I Need Some Guidance On Configuring VRF In a MPLS Environment

Cliff2018
Level 1

Hello, I've been asked by my boss to configure a VRF so he can access an Enclave server, which resides in our data center, from his laptop in his office. He wants me to use his MAC address and to configure it from an open port in his office. I have never configured a VRF before, so any help would be highly appreciated!

 

We have an MPLS environment and are using EIGRP. Please let me know if you need any other information.

 

Below are the basic configs I have put together so far.

ip vrf Boss1
rd 1:1
ip vrf Boss2
rd 2:2
exit

interface FastEthernet0/0.1
no shut
encapsulation dot1Q 100
ip vrf forwarding Boss1
ip address 10.0.0.1 255.255.255.0
exit
interface FastEthernet0/0.2
no shut
encapsulation dot1Q 200
ip vrf forwarding Boss2
ip address 10.0.0.1 255.255.255.0
exit

vrf definition Boss1
rd 1:1
route-target both 1:1
address-family ipv4
exit-address-family

vrf definition Boss2
rd 2:2
route-target both 2:2
address-family ipv4
exit-address-family

ip route vrf Boss1 10.12.4.x 255.255.255.0 10.0.0.1
ip route vrf Boss2 10.12.4.x 255.255.255.0 10.0.0.1

 

BTW: I'm configuring this for 2 of my bosses (they both connect to the same switch within our office).

 

Thanks,

Cliff

12 Replies

Hi @Cliff2018,

Is the 10.12.4.x that “Enclave server” network?

In this MPLS L3 VPN environment, which VRF does the “Enclave server” currently reside in, and what Route-Targets are associated with it?

Cheers.

Hi Hector,

This is a fairly new installation. The enclave server was installed on Wednesday and I have not done anything on the network side. The configs are very basic from what I have been able to research from the internet.  I need to create the vrf environment and 2 different laptops need to be able to access this vrf.

 

Q: Is the 10.12.4.x that “Enclave server” network?

A: No, it would probably be 10.100.x.x

 

Q: In this MPLS L3 VPN environment, A: Yes

Q: Which VRF does the “Enclave server” currently reside in, and what Route-Targets are associated with it?

A: Please read above.

 

 

On your PE (term in MPLS jargon to refer to the Provider Edge device) you can create 2 new VRFs and advertise its directly connected networks using BGP VPNv4 with the below configuration:

 

vrf definition Boss1
rd 1:1
route-target both 1:1
address-family ipv4
exit-address-family

vrf definition Boss2
rd 2:2
route-target both 2:2
address-family ipv4
exit-address-family

 

interface FastEthernet0/0.1
no shut
encapsulation dot1Q 100
vrf forwarding Boss1
ip address 10.0.0.1 255.255.255.0
exit
interface FastEthernet0/0.2
no shut
encapsulation dot1Q 200
vrf forwarding Boss2
ip address 10.0.0.1 255.255.255.0
exit

 

router bgp <AS>

 address-family ipv4 vrf Boss1

  redistribute connected

 address-family ipv4 vrf Boss2

  redistribute connected

 

Hi Hector,

Concerning the (Provider Edge device), are you referring to our MPLS Router (ASR 1001) at our data center? Does the VRF only need to be configured at (L3)? If so, how do I allow the specific MAC address from my boss's laptop access to the enclave server using VRF?

 

Just to let you know: at our DC we have an MPLS Router (ASR 1001), a Core switch (Nexus 6000) and a 5525 ASA Firewall. At our offices, we have an ISR 4431 Router, a 3850 switch, and a 5525 ASA Firewall.

 

Thanks,

Cliff

Hi @Cliff2018,

Q: "Concerning the (Provider Edge device), are you referring to our MPLS Router (ASR 1001) at our data center?"

A: You can identify the Provider Edge in MPLS L3 VPN as the device which has the customer's VRFs configured, it advertises those via BGP VPNv4 to either Route Reflectors (most commonly) or other PEs and has LDP configured to exchange the mpls outer labels with the MPLS core.

 

Q: "Does the VRF only need to be configured at (L3)"

A: The VRF is actually a L3 configuration only.

 

Q: "how do I allow the specific MAC address from my boss's laptop access to the enclave server using VRF?"

A: That cannot be done with VRFs. If you are looking at MAC address filtering, you can perform that at Layer 2, either on the Layer 2 switch your boss's laptop connects to, using the Port-Security feature, or on your WiFi Access Points or the WLC that manages the WiFi in your network. In my opinion, restricting access to applications is more commonly done based on IP addresses or Layer 4 information (TCP/UDP ports) in a firewall or on the application server itself rather than based on MAC addresses.

 

Q: "Just to let you know: At our DC we have an MPLS Router (ASR 1001), Core switch (Nexus 6000) and a 5525 ASA Firewall. At our offices, we have a ISR 4431 Router, 3850 switch, and a 5525 ASA Firewall."

A: It sounds to me that the VRFs configuration you initially requested is just a small part of the work you have to perform to make your boss' laptop have connectivity to this new "Enclave server” application.

In my personal opinion you do not really need two VRFs configured on the PE device for your bosses but just one.

 

I'd suggest you trace the network path and confirm what you really need to configure in the network to make sure your bosses have access to the application. Once that is done and your bosses can access the application, you can then work on restricting access to only them for security purposes.

Hello Cliff,

VRFs can support overlapping IP addresses for different customers / different VPNs but not in the same VPN.

In the same VPN you would need NAT to support overlapping subnets.

 

How can the return packet from the server be routed to the correct VRF, Boss1 or Boss2, if both are using the local connected network 10.0.0.0/24?

 

What is more important to understand is that once one PC is placed in a VRF it is not in the global routing table anymore.

The server should be placed in a VRF that imports the route-targets 1:1 and 2:2, but the two VRFs Boss1 and Boss2 should use different IP subnets, like 10.0.0.0/24 and 10.0.1.0/24, to build a working configuration.

But when each of the two managers wants to reach the internet, additional configuration is needed to perform route leakage between each VRF and a default route coming from the global routing table.

 

If this is not acceptable for your managers, look at the usage of Private VLANs and put the two bosses on a secondary isolated VLAN so that they cannot speak to each other at OSI layer 2 but only with the default gateway.

This might be the easiest solution if all they want is to prevent the other guy from being able to listen to their own traffic.

 

Hope to help

Giuseppe

 

 

Hi Giuseppe,

Below are my updated configs. Also, my boss will not allow me to use VLANs.

vrf definition Boss1
rd 1:1
route-target both 1:1
address-family ipv4
exit-address-family

 

vrf definition Boss2
rd 2:2
route-target both 2:2
address-family ipv4
exit-address-family

 

interface FastEthernet0/0.1
no shut
encapsulation dot1Q 100
vrf forwarding Boss1
ip address 10.100.1.1 255.255.255.0
exit

 

interface FastEthernet0/0.2
no shut
encapsulation dot1Q 200
vrf forwarding Boss2
ip address 10.100.2.2 255.255.255.0
exit

 

router bgp 65001
address-family ipv4 vrf Boss1
redistribute connected
address-family ipv4 vrf Boss2
redistribute connected

 

Concerning, "perform route leakage between each VRF and a default route coming from the global routing table." Could you please provide me some basic configs or a place where I can find out how to configure this?

 

Thank you,

Cliff

Hello Cliff,

You have made progress, as now the IP subnets in the two VRFs are different.

 

However, the two managers will likely want to access the Internet or other resources that are in the global routing table.

>> Concerning, "perform route leakage between each VRF and a default route coming from the global routing table." Could you please provide me some basic configs or a place where I can find out how to configure this?

 

You can follow the below document that provides you the full context on how to allow VRF users to access the internet.

 

https://community.cisco.com/t5/service-providers-documents/mpls-l3vpn-internet-access-option-1/ta-p/3823551

 

The simplest approach is to use static routing with additional parameters to perform the route leakage between each defined VRF and the global routing table.

 

ip route vrf BOSS1 0.0.0.0 0.0.0.0 192.168.12.2 global

 

ip route vrf BOSS2 0.0.0.0 0.0.0.0 192.168.12.2 global

 

You need also to ensure the return path to your subnets in VRF from the global routing table.

 

see also the following document

 

https://community.cisco.com/t5/service-providers-documents/providing-internet-access-for-mpls-l3-vpns/ta-p/3109924

 

In both documents they use NAT so the return path to VRFs is solved without a routing configuration.

 

On the remote PE node that is hosting the Enclave server you need the following:

 

vrf definition Enclave-Server
rd 3:3
route-target import  1:1

route-target import  2:2

route-target export 3:3
address-family ipv4
exit-address-family

 

+ the MP-BGP configuration for address-family ipv4 vrf Enclave-Server

 

Note:

You need an end-to-end MPLS path between the local PE and the datacenter PE (mpls ip on all links between them).

You need a VPNv4 MP iBGP session between local PE and remote data center PE directly or via route reflector.

You need to activate the neighbor and to send community extended (route targets are extended communities).

Local PE node vrf BOSS1 and vrf BOSS2 must add a route-target import 3:3 to accept the routes coming from the datacenter PE via VPNv4 advertisements.

 

I know we are missing the return path for internet access from global routing table to the VRFs.

I will try to add it later

 

Edit:

A possible approach is to use PBR (policy-based routing) on the global routing table interface that receives traffic destined to a VRF subnet.

see the following thread

https://community.cisco.com/t5/switching/route-leaking-from-global-to-vrf-using-static-routes-only/td-p/2924086?dtid=osscdc000283

 

The key command in the route-map is set vrf <vrf-name>, which allows you to move the traffic to the desired VRF.

In your case the route-map should use two blocks, one for VRF BOSS1 and one for VRF BOSS2.

 

!access-list to select traffic
ip access-list extended to-BOSS1
permit ip any 10.100.1.0 0.0.0.255

ip access-list extended to-BOSS2
permit ip any 10.100.2.0 0.0.0.255

!Route map to set the vrf
route-map TO-VRFs permit 10
match ip address to-BOSS1
set vrf BOSS1

route-map TO-VRFs permit 20
match ip address to-BOSS2
set vrf BOSS2

 

The route-map has to be applied on the local PE node on an interface on the return path from the internet.

PBR works only inbound.

 

Hope to help

Giuseppe
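To see how the two route-map blocks above classify return traffic, here is an added Python model (not from the thread and not device code) of IOS wildcard-mask ACL matching and first-match route-map evaluation, using the ACL names, sequence numbers and subnets from Giuseppe's post:

```python
import ipaddress

# Constructed model of the route-map TO-VRFs above: ACL entries use IOS
# wildcard masks (a 1 bit means "don't care"), sequences are tried in order.
ACLS = {
    "to-BOSS1": [("10.100.1.0", "0.0.0.255")],
    "to-BOSS2": [("10.100.2.0", "0.0.0.255")],
}
ROUTE_MAP = [(10, "to-BOSS1", "BOSS1"), (20, "to-BOSS2", "BOSS2")]


def wildcard_match(dst, network, wildcard):
    """IOS ACL semantics: compare only the bits that are 0 in the wildcard.
    The network field is masked too, so a host address written with a
    0.0.0.255 wildcard behaves like the /24 it sits in."""
    d = int(ipaddress.IPv4Address(dst))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (d & care) == (n & care)


def acl_permits(acl_name, dst):
    """A packet is permitted when any entry of the named ACL matches it."""
    return any(wildcard_match(dst, net, wc) for net, wc in ACLS[acl_name])


def pbr_select_vrf(dst):
    """Evaluate the route-map sequences in order; the first permit whose
    ACL matches sets the VRF. No match means the packet keeps following
    the global routing table (PBR is applied inbound, as the post notes)."""
    for _seq, acl, vrf in ROUTE_MAP:
        if acl_permits(acl, dst):
            return vrf
    return "global"


if __name__ == "__main__":
    for dst in ("10.100.1.25", "10.100.2.200", "10.100.3.1"):
        print(dst, "->", pbr_select_vrf(dst))
```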

 

Hi Giuseppe,

Below are the configs I have put together so far.

 

Data Center MPLS Router:


vrf definition Boss1
rd 1:1
route-target both 1:1
address-family ipv4
exit-address-family

vrf definition Boss2
rd 2:2
route-target both 2:2
address-family ipv4
exit-address-family

interface FastEthernet0/0.1
no shut
encapsulation dot1Q 100
vrf forwarding Boss1
ip address 10.100.12.30 255.255.255.0
exit

interface FastEthernet0/0.2
no shut
encapsulation dot1Q 200
vrf forwarding Boss2
ip address 10.100.12.31 255.255.255.0
exit


vrf definition Enclave-Server
rd 3:3
route-target import 1:1
route-target import 2:2
route-target export 3:3
address-family ipv4
exit-address-family


ip route vrf BOSS1 0.0.0.0 0.0.0.0 10.100.12.30 global
ip route vrf BOSS2 0.0.0.0 0.0.0.0 10.200.12.31 global


router bgp 65001
address-family ipv4 vrf Boss1
redistribute connected
address-family ipv4 vrf Boss2
redistribute connected

-----------------------------------------------------------
Firewall (Local):

Route-map vrf Enclave-Server

!access-list to select traffic
ip access-list extended to-BOSS1
permit ip any 10.100.12.30 0.0.0.255

ip access-list extended to-BOSS2
permit ip any 10.100.12.31 0.0.0.255

!Route map to set the vrf
route-map TO-VRFs permit 10
match ip address to-BOSS1
set vrf BOSS1

route-map TO-VRFs permit 20
match ip address to-BOSS2
set vrf BOSS2

====================================

I'm a little fuzzy on the remaining configs. I did review the information and links you provided, which were helpful. But I still need some guidance on the remaining configs to get this completed for my boss. You mentioned the below areas in your "Notes".

Note:

You need an end-to-end MPLS path between the local PE and the datacenter PE (mpls ip on all links between them).

You need a VPNv4 MP iBGP session between local PE and remote data center PE directly or via route reflector.

You need to activate the neighbor and to send community extended (route targets are extended communities).

Local PE node vrf BOSS1 and vrf BOSS2 must add a route-target import 3:3 to accept the routes coming from the datacenter PE via VPNv4 advertisements.

I know we are missing the return path for internet access from global routing table to the VRFs.

 

Based on my configs, could you please break down the remaining configuration needed to complete the VRF?

 

Thanks again for all your help!

Cliff

Hello Cliff,

I tried to explain to you some basic concepts about the need to have DIFFERENT IP subnets in the two VRFs BOSS1 and BOSS2.

I see again an overlapping subnet. You may have made a typing error.

 

A)

Use different subnets under the VRF access links, like 10.100.12.0/24 and 10.200.12.0/24:

 

 

interface FastEthernet0/0.1
no shut
encapsulation dot1Q 100
vrf forwarding Boss1
ip address 10.100.12.30 255.255.255.0
exit

interface FastEthernet0/0.2
no shut
encapsulation dot1Q 200
vrf forwarding Boss2
ip address 10.200.12.31 255.255.255.0
exit

 

B) The VRF definitions need to be changed to import routes from the server VRF (RT 3:3):

vrf definition Boss1
rd 1:1
route-target import 1:1

route-target import 3:3

route-target export 1:1
address-family ipv4
exit-address-family

 

vrf definition Boss2
rd 2:2
route-target import 2:2

route-target import 3:3

route-target export 2:2
address-family ipv4
exit-address-family

 

 

C) The default static routes are wrong; they must use an IP next-hop in the global routing table. That is the meaning of the global keyword.

 

ip route vrf  BOSS1 0.0.0.0 0.0.0.0 10.100.12.30 global
ip route vrf BOSS2 0.0.0.0 0.0.0.0 10.200.12.31 global

 

They must become (please note that VRF names are case sensitive, so BOSS1 is not equal to Boss1):

 

ip route vrf Boss1 0.0.0.0 0.0.0.0 10.100.x.y global
ip route vrf Boss2 0.0.0.0 0.0.0.0 10.100.x.y global

 

Where 10.100.x.y is an IP address reachable via the global routing table on your router.

show ip arp 10.100.x.y must return an entry, and it must be a device connected in the GRT to the router, not an IP address of the router itself.

 

D) How is the firewall connected to the MPLS router?

The firewall will likely not support MPLS.

You need to define additional VLAN subinterfaces mapped to VRFs Boss1 and Boss2 to communicate with the firewall. This is called VRF-lite.

Can you post a network diagram to make the network scenario clear?

 

Hope to help

Giuseppe
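As an added illustration of point B) above together with the Enclave-Server VRF definition from the earlier reply (my own Python model, not from the thread and not a device config): it applies route-target import/export to show which prefixes each VRF ends up with, why Boss1 and Boss2 need route-target import 3:3, and how overlapping access subnets collide in the server VRF. The server subnet 10.100.99.0/24 is a constructed placeholder; the thread only says "probably 10.100.x.x".

```python
import ipaddress
from collections import defaultdict

# Constructed VRF table mirroring the thread: the Boss VRFs export their own
# RT and import it plus 3:3 from the server VRF; Enclave-Server imports 1:1
# and 2:2 and exports 3:3.
VRFS = {
    "Boss1": {"rd": "1:1", "export": {"1:1"}, "import": {"1:1", "3:3"}},
    "Boss2": {"rd": "2:2", "export": {"2:2"}, "import": {"2:2", "3:3"}},
    "Enclave-Server": {"rd": "3:3", "export": {"3:3"}, "import": {"1:1", "2:2"}},
}

# Constructed sample: access subnets from the thread; server subnet invented.
CONNECTED = {"Boss1": ["10.100.12.0/24"], "Boss2": ["10.200.12.0/24"],
             "Enclave-Server": ["10.100.99.0/24"]}


def vpnv4_advertise(vrfs, connected):
    """'redistribute connected': every connected prefix of a VRF becomes a
    VPNv4 route (RD + prefix) carrying that VRF's export route-targets."""
    return [(vrfs[v]["rd"], ipaddress.ip_network(p), vrfs[v]["export"], v)
            for v, prefixes in connected.items() for p in prefixes]


def import_routes(vrfs, adverts):
    """A VRF keeps its own connected routes and installs a remote VPNv4
    route only when the route's export RTs intersect its import RTs."""
    rib = defaultdict(list)
    for _rd, prefix, rts, origin in adverts:
        for name, cfg in vrfs.items():
            if origin == name or rts & cfg["import"]:
                rib[name].append((prefix, origin))
    return rib


def prefixes_in(rib, vrf):
    """Sorted prefixes present in one VRF's routing table."""
    return sorted({str(p) for p, _ in rib[vrf]})


def overlapping(rib, vrf):
    """Same prefix learned from two different VRFs: the return-path
    ambiguity described when Boss1 and Boss2 both use 10.0.0.0/24."""
    origins = defaultdict(set)
    for prefix, origin in rib[vrf]:
        origins[prefix].add(origin)
    return {str(p): sorted(o) for p, o in origins.items() if len(o) > 1}


if __name__ == "__main__":
    rib = import_routes(VRFS, vpnv4_advertise(VRFS, CONNECTED))
    for name in VRFS:
        print(name, prefixes_in(rib, name))
```

Dropping 3:3 from the Boss VRFs' import sets leaves them with only their own subnet, and feeding both Boss VRFs the same 10.0.0.0/24 makes overlapping() report the clash in Enclave-Server.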

 

 

Hello

You say your boss needs you to create a VRF for him to be able to establish a connection to a server in your data centre.

 

Are you sure a VRF is required?

Is the main goal for this connection that only your two bosses have a direct connection to this server from the office, hence the suggested VRF?

 

Is this server to be stood up on an existing advertised network within the data centre?

 

If so, a simple routed access-list could be applicable here?

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

I have placed my answers below your questions.

Q: You say your boss needs you to create a VRF for him to be able to establish a connection to a server in your data centre.

A: Yes

 

Q: Are you sure a VRF is required?

A: Yes

 

Q: Is the main goal for this connection that only your two bosses have a direct connection to this server from the office, hence the suggested VRF?

A: Yes

 

Q: Is this server to be stood up on an existing advertised network within the data centre?

A: Yes

 

Q: If so, a simple routed access-list could be applicable here?

A: So once I configure the VRF, then I would configure an ACL?

 

Thanks,

Cliff
