06-19-2020 02:52 AM - edited 06-19-2020 02:56 AM
My aim
Access to distribution: Layer 2
distribution to CORE: Layer 3 (I want to use VRF for VLAN (SVI) Layer 3 routing table separation and OSPF for routing)
SAME VRF (Telephone) in 3 different LOCATIONS with non-overlapping IP addresses
I want to achieve route exchange of VRF Telephone in 3 different LOCATIONS
Example Scenario
My aim is to segregate the VLAN traffic (SVI) in different locations in the campus network. I want to keep routes of different VLANs in one VRF Telephone in different locations. I want to import/export routes for VRF Telephone in different locations so that IP phones in two different locations can communicate with CUCM through the Telephone VRF:
Core Switch: (VSS)
VLAN 10 (SVI)
VRF Name: Telephone
IP subnet 10.1.1.0/24
Devices: CUCM Cluster
Distribution cluster 1 (VSS): (from building 1-10)
VLAN 20 (SVI)
VRF Name: Telephone
IP subnet 10.1.2.0/24
Devices: IP Phone
Distribution cluster 2 (VSS): (from building 11-20)
VLAN 30 (SVI)
VRF Name: Telephone
IP subnet 10.1.2.0/24
Device: IP Phone
My question:
How can we do this configuration if the distribution clusters have Layer 3 connectivity with the CORE and OSPF is running between them (meaning no Layer 2 and subinterfaces between core and distribution)?
How will the VRF traffic communicate over the transit subnets, i.e. (Layer 3 EtherChannel), which will not be in the same VRF (Telephone)?
Example scenario is attached.
Thanks in advance.
And my VLANs and IP subnets are not overlapping from distribution to CORE.
CORE= VLAN 10: 10.10.10.1
06-19-2020 05:33 AM - edited 06-19-2020 05:34 AM
Hello @Learnercisco ,
You have two options:
a) VRF lite
VRF lite requires end to end logical connectivity WITHIN the VRF topology so you would need VRF mapped subinterfaces on the links between the distribution nodes and the core.
To be noted you will also need a dedicated routing protocol process in the VRF Telephone to advertise the CUCM cluster from core and the VOIP phones subnets from distribution nodes.
This routing process can be a different OSPF process mapped in vrf Telephone.
b) Full MPLS L3VPN solution
It is more scalable (it can easily support additional VRFs in the future) but it is much more complex to configure:
You will need to configure loopback interfaces with /32 addresses on all distribution and core switches.
You will need to advertise these loopback addresses in OSPF. They must be unique in the routing domain.
You will need to enable LDP and MPLS using mpls ip at global and interface level to make LDP create the LSPs between the PE devices.
You will need to configure MP BGP in address family vpnv4 and in address family ipv4 vrf TELEPHONE.
The core should be a route reflector server.
In the vrf definition you need to enable address-family ipv4 and you need to configure the same value of route target for import and export on all devices to create the desired connectivity.
The only advantage is that you are not going to configure per VRF subinterfaces on links between distribution and core.
So if you think that in the short / medium term you will need additional VRFs, option b) is better; if you are sure that you only need to extend a single VRF topology between three locations, option a) requires less work.
Hope to help
Giuseppe
06-19-2020 05:48 AM
Hi Giuseppe Larosa,
Thanks for your valuable reply.
A) VRF Lite: may I need to make the trunk between CORE/Distribution, and I will make subinterfaces for each VLAN including the VRF?
b) Full MPLS L3VPN solution
Do you recommend this solution in a campus network? Because I supposed this will be used in an ISP to connect multiple branches geographically.
Because my requirement is to logically separate VLAN traffic, and only the management VLAN is allowed to communicate with other VLANs. I have more ways to implement it, but I suppose the VRF method is better from a security and management point of view.
Thanks again
06-19-2020 06:48 AM
Hello @Learnercisco ,
a) In VRF lite you will need a VLAN-based subinterface for each "topology": one for the global routing table and one for VRF Telephony at the moment, and yes, this usually requires the configuration of a trunk or VLAN-based subinterfaces (if supported).
b) the Full MPLS L3 VPN may be too heavy if for the moment you just have one VRF to support.
There are other options that include the use of IP Access lists applied to SVI interfaces.
Option A is likely what you can do.
Hope to help
Giuseppe
06-19-2020 07:23 AM
Hi Giuseppe,
Thanks, I understand your solutions.
I have more VRFs in the design, so I would go for the MPLS VPN solution. So what I understand from your solution:
1- Core and distribution will be in OSPF area0 having unique loop address (confirm this)
2- I will run MPLS in the global and inside the interfaces, or it can be under the OSPF process.
3- For MBGP, I will configure it between CORE and distribution for each required VRF with ipv4 and vpnv4
4- Please clarify the above, thanks.
Thanks for your support
06-19-2020 07:38 AM
Hello @Learnercisco ,
1) Yes, core-distribution links in area 0, using OSPF router-id = loopback address and advertising those loopbacks in OSPF.
2) mpls ip in global config and on core/distribution links.
3) MP BGP: the core switch can be configured as route reflector server for the two distribution nodes to avoid configuring a full mesh of BGP sessions.
Required: address family vpnv4 and one address-family ipv4 vrf <vrf-name> for each defined VRF.
You will need to activate the neighbors in address-family vpnv4.
Most important, the MP BGP sessions must use the local loopback address as endpoint:
 neighbor x.x.x.x update-source loopback0
These loopback0 interfaces will be at the same time OSPF RID, LDP RID, BGP RID and BGP endpoints.
Hope to help
Giuseppe
06-21-2020 12:08 AM
Hi Giuseppe
As you see, there are three different IP subnets for Telephone, like:
Core VRF: Telephone
IP subnet: 10.1.1.0
Distribution cluster 1 VRF: Telephone
IP subnet: 10.1.2.0
Distribution cluster 2 VRF: Telephone
IP subnet: 10.1.3.0
How will the below be configured, as we need the same network for each VRF to establish the ipv4 relationship under BGP?
VPNv4 will be loopback, no issues for vpnv4.
Giuseppe's suggestion:
Required address family vpnv4 and one address-family ipv4 vrf <vrf-name> for each defined VRF
06-21-2020 11:42 AM
Hello @Learnercisco ,
>> how the below will be configured as we need same network for each VRF to establish ipv4 relationship under BGP
No, this is not needed at all.
All you need to do is the following:
On each distribution switch:
router bgp 65000
 neighbor <core-loopback> remote-as 65000
 neighbor <core-loopback> update-source loop0
 !
 address-family ipv4 vrf Telephone
  ! the following command will advertise each connected L3 subnet in vrf Telephone
  redistribute connected
 !
 address-family vpnv4
  neighbor <core-loopback> activate
On the core switch:
router bgp 65000
 neighbor <distrib1-loopback> remote-as 65000
 neighbor <distrib1-loopback> update-source loop0
 neighbor <distrib2-loopback> remote-as 65000
 neighbor <distrib2-loopback> update-source loop0
 !
 address-family vpnv4
  ! the core reflects VPNv4 routes between the two distribution switches
  neighbor <distrib1-loopback> activate
  neighbor <distrib1-loopback> route-reflector-client
  neighbor <distrib2-loopback> activate
  neighbor <distrib2-loopback> route-reflector-client
 !
 address-family ipv4 vrf Telephone
  ! the following command will advertise each connected L3 subnet in vrf Telephone
  redistribute connected
When defining the VRF Telephone (the name must match the one used under router bgp):
vrf definition Telephone
 rd 65000:1
 address-family ipv4 unicast
  ! same route target for import and export on all PE devices
  route-target both 65000:100
All the "magic" is done by using the same route target on all PE routers to allow them to import the remote subnets in vrf Telephone.
With Full MPLS L3 VPN there is no need for end-to-end IP connectivity in the VRF or to have a common subnet; BGP peering between PE nodes happens in the GRT using loopbacks and af vpnv4. In the forwarding plane, the LSP pointing to the remote PE loopback = MP BGP next-hop is used to provide the external MPLS label.
MP BGP provides the second inner label in VPNv4 advertisement.
Hope to help
Giuseppe
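The answer above depends on every PE using the same route target for a VRF and the same VRF name under `router bgp`. As an added example (not part of the original thread, and not a Cisco tool), this Python script audits saved configurations for two mistakes that break or weaken that design: a BGP address family that names an undefined VRF, and a route-target import that pulls one VRF's routes into a differently named VRF. The device names, the Guest VRF and the sample configurations are constructed for illustration.

```python
import re
# Constructed sample configs for hypothetical devices CORE, DIST1, DIST2 (not from the thread).
BASE = """vrf definition Telephone
 rd 65000:1
 address-family ipv4 unicast
  route-target both 65000:100
router bgp 65000
 address-family ipv4 vrf Telephone
"""
GUEST = """vrf definition Guest
 rd 65000:2
 address-family ipv4 unicast
  route-target both 65000:200
  route-target import 65000:100
"""
CONFIGS = {
    "CORE": BASE,
    "DIST1": BASE.replace("ipv4 vrf Telephone", "ipv4 vrf Telephony"),  # name mismatch under BGP
    "DIST2": GUEST + BASE,  # hypothetical Guest VRF also imports the Telephone RT
}

def parse(config):
    """Return (RT import/export sets per defined VRF, VRF names referenced under BGP)."""
    vrfs, bgp_refs, cur = {}, set(), None
    for line in config.splitlines():
        if line and not line.startswith(" "):  # top-level line opens a new section
            cur = m.group(1) if (m := re.match(r"vrf definition (\S+)", line)) else None
            if cur:
                vrfs[cur] = {"import": set(), "export": set()}
        elif cur and (m := re.match(r"\s+route-target (both|import|export) (\S+)", line)):
            for d in ("import", "export") if m.group(1) == "both" else (m.group(1),):
                vrfs[cur][d].add(m.group(2))
        elif m := re.match(r"\s+address-family ipv4 vrf (\S+)", line):
            bgp_refs.add(m.group(1))
    return vrfs, bgp_refs

def audit(configs):
    """Flag BGP references to undefined VRFs and RT imports that join differently named VRFs."""
    parsed = {dev: parse(cfg) for dev, cfg in configs.items()}
    exports = {(n, rt) for v, _ in parsed.values() for n, s in v.items() for rt in s["export"]}
    findings = []
    for dev, (vrfs, refs) in parsed.items():
        for name in sorted(refs - set(vrfs)):
            findings.append(f"{dev}: BGP references undefined VRF {name}")
        for name, rts in vrfs.items():
            for src in sorted({n for n, rt in exports if rt in rts["import"] and n != name}):
                findings.append(f"{dev}: VRF {name} imports routes exported by VRF {src}")
    return findings

print(*audit(CONFIGS), sep="\n")
```

Some designs import another VRF's route target on purpose (a shared-services VRF, for example), so a cross-VRF finding is a prompt to confirm the import is intended rather than proof of a leak.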
06-22-2020 05:13 AM - edited 06-22-2020 05:14 AM
Thanks for your suggestions. I really appreciate your support.
Could you suggest what the reconvergence time will be if the primary CORE or Distribution fails in a Virtual Switching System design? If the standby takes over, what will the convergence time be?
Device failover or link/path failover convergence time in a VSS implementation:
Which implementation would you prefer for the least convergence time?
1- If we configure simple VLAN routing via the OSPF protocol & access lists for traffic filtering
2- If we configure VRF Lite by using an OSPF process for each VRF (your suggested CASE A)
3- If we configure Full MPLS VPN (your suggested CASE B)
This answer will help me to finalize the implementation in either way. Thanks once again