11-09-2009 08:13 AM - edited 03-04-2019 06:39 AM
Hi All,
I was working on this to make this thing work in a better and more comprehensive way. There are two solutions to this problem which I would like to share and have suggestions on.
The scenario is this:-
1. When CE and PE are both under your control and you want to accomplish the isolation on the CE device. This solution only works when both CE and PE are under your control, which means you are the service provider.
Solution: VRF- Lite Solution
This solution can be implemented in two ways:-
a) By creating sub-interfaces on the PE interface and assigning each sub-interface to a VRF. On the CE device you can either create sub-interfaces or a TRUNK (in this case you need to have VLANs assigned to VRFs on the CE device).
b) By creating a TRUNK between PE and CE, then creating VLAN interfaces assigned to each VRF.
Note: Of these, the first (a) compromises scalability, because we go on creating sub-interfaces for each VRF. It's cumbersome to create and manage when you are dealing with more than 10 VRFs. The second (b) is a more scalable solution; however, the response time of the network decreases, and it hinders monitoring. For example, say you have created one VLAN for a customer, CUSTA, and you have many links connecting this customer to the same PE router. In this case the VLAN interface does not go down unless all its assigned interfaces go down (although there are port-based monitoring tools). The second thing, if you have noticed, is that although it is possible to create multiple VLANs for the same customer with different subnet masks, it would hinder management, so one would possibly avoid that and create only one VLAN interface assigned to CUSTA and assign all its interfaces to that particular VLAN. By doing this we are creating a single broadcast domain for all these interfaces, thus decreasing the response time again.
2. When the CE router is connected to a service provider which is providing MPLS L3 VPN based service and you need to accomplish network segregation or isolate networks at customer end i.e. CE.
Solution: This is where it gets interesting. I have made it work, but I don't know yet how it works. I don't even know if it is the CSC model, but I think so.
The key to this solution is the send-label command. In this scenario the service provider configuration is shown in the diagram. The ISP 2 configuration is below.
Note: When we are done with this configuration on the CSC PE 1 router and CSC CE 1 router, we get this message, which verifies the neighbor is up: "*Mar 1 00:26:01.799: %BGP-5-ADJCHANGE: neighbor 10.240.5.2 vpn vrf ISP2 Up" on the CSC PE 1 router. There are more weird things I have observed in this solution, e.g. the LDP neighborship is not formed, and BGP on the service provider shows the BGP neighbor status as IDLE, etc. One more thing I would like to add is that ISP 1 is unaware of the VRFs created on the CE.
This is still a mystery to me and I am trying to find out how it actually works. I need you guys to help me do this and come up with suggestions on each of these scenarios, and especially to unravel the mystery of the last one.
Attached are the .vsd diagram and .jpeg diagram. Both are the same.
Have a nice day!
Nishant
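The two VRF-Lite options (a) and (b) from the post above, written out as an added example that is not part of the original post. The RD values, VLAN IDs, interface names and addresses are constructed assumptions; only the VRF names CUSTA and CUSTB come from the thread.

```ios
! Constructed values: RDs, VLAN IDs, interface names and addresses are assumptions.
ip vrf CUSTA
 rd 65010:1
ip vrf CUSTB
 rd 65010:2
!
! Option (a): one dot1Q sub-interface per VRF on the routed PE-CE link
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding CUSTA
 ip address 10.100.10.1 255.255.255.252
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding CUSTB
 ip address 10.100.20.1 255.255.255.252
!
! Option (b): trunk on a switching platform, one VLAN interface per VRF.
! The encapsulation command is platform dependent.
vlan 10,20
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! Carry only the VLANs that map to a VRF, so no other VLAN crosses the link
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 ip vrf forwarding CUSTA
 ip address 10.100.10.2 255.255.255.252
!
interface Vlan20
 ip vrf forwarding CUSTB
 ip address 10.100.20.2 255.255.255.252
!
! Isolation check: each prefix should appear only in its own table
!  show ip vrf interfaces
!  show ip route vrf CUSTA
!  show ip route vrf CUSTB
```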
11-09-2009 08:19 AM
I had to continue in the next post because the limit is up to 4000 words.
The CSC CE 1 configuration is below.
! This interface is assigned to the CUSTA VRF
interface FastEthernet0/0
 ip vrf forwarding CUSTA
 ip address 10.100.1.1 255.255.255.0
 duplex auto
 speed auto
!
! This interface is connected to the CSC PE 1 router
interface Serial0/0
 ip address 10.240.5.2 255.255.255.252
 clock rate 2000000
!
router bgp 65010
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 ! This is the remote CSC CE 2 router neighbor, which we need to activate only under the VPNv4 address-family
 neighbor 10.110.250.1 remote-as 65010
 neighbor 10.110.250.1 update-source Loopback0
 neighbor 10.240.5.1 remote-as 9829
 !
 address-family ipv4 vrf CUSTB
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf CUSTA
  redistribute connected
  redistribute static
  no synchronization
 exit-address-family
Have a nice day!
Nishant
11-09-2009 08:32 AM
Hello Nishant,
a) 10 VRFs cumbersome low threshold yours ..
b) When you use send-labels you are going to use CSC with BGP used for label exchange.
Messages are caused by BGP session resets caused by the need to exchange new capabilities.
Hope to help
Giuseppe
11-09-2009 09:07 AM
Hello Nishant,
A correct configuration would require send-labels also on CSC-CE/subPE devices.
see
For this reason the session stays in idle on the CSC PE side, for capabilities mismatch.
Hope to help
Giuseppe
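The change described in the reply above, as an added example that is not part of either poster's configuration: the CSC CE 1 BGP process from the thread with send-label enabled towards the CSC PE, so both ends of the session advertise the label capability. The CE loopback address 10.110.250.2 is an assumption; the AS numbers, neighbor addresses and VRF name ISP2 are the ones quoted in the thread.

```ios
! CSC CE 1 (AS 65010): BGP from the thread with the label capability added
router bgp 65010
 no bgp default ipv4-unicast
 bgp log-neighbor-changes
 neighbor 10.110.250.1 remote-as 65010
 neighbor 10.110.250.1 update-source Loopback0
 neighbor 10.240.5.1 remote-as 9829
 !
 address-family ipv4
  ! Assumed local loopback, advertised to the carrier with a label
  network 10.110.250.2 mask 255.255.255.255
  ! Needed because "no bgp default ipv4-unicast" is set
  neighbor 10.240.5.1 activate
  ! The missing piece: must match send-label on the CSC PE side
  neighbor 10.240.5.1 send-label
 exit-address-family
 !
 address-family vpnv4
  ! Remote CSC CE 2 carries the CUSTA/CUSTB routes end to end
  neighbor 10.110.250.1 activate
  neighbor 10.110.250.1 send-community extended
 exit-address-family
!
! CSC PE 1 (AS 9829): the matching side, inside VRF ISP2
router bgp 9829
 address-family ipv4 vrf ISP2
  neighbor 10.240.5.2 remote-as 65010
  neighbor 10.240.5.2 activate
  neighbor 10.240.5.2 send-label
 exit-address-family
!
! Checks once the session re-establishes:
!  show ip bgp neighbors 10.240.5.1     (MPLS label capability advertised and received)
!  show ip bgp labels                   (labels bound to the exchanged prefixes)
```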
11-09-2009 09:57 PM
Hi Giuseppe
I will try using send-label on CSC-CE and will let you know. Now I got it confirmed, it's the CSC Model!
That was a great link to use; however, I have a query: do all service providers have this kind of configuration done on their end?
Nishant
Have a nice day!