01-22-2014 06:39 PM - edited 03-04-2019 10:08 PM
Hi All,
I have an issue with a design in our network. Any input will be much appreciated.
The design: Site A and Site B are connected via an L3 VPN provided by the ISP. The integration is by BGP, and the ISP has provided us with our own private AS number.
Site A has 2 VLANs, and the same goes for Site B.
My question is, how can we separate the networks of VLAN_1 and VLAN_2 across the VPN network?
E.g. VLAN_2 at Site B should not be able to ping VLAN_1's network at Site A.
We are looking into VRF Lite, but it seems like we have to configure the ISP PE as well. Is there any way that we can advertise the routes along with the VRF into BGP?
We are trying to separate the networks in the router as well, not only just denying the networks by ACL.
Sample BGP config at Site A; the same goes for Site B:
router bgp 65XXX
no synchronization
bgp log-neighbor-changes
network 10.8.40.0 mask 255.255.255.0
network 10.8.100.42 mask 255.255.255.255
neighbor 10.10.2.1 remote-as 2XXXX
neighbor 10.10.2.1 soft-reconfiguration inbound
neighbor 10.10.2.1 route-map BACKUP in
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
01-22-2014 07:05 PM
Hi Anuar,
VRF lite would certainly do the job. You need to ask the SP to provide you with an additional VPN though. This will probably not come for free but will provide you with complete isolation between the two VLANs.
Regards
01-22-2014 07:21 PM
Hi Harold,
Thank you for the reply. The bold part is the problem now, since we are trying to avoid any configuration changes at the ISP's PE router. Is there any other way that we can redistribute the local VRF into the network as well?
Harold Ritter wrote:
VRF lite would certainly do the job. You need to ask the SP to provide you with an additional VPN though. This will probably not come for free but will provide you with complete isolation between the two VLANs.
01-22-2014 07:43 PM
Anuar,
Another option would be to create an overlay network between the two CEs using GRE tunnels to make sure the PEs won't route between the two VRF, which it will by default. A different tunnel would need to be created and associated to each VRF. The BGP session would still need to be run from the global routing table and would provide routing information required to bring the tunnels up. This would not require any intervention from the SP.
Regards
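The GRE overlay Harold describes, written out as an added example configuration for the Site A CE. This is not Harold's or Anuar's config and not Cisco documentation: the VRF names, subinterfaces, tunnel numbering, the 172.16.x.x tunnel addresses, the Site B loopback 10.9.100.42 and the Site B LANs 10.9.40.0/24 and 10.9.41.0/24 are all assumptions constructed for the example, and so is treating 10.8.100.42 from Anuar's sample as a loopback. The BGP neighbour and the masked AS numbers are taken from that sample as given.

```cisco
! Site A CE, IOS classic syntax. Addressing and names are constructed
! for this example, not taken from the thread.
ip vrf VLAN_1
 rd 65XXX:1
ip vrf VLAN_2
 rd 65XXX:2
!
! The tunnel endpoint stays in the global table. It is the only Site A
! prefix the ISP needs to carry once the LANs move into the VRFs.
interface Loopback0
 ip address 10.8.100.42 255.255.255.255
!
! LAN side: each VLAN subinterface is bound to its own VRF.
! "ip vrf forwarding" clears the interface address, so it comes first.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip vrf forwarding VLAN_1
 ip address 10.8.40.1 255.255.255.0
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip vrf forwarding VLAN_2
 ip address 10.8.41.1 255.255.255.0
!
! One GRE tunnel per VRF. "ip vrf forwarding" places the inner traffic in
! the VRF; with no "tunnel vrf" statement the outer source/destination are
! resolved in the global table, where the BGP/default route to the Site B
! loopback lives. MTU/MSS are lowered for the 24-byte GRE overhead.
interface Tunnel1
 ip vrf forwarding VLAN_1
 ip address 172.16.1.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.9.100.42
interface Tunnel2
 ip vrf forwarding VLAN_2
 ip address 172.16.2.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 10.9.100.42
!
! Global BGP to the ISP advertises only the tunnel endpoint. The old
! "network 10.8.40.0" statement is dropped: that prefix now lives in a
! VRF RIB and would not match a global network statement anyway.
router bgp 65XXX
 no synchronization
 bgp log-neighbor-changes
 network 10.8.100.42 mask 255.255.255.255
 neighbor 10.10.2.1 remote-as 2XXXX
 neighbor 10.10.2.1 soft-reconfiguration inbound
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 10.10.2.1
!
! Per-VRF reachability over the overlay. Static routes are used here; an
! IGP or a per-VRF BGP address-family running across each tunnel would
! also work. No route leaking is configured, so the CE itself never
! forwards between VLAN_1 and VLAN_2.
ip route vrf VLAN_1 10.9.40.0 255.255.255.0 Tunnel1
ip route vrf VLAN_2 10.9.41.0 255.255.255.0 Tunnel2
```

Site B mirrors this with its own loopback as the tunnel source and 10.8.100.42 as the destination. To check the separation, `show ip bgp neighbors 10.10.2.1 advertised-routes` should list only the loopback, `show ip route vrf VLAN_1` should show the Site B VLAN_1 LAN via Tunnel1 and nothing from VLAN_2, and `ping vrf VLAN_2 10.9.40.1` should fail while `ping vrf VLAN_1 10.9.40.1` succeeds. Since point-to-point GRE carries multicast, PIM can be enabled per VRF on the tunnel interfaces if the multicast traffic Anuar mentions needs to cross sites.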
01-22-2014 08:48 PM
Thanks for the suggestion Harold, going to give it a try in the lab first before going to full production. We need to consider quite a few things, especially multicast traffic.
Thank you so much for your input.
01-23-2014 06:48 AM
Hi Anuar,
I am glad I could help. Do not hesitate to let us know if you need more details on the proposed solution.
Regards