Multi-VRF CE Overview

MPLS-VPNs provide security and privacy as traffic travels through the provider network. The CE router, however, has no mechanism to guarantee private networks across the traditional LAN. Traditionally, privacy was provided either by deploying a switch and placing each client in a separate VLAN, or by deploying a separate CE router for each client organization or IP address grouping attaching to a PE. Figures 5 and 6 show the traditional solutions for LAN security within an MPLS-VPN network design.

These solutions are both costly to the customer, because additional equipment is needed, and they require more network management and provisioning at each client site. Multi-VRF CE is a new feature, introduced in Cisco IOS release 12.2(4)T, that addresses these issues.

Multi-VRF CE extends limited PE functionality to a CE router in an MPLS-VPN model. A CE router now has the ability to maintain separate VRF tables in order to extend the privacy and security of an MPLS-VPN down to a branch office rather than just at the PE router node.

CE routers use VRF interfaces to form a VLAN-like configuration on the customer side. Each VRF on the CE router is mapped to a VRF on the PE router. With Multi-VRF CE, the CE router can only configure VRF interfaces and support VRF routing tables. Multi-VRF CE extends only some of the PE functionality to the CE router: there is no label exchange, no LDP adjacency, and no labeled packet flow between PE and CE. The only PE-like functionality supported is the ability to hold multiple VRFs on the CE router so that separate routing decisions can be made per VRF. Packets are sent toward the PE as plain IP packets.

Operational Model

Figure 7 illustrates one method in which Multi-VRF CE can be used at the CE router. The connection from the PE router into the provider network uses the same path that was discussed in the MPLS-VPN overview section.

The CE router using Multi-VRF CE can segment its LAN traffic by placing each client or organization, with its own IP address space, either on separate Ethernet interfaces (such as Client 5) or on one Fast Ethernet interface segmented into multiple sub-interfaces. Each sub-interface carries its own IP address space to keep each client separate. When the CE router receives an outbound customer data packet from a directly attached interface, it performs a route lookup in the VRF associated with that site; the specific VRF is determined by the interface or sub-interface over which the packet was received. Support for multiple forwarding tables makes it easy for the CE router to provide per-VPN segregation of routing information before it is sent to the PE router. The use of a T1 line with multiple point-to-point sub-interfaces allows traffic from the CE router to the PE router to be segmented into each separate VRF.

Using Figure 7, the data path from the clients to the PE router, with Multi-VRF CE configured on the CE router, is as follows:
  1. CE-VRF learns Client 1’s VPN Red routes from a sub-interface of the Fast Ethernet interface directly attached to CE-VRF. CE-VRF then installs these routes into VRF Red.
  2. PE 1 learns Client 1’s VPN Red routes from CE-VRF and installs them into VRF Red.
  3. Local VPN Blue routes from Client 2 are not associated with VPN Red and are not imported into VRF Red.

In this model, the CE router associates a specific VRF with the clients connected to its interfaces and exchanges that information with the PE router. Routes are installed in the VRF on the Multi-VRF CE. There also needs to be a routing protocol or a static route that propagates routes from a specific VRF on the Multi-VRF CE router to the same VRF on the PE router.
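The per-VRF lookup described in the steps above, and the overlapping-address case listed under the benefits below, as an added Python model of a Multi-VRF CE (this is not Cisco code or configuration from this document; the interface names, VRF names and addresses are constructed):

```python
import ipaddress

# Constructed example: a Multi-VRF CE with two VRFs, Red and Blue, whose
# client LANs use the same private address space. Each interface or
# sub-interface is bound to exactly one VRF, and a packet is looked up
# only in the VRF of the interface it arrived on.
IFACE_TO_VRF = {
    "Fa0/0.10": "Red",      # Client 1 sub-interface (VPN Red)
    "Fa0/0.20": "Blue",     # Client 2 sub-interface (VPN Blue)
    "Serial0/0.1": "Red",   # point-to-point sub-interface to the PE, VRF Red
    "Serial0/0.2": "Blue",  # point-to-point sub-interface to the PE, VRF Blue
}

# Per-VRF routing tables: prefix -> (next hop, egress interface).
VRF_TABLES = {"Red": {}, "Blue": {}}

def install_route(vrf, prefix, next_hop, egress_iface):
    """Install a route into one VRF table. The egress interface must belong
    to that VRF, so a route can never point out of another VRF's interface."""
    if IFACE_TO_VRF.get(egress_iface) != vrf:
        raise ValueError(f"{egress_iface} is not bound to VRF {vrf}")
    VRF_TABLES[vrf][ipaddress.ip_network(prefix)] = (next_hop, egress_iface)

def vrf_routes(vrf):
    """Prefixes currently held in a VRF, as strings (for inspection)."""
    return sorted(str(net) for net in VRF_TABLES[vrf])

def lookup(ingress_iface, dst_ip):
    """Longest-prefix match in the VRF bound to the ingress interface.
    Returns (vrf, next_hop, egress_iface), or None if that VRF has no route
    (the packet is dropped rather than looked up in another VRF)."""
    vrf = IFACE_TO_VRF[ingress_iface]
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, via in VRF_TABLES[vrf].items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return None if best is None else (vrf, *best[1])

# Client 1 (VPN Red) and Client 2 (VPN Blue) both use 10.1.0.0/16 locally.
# Only VRF Red has a default route toward the PE over its own sub-interface.
install_route("Red", "10.1.0.0/16", "10.1.0.1", "Fa0/0.10")
install_route("Red", "0.0.0.0/0", "192.168.1.1", "Serial0/0.1")
install_route("Blue", "10.1.0.0/16", "10.1.0.1", "Fa0/0.20")
install_route("Blue", "10.9.0.0/16", "10.9.0.1", "Fa0/0.20")  # Blue-only LAN
```

Looking up the same destination from the Red and Blue sub-interfaces yields different next hops, and a Blue-only prefix never appears in the Red table, which is the segregation the text describes.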

Benefits of Multi-VRF CE
  1. Without the use of cryptographic techniques (IPSec), security on the customer’s LAN is equivalent to that provided by existing Layer 2 (ATM or Frame Relay) connections, without the use of an additional switch.
  2. Only one CE router is needed, which simplifies provisioning and network management compared with a multiple-CE-router solution.
  3. The CE router has VRF functionality to provide VPN routing information, so there are fewer routing updates to manage.
  4. Overlapping customer address spaces. VPN customers often manage their own networks and use private address spaces. If customers do not use globally unique IP addresses, the same 32-bit IPv4 address can be used to identify different systems in different VPNs. This can cause routing difficulties because BGP assumes that each IPv4 address it carries is globally unique. To solve this problem, MPLS-VPNs support a mechanism that converts non-unique IP addresses into globally unique addresses by combining the VPN-IPv4 address family with Multiprotocol BGP Extensions (MP-BGP).
  5. No need for NAT to support overlapping IP address space. However, NAT may still be required in order to send traffic to the Internet.
  6. Extends PE routers. A Multi-VRF router could use 5 different OSPF processes to connect to 5 different customers at the same site, and then use BGP to propagate the routes to the PE router.