4662 Views, 7 Helpful, 7 Replies

VRF based design

Hi Guys,

I am working on one Enterprise network design where virtualization is the main concern, so we decided on EVN, but unfortunately only 32 EVNs are supported by Cisco. We moved back to the old VRF technology.

The requirement for VRFs is around 600 in number and it's an enterprise network. My concern is whether VRF or VRF Lite is good in this scenario.

The main concern is that some sets of VLANs (e.g. 2,3,4,5) should be mapped to one VRF, and so on. There are only two core switches which need to run VRF, and those switches are also in VSS mode.

Please advise on the above scenario.

Thanks in Advance

7 Replies

sean_evershed
Level 7

Hi,

The Path Isolation design guide offers advice on the topic:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html

It states that if the "goal is to provide hub-and-spoke connectivity, VRF-Lite and GRE are a very good option". If however the goal is, "to provide any-to-any type of connectivity inside each virtual network, MPLS VPN represents a better option."

You have made no mention of your distribution and access tiers. The guide also states that,

"In designs where the platforms deployed at the distribution layer are not MPLS capable, the use of some other technique (such as VRF-lite) is required to extend the VRF isolation to a PE device deployed in the core."

Don't forget to rate all posts that are helpful.

Cheers

Sean

Thanks for the reply Sean.

It's a collapsed core design, with two 650x in VSS mode in the core, connected to 2960 switches. For sure the 2960 has no VRF.

Planning to map Layer 2 VLANs to the VRF in the core; let's say VLAN 2,3,4,5 will have respective SVI interfaces and these will be mapped to VRF Red-Zone, and VLAN 6,7,8,10 will be mapped to the Green-Zone VRF.

Both VRFs will not have permission to communicate with each other.

The main concept for this design is traffic separation. EVN was the good choice but has a limitation of only up to 32. So now which will be the recommended design, VRF or VRF Lite?

Any suggestions?

Hi,

Given that you plan to deploy 600 VRFs, MPLS VPN may be a better option than VRF Lite.

There are some good VRF references to be found at Cisco Live:

https://www.ciscolive365.com/connect/publicDashboard.ww

Have a look at BRKRST-2069, Network Virtualisation Design Concepts. It makes the following recommendations for VRF Lite:

- Used for a small number of VRFs, i.e. less than 8.

- The hop count is small, usually 1 or 2.

- Seen frequently between the Access and Distribution layers.

MPLS VPNs are used for:

- Large number of VRFs.

- Any-to-any connectivity across an MPLS-enabled core.

Cheers

Sean

Hi Sean,

In this design there are only two 6500 switches which will have VRF configuration, and these two are in VSS mode so we can consider them as one box.

Do I just need to enable MPLS in the core, because there are no other devices which will act as P or PE? The rest of the switches, i.e. the 2960s, are L2 switches.

I did some labs to make sure things will work fine. Your comments on this will be helpful:

ip vrf green
 rd 2:2
 route-target export 2:2
 route-target import 1:1
 route-target import 3:3
!
ip vrf red
 rd 1:1
 route-target export 1:1
 route-target import 2:2
 route-target import 3:3
!
ip vrf shared
 rd 3:3
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
interface Loopback150
 ip vrf forwarding shared
 ip address 172.16.16.1 255.255.255.0
!
interface GigabitEthernet9/1
 switchport
 switchport trunk allowed vlan 1-109,111-4094
 switchport mode trunk
 spanning-tree guard root
!
interface Vlan90
 ip vrf forwarding red
 ip address 192.168.90.1 255.255.255.0
!
interface Vlan91
 description VRF-Green-Interface
 ip vrf forwarding green
 ip address 192.168.91.1 255.255.255.0
!
router ospf 91 vrf green
 redistribute bgp 65000 subnets
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 90 vrf red
 redistribute bgp 65000 subnets
 network 0.0.0.0 255.255.255.255 area 0
!
router ospf 150 vrf shared
 redistribute bgp 65000 subnets
 network 0.0.0.0 255.255.255.255 area 0
!
router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 !
 address-family ipv4 vrf green
  redistribute connected
  redistribute ospf 91
 exit-address-family
 !
 address-family ipv4 vrf red
  redistribute connected
  redistribute ospf 90
 exit-address-family
 !
 address-family ipv4 vrf shared
  redistribute connected
  redistribute ospf 150
 exit-address-family
!

CC-CORE-SW1#sh ip bgp vpnv4 all
BGP table version is 10, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external, f RT-Filter
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 1:1 (default for vrf red)
*> 172.16.16.0/24   0.0.0.0                  0         32768 ?
*> 192.168.90.0     0.0.0.0                  0         32768 ?
*> 192.168.91.0     0.0.0.0                  0         32768 ?
Route Distinguisher: 2:2 (default for vrf green)
*> 172.16.16.0/24   0.0.0.0                  0         32768 ?
*> 192.168.90.0     0.0.0.0                  0         32768 ?
*> 192.168.91.0     0.0.0.0                  0         32768 ?
Route Distinguisher: 3:3 (default for vrf shared)
*> 172.16.16.0/24   0.0.0.0                  0         32768 ?
*> 192.168.90.0     0.0.0.0                  0         32768 ?
*> 192.168.91.0     0.0.0.0                  0         32768 ?

CC-CORE-SW1#sh ip bgp
CC-CORE-SW1#sh ip route vrf green

Routing Table: green
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B        172.16.16.0/24 is directly connected (shared), 00:26:27, Loopback150
L        172.16.16.1/32 is directly connected, Loopback150
      192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.90.0/24 is directly connected (red), 00:26:27, Vlan90
L        192.168.90.1/32 is directly connected, Vlan90
      192.168.91.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.91.0/24 is directly connected, Vlan91
L        192.168.91.1/32 is directly connected, Vlan91

CC-CORE-SW1#sh ip route vrf red

Routing Table: red
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
B        172.16.16.0/24 is directly connected (shared), 00:26:30, Loopback150
L        172.16.16.1/32 is directly connected, Loopback150
      192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.90.0/24 is directly connected, Vlan90
L        192.168.90.1/32 is directly connected, Vlan90
      192.168.91.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.91.0/24 is directly connected (green), 00:26:30, Vlan91
L        192.168.91.1/32 is directly connected, Vlan91

CC-CORE-SW1#sh ip route vrf shared

Routing Table: shared
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.16.0/24 is directly connected, Loopback150
L        172.16.16.1/32 is directly connected, Loopback150
      192.168.90.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.90.0/24 is directly connected (red), 00:26:35, Vlan90
L        192.168.90.1/32 is directly connected, Vlan90
      192.168.91.0/24 is variably subnetted, 2 subnets, 2 masks
B        192.168.91.0/24 is directly connected (green), 00:26:35, Vlan91
L        192.168.91.1/32 is directly connected, Vlan91
CC-CORE-SW1#
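The lab above leaks routes between VRFs through BGP route-target import/export, so whether red and green stay isolated is decided entirely by those RT sets. As an added example (not from the thread, Cisco, or the poster), the following Python audit parses the posted `ip vrf` stanzas, derives which VRF can see which other VRF's routes, and flags tenant-to-tenant leaks against the policy stated earlier in the thread (tenants isolated from each other, a shared VRF reachable by all). The VRF names come from the lab config; the `shared`-only policy and the function names are my assumptions.

```python
import re

# Constructed sample input: the three 'ip vrf' stanzas from the lab config
# posted in this thread, embedded so the script runs offline.
LAB_CONFIG = """
ip vrf green
 route-target export 2:2
 route-target import 1:1
 route-target import 3:3
!
ip vrf red
 route-target export 1:1
 route-target import 2:2
 route-target import 3:3
!
ip vrf shared
 route-target export 3:3
 route-target import 1:1
 route-target import 2:2
!
"""

def parse_vrfs(config):
    """Map each VRF (classic 'ip vrf' syntax only) to its import/export RT sets."""
    vrfs, current = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"ip vrf (\S+)$", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"export": set(), "import": set()}
        elif line == "!":
            current = None  # '!' closes the stanza
        elif current:
            m = re.match(r"route-target (export|import) (\S+)$", line)
            if m:
                vrfs[current][m.group(1)].add(m.group(2))
    return vrfs

def leak_matrix(vrfs):
    """VRF a receives VRF b's routes when a imports an RT that b exports."""
    return {a: {b for b, pb in vrfs.items() if a != b and pa["import"] & pb["export"]}
            for a, pa in vrfs.items()}

def policy_violations(vrfs, allowed_peer="shared"):
    """Tenant pairs that exchange routes directly. Policy assumed from the
    thread: only the 'shared' VRF may see, or be seen by, a tenant VRF."""
    return [(a, b) for a, peers in leak_matrix(vrfs).items()
            for b in sorted(peers) if allowed_peer not in (a, b)]
```

On the posted config this reports green and red as seeing each other, which matches the B-coded red prefix in the green routing table (and vice versa) in the `sh ip route vrf` output; removing the cross-tenant `route-target import` lines and keeping only the `3:3` import clears the report.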


Based on what you described about your network, VRF Lite is the way to go: define the required VRFs in the core/distribution VSS and then assign them to the respective SVIs for end-to-end path isolation. No need for MPLS or tunneling because you are not spanning multiple Layer 3 nodes.

Hope this helps

Sent from Cisco Technical Support iPad App

Hi Marwanshawi,

Thanks for the reply,

It's a big residential compound and for each unit (600 units in total) there is one VRF in order to keep isolation among all units' traffic.

It is a collapsed core network design and the core is in VSS mode (with two 650x switches). Mapping of SVIs to VRFs will be done in the core.

I am in discussion with a pre-sales engineer and he suggested VRF with MPLS, but I am also confused: when there is only one switch (2 650x in VSS), what is the need for MPLS? Will MPLS work in this solution, or do I just have to go with a simple VRF Lite solution for 600 VRFs and mapping of some SVIs to them?

For route leaking, BGP will be used with the redistribute connected command at the required places.

Looking for your advice on it, and it will help if you can provide any supporting document for this solution.

Can you elaborate what "because you are not spanning multiple layer 3 nodes" means? I did not get it.

Thanks.

Regards,

FRK

Hi

If you are not going to expand your core/distribution to multiple switches (a VSS pair is considered one logical switch) then there is no need to use MPLS.

Keep it simple

And you're right that local BGP can be used in the VSS collapsed core for route leaking if required.

Sent from Cisco Technical Support iPad App
