
VRF vs VRF Lite in Backbone

Learnercisco
Level 1

My aim

Access to distribution: Layer 2

Distribution to CORE: Layer 3 (I want to use VRF for VLAN (SVI) Layer 3 routing table separation and OSPF for routing)

Same VRF (Telephone) in 3 different LOCATIONS with non-overlapping IP addresses

I want to achieve route exchange of VRF Telephone in 3 different LOCATIONS

Example Scenario

My aim is to segregate the VLAN traffic (SVI) in different locations in the campus network. I want to keep the routes of different VLANs in one VRF, Telephone, in different locations. I want to import/export routes for VRF Telephone in different locations so that IP phones in two different locations can communicate with CUCM through the Telephone VRF:

Core Switch: (VSS)

VLAN 10 (SVI)
VRF Name: Telephone
IP subnet 10.1.1.0/24
Devices: CUCM Cluster

Distribution cluster 1 (VSS): (from building 1-10)

VLAN 20 (SVI)
VRF Name: Telephone
IP subnet 10.1.2.0/24
Devices: IP Phone

Distribution cluster 2 (VSS): (from building 11-20)

VLAN 30 (SVI)
VRF Name: Telephone
IP subnet 10.1.2.0/24
Device: IP Phone

My question:

How can we do this configuration if the distribution clusters have Layer 3 connectivity with the CORE and OSPF is running between them (meaning no Layer 2 and no subinterfaces between core and distribution)?

How will the VRF traffic communicate over the transit subnets, i.e. (Layer 3 EtherChannel), which will not be in the same VRF (Telephone)?

The example scenario is attached.

Thanks in advance.

And my VLANs and IP subnets are not overlapping from distribution to CORE.

CORE= VLAN 10:  10.10.10.1


8 Replies

Giuseppe Larosa
Hall of Fame

Hello @Learnercisco ,

You have two options:

a) VRF lite

VRF lite requires end-to-end logical connectivity WITHIN the VRF topology, so you would need VRF-mapped subinterfaces on the links between the distribution nodes and the core.

Note that you will also need a dedicated routing protocol process in the VRF Telephone to advertise the CUCM cluster from the core and the VoIP phone subnets from the distribution nodes.

This routing process can be a different OSPF process mapped in vrf Telephone.

b) Full MPLS L3VPN solution

It is more scalable (it can easily support additional VRFs in the future) but it is much more complex to configure:

You will need to configure loopback interfaces with /32 addresses on all distribution and core switches.

You will need to advertise these loopback addresses in OSPF. They must be unique in the routing domain.

You will need to enable LDP and MPLS using mpls ip at global and interface level to make LDP create the LSPs between the PE devices.

You will need to configure MP BGP in address family vpnv4 and in address family ipv4 vrf TELEPHONE.

The core should be a route reflector server.

In the vrf definition you need to enable address-family ipv4 and you need to configure the same value of route target for import and export on all devices to create the desired connectivity.

The only advantage is that you are not going to configure per-VRF subinterfaces on links between distribution and core.

So if you think that in the short / medium term you will need additional VRFs, option b) is better; if you are sure that you only need to extend a single VRF topology between three locations, option a) requires less work.

Hope to help

Giuseppe

 

Hi Giuseppe Larosa,

Thanks for your valuable reply.

A) VRF Lite: do I need to make a trunk between CORE/Distribution and make subinterfaces for each VLAN including the VRF?

b) Full MPLS L3VPN solution

Do you recommend this solution in a campus network? I supposed this would be used by an ISP to connect multiple branches geographically.

My requirement is to logically separate VLAN traffic, and only the management VLAN is allowed to communicate with other VLANs. I have more ways to implement it, but I suppose the VRF method is better from a security and management point of view.

Thanks again

Hello @Learnercisco ,

a) In VRF lite you will need a VLAN-based subinterface for each "topology": one for the global routing table and one for VRF Telephone at the moment, and yes, this usually requires the configuration of a trunk or VLAN-based subinterfaces (if supported).

b) The Full MPLS L3 VPN may be too heavy if for the moment you just have one VRF to support.

There are other options that include the use of IP access lists applied to SVI interfaces.

Option A is likely what you can do.

Hope to help

Giuseppe

 

Hi Giuseppe,

Thanks, I understand your solutions.

I have more VRFs in the design, so I would go for the MPLS VPN solution. So what I understand from your solution:

1- Core and distribution will be in OSPF area 0, each having a unique loopback address (confirm this).

2- I will run MPLS in the global config and inside the interfaces, or it can be under the OSPF process.

3- For MBGP, I will configure it between CORE and distribution for each required VRF, with ipv4 and vpnv4.

4- Please clarify the above, thanks.

Thanks for your support

Hello @Learnercisco ,

 

1) Yes, core-distribution links in area 0, using OSPF router-id = loopback address and advertising those loopbacks in OSPF.

2) mpls ip in global config and on core/distribution links.

3) MP BGP: the core switch can be configured as route reflector server for the two distribution switches to avoid configuring a full mesh of BGP sessions.

Required: address family vpnv4 and one address-family ipv4 vrf <vrf-name> for each defined VRF.

You will need to activate the neighbors in address-family vpnv4.

Most important: the MP BGP sessions must use the local loopback address as endpoint

neighbor x.x.x.x update-source loopback0

These loopback0 interfaces will be at the same time OSPF RID, LDP RID, BGP RID and BGP endpoints.

 

Hope to help

Giuseppe

 

 

Hi Giuseppe

As you see, there are three different IP subnets for Telephone, like:

Core VRF: Telephone
IP subnet: 10.1.1.0

Distribution cluster 1 VRF: Telephone
IP subnet: 10.1.2.0

Distribution cluster 2 VRF: Telephone
IP subnet: 10.1.3.0

How will the below be configured, as we need the same network for each VRF to establish the ipv4 relationship under BGP?

VPNv4 will use the loopback, so no issues for vpnv4.

Giuseppe's suggestion:

Required address family vpnv4 and one address-family ipv4 vrf <vrf-name> for each defined VRF

Hello @Learnercisco ,

 

>> how the below will be configured as we need same network for each VRF to establish ipv4 relationship under BGP

 

No, this is not needed at all.

All you need to do is the following:

On each distribution:

router bgp 65000
 ! iBGP session to the core (route reflector), sourced from the loopback
 neighbor <core-loopback> remote-as 65000
 neighbor <core-loopback> update-source Loopback0
 !
 address-family ipv4 vrf Telephone
  ! the following command will advertise each connected L3 subnet in vrf Telephone
  redistribute connected
 !
 address-family vpnv4
  neighbor <core-loopback> activate

On the core switch:

router bgp 65000
 ! iBGP sessions to both distribution clusters, sourced from the loopback
 neighbor <distrib1-loopback> remote-as 65000
 neighbor <distrib1-loopback> update-source Loopback0
 neighbor <distrib2-loopback> remote-as 65000
 neighbor <distrib2-loopback> update-source Loopback0
 !
 address-family vpnv4
  ! the core reflects VPNv4 routes between the two distribution clusters
  neighbor <distrib1-loopback> activate
  neighbor <distrib1-loopback> route-reflector-client
  neighbor <distrib2-loopback> activate
  neighbor <distrib2-loopback> route-reflector-client
 !
 address-family ipv4 vrf Telephone
  ! the following command will advertise each connected L3 subnet in vrf Telephone
  redistribute connected

When defining the vrf Telephone:

! the VRF name must match the one used in address-family ipv4 vrf above
vrf definition Telephone
 rd 65000:1
 address-family ipv4 unicast
  route-target both 65000:100

All the "magic" is done by using the same route target on all PE routers to allow them to import the remote subnets in vrf Telephone.

With Full MPLS L3 VPN there is no need for end-to-end IP connectivity in the VRF or for a common subnet: BGP peering between PE nodes happens in the GRT using loopbacks and af vpnv4. In the forwarding plane the LSP pointing to the remote PE loopback = MP BGP next-hop is used to provide the external MPLS label.

MP BGP provides the second, inner label in the VPNv4 advertisement.

 

Hope to help

Giuseppe
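
The reply above rests on every PE carrying the same route target for the VRF, which can be checked offline against saved configs. The following is an added example, not part of the original post: it flags a BGP address-family that names an undefined VRF and a device that imports no route target another device exports. The device names and sample configs are constructed, and it assumes "vrf definition" syntax and full-mesh import between all PEs.

```python
import re

def parse_vrfs(config):
    """Return (defined, referenced) for one device's IOS-style config text.
    defined: VRF name -> {"import": set, "export": set} of route targets.
    referenced: VRF names used by 'address-family ipv4 vrf <name>' under BGP."""
    defined, referenced, current = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vrf definition (\S+)$", line):
            current = m.group(1)
            defined[current] = {"import": set(), "export": set()}
        elif m := re.match(r"address-family ipv4 vrf (\S+)$", line):
            referenced.add(m.group(1))
        elif current and (m := re.match(r"route-target (import|export|both) (\S+)$", line)):
            kinds = ("import", "export") if m.group(1) == "both" else (m.group(1),)
            for kind in kinds:
                defined[current][kind].add(m.group(2))
        elif line.startswith(("router ", "interface ")):
            current = None  # left the vrf definition block
    return defined, referenced

def audit(configs, vrf):
    """configs: {device: config text}. Return findings that would break
    route exchange for `vrf` between the PE devices."""
    parsed = {dev: parse_vrfs(text) for dev, text in configs.items()}
    exports = {dev: d[vrf]["export"] for dev, (d, _) in parsed.items() if vrf in d}
    findings = []
    for dev, (defined, referenced) in parsed.items():
        for name in sorted(referenced - set(defined)):
            findings.append(f"{dev}: BGP references undefined VRF {name}")
        if vrf not in defined:
            continue
        for other, exported in exports.items():
            if other != dev and not (defined[vrf]["import"] & exported):
                findings.append(f"{dev}: imports no route target exported by {other}")
    return findings

# Constructed sample configs (not taken from the thread's devices).
BGP = "router bgp 65000\n address-family ipv4 vrf Telephone\n  redistribute connected\n"
CONFIGS = {
    "core": "vrf definition Telephone\n rd 65000:1\n address-family ipv4\n"
            "  route-target both 65000:100\n" + BGP,
    "dist1": "vrf definition Telephone\n rd 65000:1\n address-family ipv4\n"
             "  route-target export 65000:100\n  route-target import 65000:200\n" + BGP,
    "dist2": "vrf definition Telephony\n rd 65000:1\n address-family ipv4\n"
             "  route-target both 65000:100\n" + BGP,
}

if __name__ == "__main__":
    for finding in audit(CONFIGS, "Telephone"):
        print(finding)
```

Here dist1 is reported for its import mismatch and dist2 for the VRF name that BGP references but the device never defines.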

 

Hi @Giuseppe Larosa

Thanks for your suggestions. I really appreciate your support.

Could you suggest what the reconvergence time will be if the primary CORE or Distribution fails in a Virtual Switching System design? If the standby takes over, what will the convergence time be?

Device failover or link/path failover convergence time in a VSS implementation

Which implementation would you prefer for the least convergence time?

1- If we configure simple VLAN routing via the OSPF protocol & access lists for traffic filtering

2- If we configure VRF Lite by using an OSPF process for each VRF (your suggested CASE A)

3- If we configure Full MPLS VPN (your suggested CASE B)

This answer will help me to finalize the implementation either way. Thanks once again
