VRF lite or multi-vrf over a service provider MPLS network

Billy Dodson
Level 1

We offer data center services to our customers. Most of our customers connect to our services via VPN or direct server access over the internet.

We have the need for some of our customers to come in over a service provider MPLS network.

The MPLS network is routed via BGP. I am trying to figure out how I can set up VRF, or something similar, to isolate each customer in their own routing table. I need the customers to be able to have separate default routes/gateways of last resort, because some customers want to use us for their internet service as well. Security is also a factor, of course. I have read about creating VRFs for different purposes, but I am unsure how to do this over the top of the service provider MPLS network. We route to the service provider via BGP; each customer attached to the MPLS network has a unique AS number, but every customer uses the same AS number of the provider as their neighbor.

Some customers will have multiple locations that will need to be able to communicate with each other, as well as our data center. Each customer is assigned their own VLAN at the data center. Currently our customers are SMBs, and to keep things easy we re-IP the customers' networks rather than worrying about NAT. Some customers have domain controllers/DNS in our data center, and NAT can create problems with internal DNS.

If anyone knows of any documents or examples that I could use to try and figure this out, I would be very grateful.

Thanks,

Billy

3 Replies

Jon Marshall
Hall of Fame

Billy

Have a look at these design guides, especially the one on Path Isolation -

http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns815/landing_cNet_virtualization.html

Jon

Marwan ALshawi
VIP Alumni

Hi Billy

In addition to the link provided by Jon:

You need to plan your DC path to the edge router/routers to support isolation and virtualization end to end.

for example

If you want each customer to have its own routing table and its own services, then from an L2 perspective each customer's services need to span their own VLAN/VLANs up to the L3 interface of that VLAN, which is supposed to reside in that customer's VRF.

This device might be a distribution switch such as a 6500 or Nexus 7K, for example. If this device then connects to a northbound router, such as an ISR or ASR, for WAN connectivity to the ISP,

then you need to have back-to-back connectivity between the distribution switch and the edge router to pass VRF routing.

Then in the edge router you will create a VRF (logically the same name, but it does not have to be) and then put the interface/subinterface connected to the ISP in the same VRF to peer with the ISP (this is for one customer). The same concept applies for each customer.

servers --vlanx---distribution switch ---interface vlanx in vrf x-----edge router subinterface vlanx-vrfx-----subinterface--vrfx--ISP

This concept is used in some Cisco UCS and Nexus that support virtualized DC.

If you have redundant edge routers and redundant distribution switches, you might consider running MPLS with MPBGP between the distribution and edge routers for scalability and automation for HA.

So each customer will be in a VRF, then this VRF route will be passed between these devices over VPNv4.

VRF--DistSwitch1 --MPLS/IGP----1Edgerouter---VRF--ISP

VRF--DistSwitch2 --MPLS/IGP----2Edgerouter---VRF--ISP

If NATing/firewalling is required, all can be supported using VRF lite (as above) and VRF-aware NAT.

Have a look at the document below that I posted before in CSC about providing internet using MPLS-VPN/VRFs.

https://supportforums.cisco.com/docs/DOC-8403

HTH

if helpful Rate
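
The single-customer VRF-lite path described in the reply above, sketched as Cisco IOS configuration. This is an added example, not configuration posted by anyone in the thread; the VRF name CUST-A, the VLAN IDs, interface names, addresses (private and documentation ranges) and AS numbers are constructed, and it assumes the provider hands off each customer on its own subinterface.

```cisco
! ===== Distribution switch (all names, VLANs and addresses are constructed) =====
ip vrf CUST-A
 rd 64512:110
!
vlan 110,1110
!
interface Vlan110
 description CUST-A server gateway (L3 interface of the customer VLAN)
 ip vrf forwarding CUST-A
 ip address 10.110.0.1 255.255.255.0
!
interface Vlan1110
 description CUST-A transit to edge router
 ip vrf forwarding CUST-A
 ip address 10.255.110.1 255.255.255.252
!
interface GigabitEthernet1/1
 description Trunk to edge router, one transit VLAN per customer VRF
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1110
 switchport mode trunk
!
! Default route exists in this VRF only; another customer's VRF can use a different one
ip route vrf CUST-A 0.0.0.0 0.0.0.0 10.255.110.2
!
! ===== Edge router =====
ip vrf CUST-A
 rd 64512:110
!
interface GigabitEthernet0/0.1110
 description CUST-A transit to distribution switch
 encapsulation dot1Q 1110
 ip vrf forwarding CUST-A
 ip address 10.255.110.2 255.255.255.252
!
interface GigabitEthernet0/1.110
 description CUST-A handoff to MPLS provider (assumed per-customer subinterface)
 encapsulation dot1Q 110
 ip vrf forwarding CUST-A
 ip address 192.0.2.2 255.255.255.252
!
! Route back to the customer's server VLAN, advertised to the provider below
ip route vrf CUST-A 10.110.0.0 255.255.255.0 10.255.110.1
!
router bgp 64512
 address-family ipv4 vrf CUST-A
  neighbor 192.0.2.1 remote-as 64496
  neighbor 192.0.2.1 activate
  network 10.110.0.0 mask 255.255.255.0
```

With this in place, `show ip route vrf CUST-A` on either device should list only this customer's prefixes, and the global table (`show ip route`) should contain none of them.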

Thank you for your replies. I was able to get a solution going. I used the documentation from this site in case anyone else ever has a similar need.

http://blog.ine.com/2008/08/02/dmvpn-explained/

We used the configuration examples under the heading "mGRE + NHRP Phase 2 + EIGRP"