
EIGRP with VRF-Lite

Steve Neff
Level 1

We currently use EIGRP in our network. We have a partner, per se, joining our network and we want to keep their routing separate and hidden. Was wondering if there was a way to use VRFs in our current EIGRP network? Our Cisco rep provided us with an MPLS-type plan using BGP, etc., but we are thinking this may be too much overhead if we can avoid it. Below is an example (GNS3 test) of what I am looking for or trying to do. I just want to use our normal EIGRP network and have it carry VRFs for this partner. Any suggestions for keeping a setup like that simple without having to enable MPLS and BGP throughout our network? Thanks for any advice!

 

# R1

ip vrf North
 rd 1:1

interface Loopback10
 ip vrf forwarding North
 ip address 172.16.10.1 255.255.255.0

interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
!

router eigrp 300
 network 1.1.1.0 0.0.0.3
 network 10.0.0.0
 no auto-summary
!
address-family ipv4 vrf North
 network 172.16.10.1 255.255.255.0
 no auto-summary
 autonomous-system 1
exit

 

# R2

ip vrf North
 rd 1:1

interface Loopback20
 ip vrf forwarding North
 ip address 172.16.20.1 255.255.255.0

interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.252
!

router eigrp 300
 network 1.1.1.0 0.0.0.3
 network 10.0.0.0
 no auto-summary
!
address-family ipv4 vrf North
 network 172.16.20.1 255.255.255.0
 no auto-summary
 autonomous-system 1
exit


Jon Marshall
Hall of Fame

Yes, you can do this and use a separate VRF under the EIGRP process for the partner.

With VRF-Lite you must configure each L3 hop as you go along, which is why administratively it can be more of an overhead than MPLS, where you only configure the PE routers.

However what this means is that each L3 device where you need the partner routing must use either -

1) trunks to interconnect to other L3 devices and then you can place the partner SVIs for the vlans in their own VRF

or

2) subinterfaces because again you need to allocate a specific subinterface to the partner VRF.

If you had two L3 devices connected with a normal P2P link then there is no way to keep the partner traffic separate.

You could use GRE tunnels if you needed to get across a certain number of L3 devices using L3 P2P links and you couldn't reconfigure them and some of the more recent switches support EVPN as well.

Hope I haven't confused the issue too much.

By all means feel free to ask for clarification :-)

Jon

Awesome. Thanks for the info. I kind of figured that, looking into my options and playing around with VRFs and EIGRP. Wasn't sure if I was missing something in particular to get it to work correctly. Makes sense. Thanks for the advice!

Peter Paluch
Cisco Employee

Hi Steve,

Running EIGRP in VRFs is absolutely fine, but that's not really where the problem lies. You can create VRFs on a single router to keep your and your customer's routes placed into different routing tables, and run EIGRP separately in each of these VRFs. The problem, however, is in how the customer's traffic shall be carried through your own network and still be somehow distinguished and differentiated from your own traffic, so that your traffic is handled by a different VRF than the customer's traffic.

With MPLS, you would need to create the VRFs just on the edge routers where the customer's traffic enters and exits your network, and even the BGP would be required only between these edge routers.

Without MPLS, things get much more awkward. You will need to create a separate VRF on each one of your routers that is to carry the customer's traffic, not just the edge routers as with MPLS. In addition, you will need to start virtualizing your interfaces so that one subinterface continues to carry your traffic while some other subinterface carries the customer's traffic, and these subinterfaces would be tied on each router to the corresponding VRF. It will work but the administrative hassle is considerably higher.

To simplify this somewhat, Cisco has actually created something they call EVN - Easy Virtual Networking. Read more about it here:

http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/layer-3-vpns-l3vpn/whitepaper_c11-638769.html

What they do here is exactly what you're trying to do: VPNs using VRFs without MPLS. The idea is that different VRFs are assigned different unique VLAN IDs (tags), and the tagging is performed automatically on all core-facing interfaces. You don't need to create subinterfaces on the core links. It's a nifty feature, this EVN, but it is still more configurationally intensive than running MPLS, and depending on the platforms you're running in your network, it may not be deployable.

So in my opinion, the choice reduces to either running MPLS, or using EVN.

Best regards,
Peter

Just to add.

Peter has explained better than I did why VRF-Lite is not the best and perhaps I should have emphasised that.

What I didn't notice was that your current router configuration would not work because, as explained by both of us, you need to use trunks or subinterfaces to keep the traffic separate.

Jon
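As an added illustration of the subinterface approach both replies describe (not part of the original thread and not any poster's configuration), here is the R1/R2 lab from the question with a tagged subinterface on the shared link placed in VRF North. VLAN ID 100 and the 172.16.12.0/30 transit subnet are assumed values chosen for the example.

```cisco
! ----- R1 (added example; VLAN 100 and 172.16.12.0/30 are assumptions) -----
ip vrf North
 rd 1:1
!
interface Loopback10
 ip vrf forwarding North
 ip address 172.16.10.1 255.255.255.0
!
! Main interface stays in the global table and carries untagged traffic
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.252
!
! Tagged subinterface carries only the partner VRF over the same link.
! Apply "ip vrf forwarding" before "ip address": binding an interface
! to a VRF removes any address already configured on it.
interface FastEthernet0/0.100
 encapsulation dot1Q 100
 ip vrf forwarding North
 ip address 172.16.12.1 255.255.255.252
!
router eigrp 300
 network 1.1.1.0 0.0.0.3
 network 10.0.0.0
 no auto-summary
 !
 ! Partner routes are exchanged only inside the VRF address family
 address-family ipv4 vrf North
  network 172.16.10.0 0.0.0.255
  network 172.16.12.0 0.0.0.3
  no auto-summary
  autonomous-system 1
 exit-address-family
!
! ----- R2: same structure, with these values changed -----
!  Loopback10 -> Loopback20, ip address 172.16.20.1 255.255.255.0
!  FastEthernet0/0 ip address 1.1.1.2 255.255.255.252
!  FastEthernet0/0.100 ip address 172.16.12.2 255.255.255.252
!  VRF address family: network 172.16.20.0 0.0.0.255
!
! ----- Checks for route separation (run on R1) -----
!  show ip eigrp vrf North neighbors   <- expect 172.16.12.2
!  show ip route vrf North             <- expect 172.16.20.0/24 via EIGRP
!  show ip route 172.16.20.0           <- expect no entry in the global table
```

Every further L3 hop that must carry the partner's routes needs the same VRF, subinterface and address-family configuration, which is the per-hop overhead the replies point out.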

That will be helpful! I will definitely look into it. Just trying to keep it simple and not as a "one off" for future employees, etc. It's not every day we get our hands into MPLS stuff. Thanks again!
