428 Views | 1 Helpful | 1 Replies

Merger data and Management VRF over single MPLS line

shubham-bhabad (Level 1)

[image: shubhambhabad_0-1732067173437.png (client topology diagram)]

Above is the client requirement: R1 is the local router and R2 is the remote router.

1) The client wants to separate data traffic and management traffic via VRFs in the local router and pass them over a single MPLS link via separate IPsec data and management tunnels to the remote router.

2) He wants the remote router to have an IP within the same subnet (192.168.1.0/24) as the management interface of the R1 local router.

Could you please help with routes from 2 different VRFs? How can I pass routes from 2 different VRFs over a single MPLS link, and how can this be achieved? Is any example link/config available?

1 Accepted Solution

Accepted Solutions

M02@rt37 (VIP)

Hello @shubham-bhabad 

To separate data and management traffic via VRFs over a single MPLS link and ensure proper routing between R1 and R2, you could use VRF-aware IPsec tunnels. This solution involves creating 2 VRFs on both routers, one for data and one for management, and establishing separate IPsec tunnels for each VRF.

By encapsulating VRF-specific traffic into their respective tunnels, you ensure traffic segregation while using the same MPLS transport link.

On the local router (R1), VRFs are created to separate the routing tables for data and management traffic. Interfaces are assigned to the respective VRFs based on their function, ensuring that data traffic and management traffic are isolated at L3. Each VRF will have its own unique RD (route distinguisher) and RT (route target) to enable route differentiation and sharing between the routers.

To meet the requirement for R2 (remote router) to have an IP within the same management subnet (192.168.1.0/24), a VRF-aware IPsec tunnel is configured for the management VRF. This allows routes from the management subnet to traverse the MPLS link securely. Similarly, a separate VRF-aware IPsec tunnel is created for data traffic to carry application or end-user traffic. On R2, VRF assignments are mirrored to maintain traffic separation, and an IP address from the management subnet is assigned to an interface in the management VRF.

Finally, route-leaking can optionally be configured if communication between VRFs is required on the remote side, allowing cross-VRF route exchange where necessary.

---

Steps to help you (adapt IP plan and description):

1. Create VRFs
! The VRFs are defined with "vrf definition" (with an IPv4 address family) so that the
! "vrf forwarding" interface command used in steps 2 and 3 applies to them; the legacy
! "ip vrf" form pairs with "ip vrf forwarding" instead. RD/RT values only take effect
! if MP-BGP is later used to exchange the VRF routes.
#R1 (Local Router)
vrf definition Data
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 exit-address-family

vrf definition Management
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 exit-address-family

#R2 (Remote Router)
vrf definition Data
 rd 1:1
 route-target export 1:1
 route-target import 1:1
 address-family ipv4
 exit-address-family

vrf definition Management
 rd 2:2
 route-target export 2:2
 route-target import 2:2
 address-family ipv4
 exit-address-family

---

2. Assign interfaces to the VRFs
#R1
interface GigabitEthernet0/0
description Connection to LAN
vrf forwarding Data
ip address 10.1.1.1 255.255.255.0

interface GigabitEthernet0/1
description Connection to Management
vrf forwarding Management
ip address 192.168.1.1 255.255.255.0

#R2
interface GigabitEthernet0/0
description Connection to Data LAN
vrf forwarding Data
ip address 10.1.2.1 255.255.255.0

interface GigabitEthernet0/1
description Management IP
vrf forwarding Management
ip address 192.168.1.2 255.255.255.0

---

3. Configure VRF-aware IPsec tunnels (the tunnel sits in the VRF; the WAN interface Gi0/2 stays in the global table)
#R1
interface Tunnel1
description Data Tunnel
vrf forwarding Data
ip address 172.16.1.1 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination <R2 WAN IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-DATA

interface Tunnel2
description Management Tunnel
vrf forwarding Management
ip address 172.16.2.1 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination <R2 WAN IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-MGMT

#R2
interface Tunnel1
description Data Tunnel
vrf forwarding Data
ip address 172.16.1.2 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination <R1 WAN IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-DATA

interface Tunnel2
description Management Tunnel
vrf forwarding Management
ip address 172.16.2.2 255.255.255.252
tunnel source GigabitEthernet0/2
tunnel destination <R1 WAN IP>
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-MGMT

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
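The steps above reference the IPsec profiles IPSEC-DATA and IPSEC-MGMT by name but do not show the crypto configuration behind them, nor the per-VRF routes that make the remote side reachable through each tunnel. The block below is an added example, not part of the original post or a Cisco reference configuration, that fills in those pieces. It assumes IKEv2 with a pre-shared key, placeholder WAN addresses 203.0.113.1 (R1) and 203.0.113.2 (R2), and the profile, keyring and transform-set names shown (all chosen here). One design point it addresses: as posted, both routers own a connected 192.168.1.0/24, so R2 would answer 192.168.1.1 out of its LAN port rather than through Tunnel2; this example therefore places R2's management address on a loopback as a /32 and uses static routes, which keeps the address inside the requested subnet. RD/RT from step 1 are not needed for these static routes.

```cisco
! --- Added example: IKEv2/IPsec profiles and per-VRF routing for the
! --- two VTIs above. Placeholder WAN IPs and PSK; replace before use.

! ===== R1 =====
! IKEv2 proposal/policy: AEAD cipher, SHA-384 PRF, ECDH group 19
crypto ikev2 proposal IKEV2-PROP
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP

! Peer authentication: one keyring entry bound to R2's WAN address
crypto ikev2 keyring IKEV2-KR
 peer R2
  address 203.0.113.2
  pre-shared-key <PLACEHOLDER-PSK>

crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR

! One transform set shared by both tunnels; two profiles so each VTI
! keeps its own IPsec SA pair while sharing the single IKEv2 SA to R2
crypto ipsec transform-set TS-AES-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile IPSEC-DATA
 set transform-set TS-AES-GCM
 set ikev2-profile IKEV2-PROF
crypto ipsec profile IPSEC-MGMT
 set transform-set TS-AES-GCM
 set ikev2-profile IKEV2-PROF

! Per-VRF routes: remote data LAN via Tunnel1, remote management host
! via Tunnel2. The /32 is more specific than R1's connected /24, so it
! wins longest-prefix match inside VRF Management only.
ip route vrf Data 10.1.2.0 255.255.255.0 Tunnel1
ip route vrf Management 192.168.1.2 255.255.255.255 Tunnel2

! ===== R2 (deltas from R1) =====
! Keyring/profile mirror R1 with the roles swapped
crypto ikev2 keyring IKEV2-KR
 peer R1
  address 203.0.113.1
  pre-shared-key <PLACEHOLDER-PSK>
crypto ikev2 profile IKEV2-PROF
 match identity remote address 203.0.113.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR

! Management address as a host route on a loopback in VRF Management,
! instead of a /24 on Gi0/1, so 192.168.1.0/24 routes back over Tunnel2
interface Loopback1
 description Management IP (same subnet as R1 Gi0/1)
 vrf forwarding Management
 ip address 192.168.1.2 255.255.255.255

ip route vrf Data 10.1.1.0 255.255.255.0 Tunnel1
ip route vrf Management 192.168.1.0 255.255.255.0 Tunnel2

! ===== Verification (run on R1) =====
! show crypto ikev2 sa
! show crypto ipsec sa
! show ip route vrf Management
! ping vrf Management 192.168.1.2 source 192.168.1.1
! ping vrf Data 10.1.2.1 source 10.1.1.1
```

The two tunnels reuse one IKEv2 profile, so a single IKE SA to the peer carries a separate child SA per VTI; the separate IPsec profiles are what keep the data and management SAs distinct in `show crypto ipsec sa`. If the platform refuses a second VTI with the same source and destination, run both tunnels as GRE over IPsec instead (`tunnel mode gre ip` with distinct `tunnel key` values and the transform set in transport mode); the profiles and routes above stay the same.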
