05-22-2007 10:13 AM
Can someone please help me with the configuration of vrf-lite both at CE and PE. I am using eigrp as routing protocol between my CE and PE.
05-22-2007 11:07 AM
Hi,
You don't need VRF-lite on a PE, as the PE would have MPLS/VRF on it (if we are talking about an MPLS provider), accordingly you need VRF-lite on CE (multi-VRF router), all that you need is to create VRF and use EIGRP address-family.
But please note that AFAIK VRF-lite is not supported with EIGRP on some platforms and IOSs.
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
05-22-2007 11:58 AM
Hi,
To give you an example of running VRF-Lite with EIGRP:
ip vrf test
 rd 
interface x
ip vrf forwarding test
ip address t.t.t.t
!
router eigrp 
no auto-summary
!
address-family ipv4 vrf test
network t.t.t.t
no auto-summary
 autonomous-system 
exit-address-family
!
HTH, please do rate all helpful replies,
Mohammed Mahmoud.
05-22-2007 08:51 PM
hi Mohammed,
Could you please also give an example using BGP and OSPF? Currently I'm in the offering into customer, which one is better?
thanks
05-22-2007 11:02 PM
Hi,
Sure, you are very welcome:
1. VRF-Lite with OSPF:
ip vrf test
 rd 
interface x
ip vrf forwarding test
ip address t.t.t.t
router ospf 
log-adjacency-changes
network t.t.t.t 0.0.0.255 area 0
2. VRF-Lite with BGP:
ip vrf test
 rd 
interface x
ip vrf forwarding test
ip address t.t.t.t
router bgp 
address-family ipv4 vrf test
neighbor 
network 
HTH, please do rate all helpful replies using the scroll box on the right,
Mohammed Mahmoud.
05-22-2007 11:45 PM
Hi Mohammed,
Just a little add-on:
CE config with VRF-lite:
1. VRF-Lite with OSPF:
ip vrf test
rd 
interface x
ip vrf forwarding test
ip address t.t.t.t
router ospf 
log-adjacency-changes
network t.t.t.t 0.0.0.0 area 0
capability vrf-lite
The latter command ignores the down bit set by the PE. Otherwise you might end up with networks not installed in the IP routing table.
PE config:
ip vrf test
rd 
interface x
ip vrf forwarding test
ip address t.t.t.t
router ospf 
domain-id 0.0.0.1
network t.t.t.t 0.0.0.0 area 0
redistribute bgp 
router bgp 
address-family ipv4 vrf test
redistribute ospf 
Hope this helps! Please rate all posts.
Regards, Martin
05-22-2007 11:55 PM
Hi Martin,
You are completely right, I felt like forgetting something that caused me a lot of pain in the past :)
BR,
Mohammed Mahmoud.
05-23-2007 07:43 AM
Hi Mohammed,
You have been a great help.
Thanks.
05-23-2007 10:10 AM
Hi,
You are very welcome, please never hesitate if you have further questions.
BR,
Mohammed Mahmoud.
10-28-2007 06:09 PM
Do you guys have any example for PE and CE VRF-lite with multiple subinterfaces on a shared single DS3 or T1 circuit? Each sub-int runs its own BGP instance with traffic shaping and QoS.
thanks.
10-29-2007 05:44 AM
frame-relay switching
!
interface serial0/0/0
encapsulation frame-relay
interface serial0/0/0.1 point-to-point
ip vrf forwarding A
ip address x.x.x.x x.x.x.x
frame-relay interface-dlci 100
!
!
interface serial0/0/0
encapsulation frame-relay
interface serial0/0/0.2 point-to-point
ip vrf forwarding B
ip address y.y.y.y y.y.y.y
frame-relay interface-dlci 101
!
And so on for further interfaces.
!
router bgp 1
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf A
neighbor x.x.x.x remote-as x
no synchronization
exit-address-family
!
address-family ipv4 vrf B
neighbor y.y.y.y remote-as y
no synchronization
exit-address-family
!
And so on for further VRFs.
Here is a reference guide to configure shaping for VOIP...you can modify the values to match your requirements.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110bc6.html
HTH-Cheers,
Swaroop
08-14-2007 07:21 PM
Martin, I had a number of challenges getting VRF-Lite to work with BGP communicating between a 6500 and a 3845. Mainly I'm able to see BGP routes between VRFs but no IP routes are hitting the targeted endpoint. In this case the critical endpoint being the internet via a global services VRF that would include a WAN link currently pointing to a Service Provider. Since BGP is providing inter-VRF routes, I feel there's an issue with routes not fully being installed in the table. Here's an example configuration at the routing table in question. I believe I may be missing a neighbor statement for each VPN, but the Cisco document concerning VRF-Lite doesn't show it as a requirement.
router bgp 1
no synchronization
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf Global.Test
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf Global.Services
redistribute connected
redistribute static
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf Global.Internal.Test
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf DPOR
redistribute connected
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf BOA
redistribute connected
no auto-summary
no synchronization
exit-address-family
The Global.Services VRF is the VRF which would have connectivity to the internet. Yet when attaching the internet link to the VRF, I'm not able to get to the WAN Internet. Thoughts? The following is the BGP VPN table and the respective VRF statements and BGP statements. Thanks.
Neil.
Perimeter.CNTR.Edge-Data#sh ip bgp vpnv4 all
BGP table version is 66, local router ID is 166.61.195.129
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
Route Distinguisher: 22:100 (default for vrf BOA)
*> 8.8.2.8/32 0.0.0.0 0 32768 ?
*> 8.8.9.8/32 0.0.0.0 0 32768 ?
*> 172.16.4.8/30 0.0.0.0 0 32768 ?
*> 172.16.4.24/30 0.0.0.0 0 32768 ?
*> 172.18.4.20/30 0.0.0.0 0 32768 ?
*> 206.113.135.64/30
0.0.0.0 0 32768 ?
Route Distinguisher: 25:100 (default for vrf DPOR)
*> 8.8.5.8/32 0.0.0.0 0 32768 ?
*> 8.8.9.8/32 0.0.0.0 0 32768 ?
*> 172.17.4.20/30 0.0.0.0 0 32768 ?
*> 172.18.4.20/30 0.0.0.0 0 32768 ?
*> 206.113.135.64/30
0.0.0.0 0 32768 ?
Route Distinguisher: 50:200 (default for vrf Global.Services)
*> 8.8.9.8/32 0.0.0.0 0 32768 ?
Network Next Hop Metric LocPrf Weight Path
*> 172.18.4.20/30 0.0.0.0 0 32768 ?
*> 206.113.135.64/30
0.0.0.0 0 32768 ?
Route Distinguisher: 90:400 (default for vrf Global.Internal.Test)
*> 8.8.10.8/32 0.0.0.0 0 32768 ?
*> 172.18.4.24/30 0.0.0.0 0 32768 ?
Perimeter.CNTR.Edge-Data#sh run
ip vrf BOA
description BOA Perimeter-Center VRF Production Environment
rd 22:100
route-target export 22:100
route-target import 22:100
route-target import 50:200
ip vrf DPOR
description DPOR Perimter-Center VRF Production Environment
rd 25:100
route-target export 25:100
route-target import 25:100
route-target import 50:200
ip vrf Global.Services
description Perimeter Center Global IP Services
rd 50:200
route-target export 50:200
route-target export 22:100
route-target export 25:100
route-target import 50:200
08-15-2007 12:02 AM
Hi Neil,
Some comments and questions:
1) Use private AS numbers (64512 - 65535) for BGP, RDs and RTs. What you are doing is like using illegal IP addresses - would not hurt in the beginning but could grow into a major pain some years later requiring major migration steps.
2) You only give the control plane configuration, i.e. VRF and BGP. Where is the data plane config, i.e. interfaces? In VRF lite you need to interconnect the VRFs between two routers, not only the global routing table. This means in case you have R1 - R2 - R3 then you need a separate (sub-)interface per VRF between R1 and R2 and between R2 and R3.
3) The routing between VRF enabled routers needs to be hop-by-hop, i.e. you need to apply to your VRFs the same routing design rules as with normal routers. This can cause some headache, depending on the protocol chosen, f.e. with 50 VRFs you would need 50 OSPF processes on every VRF-lite router.
So what does the rest of your topology look like and what addresses the issues I mention? Not addressing them would explain your connectivity issues.
Regards, Martin
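An audit of the two control-plane points raised above (private AS numbers in RDs and RTs, and which VRFs actually exchange routes), as an added example that is not part of any post in this thread. It parses ip vrf stanzas, lists RD/RT values whose AS field is outside 64512-65535, and derives which VRF's exported route-targets another VRF imports; the sample is constructed from the three stanzas quoted earlier in the thread and the function names are hypothetical.

```python
import re

# Constructed sample: the three "ip vrf" stanzas as first posted in the thread.
SAMPLE = """\
ip vrf BOA
 rd 22:100
 route-target export 22:100
 route-target import 22:100
 route-target import 50:200
ip vrf DPOR
 rd 25:100
 route-target export 25:100
 route-target import 25:100
 route-target import 50:200
ip vrf Global.Services
 rd 50:200
 route-target export 50:200
 route-target export 22:100
 route-target export 25:100
 route-target import 50:200
"""

PRIVATE_AS = range(64512, 65536)  # 2-byte private range named in the reply

def parse_vrfs(config):
    """Map VRF name -> {'rd': set, 'import': set, 'export': set}."""
    vrfs, cur = {}, None
    for line in map(str.strip, config.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"rd": set(), "import": set(), "export": set()})
        elif cur and (m := re.fullmatch(r"rd (\S+)", line)):
            cur["rd"].add(m[1])
        elif cur and (m := re.fullmatch(r"route-target (import|export|both) (\S+)", line)):
            for kind in (("import", "export") if m[1] == "both" else (m[1],)):
                cur[kind].add(m[2])
    return vrfs

def non_private(vrfs):
    """(vrf, value) pairs whose ASN:nn admin field is outside the private range."""
    return sorted({(name, val) for name, v in vrfs.items()
                   for val in v["rd"] | v["import"] | v["export"]
                   if val.split(":")[0].isdigit()
                   and int(val.split(":")[0]) not in PRIVATE_AS})

def route_flows(vrfs):
    """(exporter, importer) pairs where an exported RT is imported by another VRF."""
    return sorted((a, b) for a in vrfs for b in vrfs
                  if a != b and vrfs[a]["export"] & vrfs[b]["import"])
```

On the stanzas as first posted, route_flows returns only Global.Services to BOA and Global.Services to DPOR: Global.Services imports nothing but its own route-target, and BOA and DPOR do not import each other's.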
08-15-2007 08:17 AM
Thanks for the advice on ASN numbering. Routing process info is as follows; they basically represent an array of organizations moving into a single building, they're in need of obviously separate virtual routing domains. With the Global Services VRF functioning as an Internet Gateway VRF for all other VRF environments.
This serves as an example of each separate organizational interface configuration. Also included is a static route pointing all IP Services to the Internet Gateway.
interface Vlan29
description Global Test VRF LAN Environment
ip vrf forwarding Global.Services
ip address 192.168.29.17 255.255.255.240
interface GigabitEthernet1/48.329
description Global IP Services Test VRF
encapsulation dot1Q 329
ip vrf forwarding Global.Services
ip address 172.18.4.21 255.255.255.252
ip ospf network broadcast
ip ospf cost 1
ip ospf priority 0
!
router ospf 29 vrf Global.Services
log-adjacency-changes
capability vrf-lite
redistribute connected
redistribute static
network 172.18.4.20 0.0.0.3 area 0
network 192.168.29.16 0.0.0.15 area 1
ip route vrf Global.Services 206.113.135.65 255.255.255.255 GigabitEthernet1/48.329 172.18.4.22
Other Side of Data center WAN
interface GigabitEthernet0/0.329
description description Global IP Services Test VRF
encapsulation dot1Q 329
ip vrf forwarding Global.Services
ip address 172.18.4.22 255.255.255.252
ip ospf network broadcast
ip ospf cost 1
bridge-group 29
!
Additionally, there is an export map for delivery from Side 1 (3845) to Side 2 (6500) of the WAN. Bonus question: does the export route map have to exist on both sides of the configuration from a VRF standpoint?
route-map Global.Services.Route-MAP permit 10
match ip address prefix-list DPOR.Prefix
!
route-map Global.Services.Route-MAP permit 20
match ip address prefix-list BOA.Prefix
ip prefix-list BOA.Prefix seq 10 permit 192.168.1.0/24
!
ip prefix-list DPOR.Prefix seq 10 permit 172.16.0.0/16
!
ip vrf Global.Services
description Perimeter Center Global IP Services
rd 50:200
export map Global.Services.Route-MAP
route-target export 50:200
route-target import 50:200
route-target import 22:100
route-target import 25:100
VRF Global Services was put on the Internet-facing interface of the router, yet internet addresses were not pingable or accessible. When reconfigured to another more basic VRF configuration, the internet works.
Thanks Martin - Neil Barnett / Internetwork Archetype
08-15-2007 09:28 AM
Reading through your notes and to summarize, you have a couple of customers in a building aggregating on a 6500 which connects to a 3800 which in turn connects to the internet. (I have to assume the topology in the absence of the topo diag :-) )
In this case, you would be having VRFs configured only in the 6500, one VRF per customer on their SVI and one VRF for the internet on the interface which connects to the 3800.
In each customer VRF you would be importing the internet reachability provided through the global services VRF and exporting the source routes to the global services VRF. (I believe the natting is taken care of to reach the internet as the source would be a private IP.)
If this is the case as described above then you shouldn't be having any problems as it's quite straightforward.
If your case is a little different than described then can you please attach a running config of the 6500 and 3800 (with hostnames so it's easy to identify the config with the devices) and the topology map.
HTH-Cheers,
Swaroop
 
					
				
				
			
		