighbor x.x.x.x remote-as x

no synchronization

exit-address-family

!

address-family ipv4 vrf B

neighbor y.y.y.y remote-as y

no synchronization

exit-address-family

!

And so on for further VRF's

Here is a reference guide to configure shaping for VOIP...you can modify the values to match your requirements.

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bc6.html

HTH-Cheers,

Swaroop

Martin, I had a number of challenges getting VRF-Lite to work with bgp communicating between a 6500 and a 3845. Mainly i'm able to see bgp routes between vrf's but no ip routes are hitting the targeted endpoint. In this case the critical endpoint being the internet via a global services vrf that would include a wan link currently point to a Service Provider. Since BGP is providing inter vrf routes, I feel their's an issue with routes not fully being installed in the table. Here's an example configuration at the routing table in question. I believe i may be missing a neighbor statement for each vpn, but the cisco document concerning vrf-lite doesnt show it as a requirement.

router bgp 1

no synchronization

bgp log-neighbor-changes

no auto-summary

!

address-family ipv4 vrf Global.Test

redistribute connected

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf Global.Services

redistribute connected

redistribute static

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf Global.Internal.Test

redistribute connected

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf DPOR

redistribute connected

no auto-summary

no synchronization

exit-address-family

!

address-family ipv4 vrf BOA

redistribute connected

no auto-summary

no synchronization

exit-address-family

The Global.Services VRF is the vrf which would have connectivity to the internet. Yet when attaching the internet link to the vrf, im not able to get to the WAN Internet. Thoughts, the following is the bgp vpn table and respect vrf statements and bgp statements. Thanks.

Neil.

Perimeter.CNTR.Edge-Data#sh ip bgp vpnv4 all

BGP table version is 66, local router ID is 166.61.195.129

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale

Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 22:100 (default for vrf BOA)

*> 8.8.2.8/32 0.0.0.0 0 32768 ?

*> 8.8.9.8/32 0.0.0.0 0 32768 ?

*> 172.16.4.8/30 0.0.0.0 0 32768 ?

*> 172.16.4.24/30 0.0.0.0 0 32768 ?

*> 172.18.4.20/30 0.0.0.0 0 32768 ?

*> 206.113.135.64/30

0.0.0.0 0 32768 ?

Route Distinguisher: 25:100 (default for vrf DPOR)

*> 8.8.5.8/32 0.0.0.0 0 32768 ?

*> 8.8.9.8/32 0.0.0.0 0 32768 ?

*> 172.17.4.20/30 0.0.0.0 0 32768 ?

*> 172.18.4.20/30 0.0.0.0 0 32768 ?

*> 206.113.135.64/30

0.0.0.0 0 32768 ?

Route Distinguisher: 50:200 (default for vrf Global.Services)

*> 8.8.9.8/32 0.0.0.0 0 32768 ?

Network Next Hop Metric LocPrf Weight Path

*> 172.18.4.20/30 0.0.0.0 0 32768 ?

*> 206.113.135.64/30

0.0.0.0 0 32768 ?

Route Distinguisher: 90:400 (default for vrf Global.Internal.Test)

*> 8.8.10.8/32 0.0.0.0 0 32768 ?

*> 172.18.4.24/30 0.0.0.0 0 32768 ?

Perimeter.CNTR.Edge-Data#sh run

ip vrf BOA

description BOA Perimeter-Center VRF Production Environment

rd 22:100

route-target export 22:100

route-target import 22:100

route-target import 50:200

ip vrf DPOR

description DPOR Perimter-Center VRF Production Environment

rd 25:100

route-target export 25:100

route-target import 25:100

route-target import 50:200

ip vrf Global.Services

description Perimeter Center Global IP Services

rd 50:200

route-target export 50:200

route-target export 22:100

route-target export 25:100

route-target import 50:200

mheusing
Cisco Employee
Cisco Employee

Hi Neil,

Some comments and questions:

1) Use private AS numbers (64512 - 65535) for BGP, RDs and RTs. What you are doing is like using illegal IP addresses - would not hurt in the beginning but could grow into a major pain some years later requiring major migration steps.

2) You only give the control plane configuration, i.e. VRF and BGP. Where is the data plane config, i.e. interfaces? In VRF lite you need to interconnect the VRFs between two routers, not only the global routing table. This means in case you have R1 - R2 - R3 then you need a separate (sub-)interface per VRF between R1 and R2 and between R2 and R3.

3) The routing between VRF enabled routers needs to be hop-by-hop, i.e. you need to apply to your VRFs the same routing design rules as with normal routers. This can cause some headache, depending on the protocol chosen, f.e. with 50 VRFs you would need 50 OSPF processes on every VRF-lite router.

So what does the rest of your topology look like and what addresses the issues I mention? Not addressing them would explain your connectivity issues.

Regards, Martin

Thanks for the Advance on ASN Numbering. Routing Process Info is as follows, they basically represent an array of organizations moving into a single building, their in need of obviously separate virtual routing domains. With the Global Services VRF functioning as a Internet Gateway VRF for all other VRF Environments.

This Servers as an example of each separate organizational interface configuration. Also included is a static route pointing all IP Services to the Internet Gateway.

interface Vlan29

description Global Test VRF LAN Environment

ip vrf forwarding Global.Services

ip address 192.168.29.17 255.255.255.240

interface GigabitEthernet1/48.329

description Global IP Services Test VRF

encapsulation dot1Q 329

ip vrf forwarding Global.Services

ip address 172.18.4.21 255.255.255.252

ip ospf network broadcast

ip ospf cost 1

ip ospf priority 0

!

router ospf 29 vrf Global.Services

log-adjacency-changes

capability vrf-lite

redistribute connected

redistribute static

network 172.18.4.20 0.0.0.3 area 0

network 192.168.29.16 0.0.0.15 area 1

ip route vrf Global.Services 206.113.135.65 255.255.255.255 GigabitEthernet1/48.329 172.18.4.22

Other Side of Data center WAN

interface GigabitEthernet0/0.329

description description Global IP Services Test VRF

encapsulation dot1Q 329

ip vrf forwarding Global.Services

ip address 172.18.4.22 255.255.255.252

ip ospf network broadcast

ip ospf cost 1

bridge-group 29

!

Additionally Their is an export map for delivery from Side 1 (3845) to Side 2(6500) of the Wan. Bonus Question does the export route map have to exist of both sides of the configuration from a VRF Standpoint.

route-map Global.Services.Route-MAP permit 10

match ip address prefix-list DPOR.Prefix

!

route-map Global.Services.Route-MAP permit 20

match ip address prefix-list BOA.Prefix

ip prefix-list BOA.Prefix seq 10 permit 192.168.1.0/24

!

ip prefix-list DPOR.Prefix seq 10 permit 172.16.0.0/16

!

ip vrf Global.Services

description Perimeter Center Global IP Services

rd 50:200

export map Global.Services.Route-MAP

route-target export 50:200

route-target import 50:200

route-target import 22:100

route-target import 25:100

VRF Global Services was put on the Internet Facing Interface of the Router, yet internet address we're not pingable or accessesable. When reconfigured to another more basic VRF Configuration, the internet works.

Thanks Martin - Neil Barnett / Internetwork Archetype

Reading through your notes and to summarize, you have couple of customer in a building aggregating on a 6500 which connects to a 3800 which in turn connects to the internet. (I have to assume the topology in the absence of the topo diag :-) )

In this case, you would be having VRF's configured only in the 6500, one vrf per customer on their SVI and one VRF for the internet on the interface which connects to the 3800.

In each customer VRF you would be importing the internet reachability provided through the global services vrf and exporting the source routes to the global services vrf. ( I believe the natting is taken care of to reach the internet as the source would be a private ip).

If this is the case as described above then you shouldnt be having any problems as its quite straight forward.

If your case is a little different than described then can you pls attach a running config of 6500 and 3800 (with hostnames so its easy to identify the config with the devices) and the topology map.

HTH-Cheers,

Swaroop