Multi-VRF CE Requirements
Supported Platforms
The following is a list of router platforms supported at the provider edge.
• Cisco 1700 Series as of 12.2(8)YN and higher
• Cisco 2600 series
• Cisco 3600 series
• Cisco 3700 Series as of 12.2(8)T and higher
• Cisco 7200 series
• Cisco 7500 series
Minimum IOS Required
Multi-VRF CE is introduced in Cisco IOS release 12.2(4)T.
Note: A PLUS feature set is required for this feature.
Memory Requirements
Flash
- The feature set chosen determines the amount of flash needed.
- Check CCO (http://www.cisco.com) for the minimum flash requirements for each IOS release.
- Maximum DRAM memory for each platform is recommended.
Assume a single service provider has an IP backbone to deliver MPLS-VPN services to different enterprises. There are 2 PE routers in the network and one 2611 configured for Multi-VRF CE.
In this test setup, the 2611-CE-4 represents a typical branch office with several hosts connected to it. For example, the host 2621-CE-6-e0/1.11 could represent the HR organization, whereas host 2621-CE-6-e0/1.12 could represent Finance. Both hosts connect to the 2611-CE-4 via the Ethernet interface, but each host's data must remain private from the other.
VXR-CE-East represents a typical corporate office where multiple branch offices connect via the MPLS network.
RSP-PE-East-4 and 3640-PE-West-1 represent PE routers and perform all PE functionality that has been discussed in the MPLS-VPN Overview Section.
The following policies describe the desired inter-site connectivity for this case study.
• All sub-interfaces off the 2621-CE-6 can communicate with VXR-CE-East but not with each other.
• 2611-CE-5 can communicate with VXR-CE-East but not with any host off 2621-CE-6
• All traffic off 2611-CE-4 is segmented into 5 separate VRFs (labeled vrflite1-5)
Frame Relay over T1 point-to-point sub-interfaces is used to connect 3640-PE-WEST1 and 2611-CE-4. Ethernet is used to connect 2621-CE-6 to 2611-CE-4. 802.1Q sub-interfaces comprise 4 of the 5 Ethernet connections from 2621-CE-6 to 2611-CE-4.
Duplicate IP address spaces were given to two hosts [2621-CE-6-e0/1.11 and 2611-CE-5] to show the benefit of the VRF feature with respect to IP addresses. These two connections use OSPF as the routing protocol to exchange updates with 2611-CE-4. All other hosts off 2611-CE-4 use a combination of OSPF, EBGP, RIPv2 and static routes, as shown in the charts within Figure 8. These routes are redistributed into OSPF at 2611-CE-4. The T1 interface between 3640-PE-WEST-1 and 2611-CE-4 is segmented into 5 point-to-point Frame Relay sub-interfaces, which are mapped directly to the separate VRFs attached to the Ethernet hosts off 2611-CE-4. OSPF is the routing protocol on each of the Frame Relay links. BGP is redistributed into OSPF on the 3640-PE-WEST-1 to allow routes to propagate from the separate Ethernet hosts. This route redistribution allows a given VRF on 2611-CE-4 to reach a remote host in the same VRF across the MPLS core.
Configurations
The configurations for 3640-PE-WEST-1, 2611-CE-4, 2621-CE-6, and 2611-CE-5 are listed below. The configurations for RSP-PE-EAST-1 and VXR-CE-EAST are not shown, as they are not pertinent to the Multi-VRF CE configuration. You can find sample configurations for these routers at http://www.cisco.com/go/mpls.
3640-PE-WEST-1
3640-PE-WEST-1#sh run
hostname 3640-PE-WEST-1
ip subnet-zero
!
ip vrf v11
rd 11:1
route-target export 11:1
route-target import 11:1
!
ip vrf v12
rd 12:1
route-target export 12:1
route-target import 12:1
!
ip vrf v13
rd 13:1
route-target export 13:1
route-target import 13:1
!
ip vrf v14
rd 14:1
route-target export 14:1
route-target import 14:1
!
ip vrf v15
rd 15:1
route-target export 15:1
route-target import 15:1
!
ip cef
!
controller T1 2/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
interface Loopback0
description Router ID
ip address 10.13.1.65 255.255.255.255
!
interface FastEthernet1/0
description FE to GSR-P-CENTRAL-A - 4.16
ip address 10.13.4.18 255.255.255.252
duplex auto
speed auto
!
interface Serial2/0:0
description T1 connection to CE - VRF_Lite
no ip address
encapsulation frame-relay
!
interface Serial2/0:0.1 point-to-point
description PE to VRF_Lite CE connection 1
ip vrf forwarding v11
ip address 220.1.65.5 255.255.255.252
frame-relay interface-dlci 21
!
router bgp 1
no synchronization
no bgp default ipv4-unicast
bgp log-neighbor-changes
neighbor 10.13.1.48 remote-as 1
neighbor 10.13.1.48 update-source Loopback0
neighbor 10.13.1.48 activate
neighbor 10.13.1.61 remote-as 1
neighbor 10.13.1.61 update-source Loopback0
neighbor 10.13.1.61 activate
no auto-summary
!
address-family ipv4 vrf v15
redistribute ospf 15
default-metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf v14
redistribute ospf 14 match internal external 1 external 2
default-metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf v13
redistribute ospf 13 match internal external 1 external 2
default-metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf v12
redistribute ospf 12 match internal external 1 external 2
default-metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf v11
redistribute ospf 11
default-metric 10
no auto-summary
no synchronization
exit-address-family
!
address-family vpnv4
neighbor 10.13.1.48 activate
neighbor 10.13.1.48 send-community extended
neighbor 10.13.1.61 activate
neighbor 10.13.1.61 send-community extended
no auto-summary
exit-address-family
!
ip classless
no ip http server
ntp clock-period 17179973
end
2611-CE-4
2611-CE-4#sh run
hostname 2611-CE-4
!
ip vrf vrflite1
rd 81:81
route-target export 81:81
route-target import 81:81
!
ip vrf vrflite2
rd 82:82
route-target export 82:82
route-target import 82:82
!
ip vrf vrflite3
rd 83:83
route-target export 83:83
route-target import 83:83
!
ip vrf vrflite4
rd 84:84
route-target export 84:84
route-target import 84:84
!
ip vrf vrflite5
rd 85:85
route-target export 85:85
route-target import 85:85
!
ip cef
frame-relay switching
cns event-service server
!
interface Loopback0
description Router ID
ip address 10.13.1.74 255.255.255.255
!
interface Serial0/0
description T1 connection to PE - VRF_Lite
no ip address
encapsulation frame-relay
no fair-queue
service-module t1 clock source internal
service-module t1 timeslots 1-24 speed 56
frame-relay intf-type dce
!
interface Serial0/0.1 point-to-point
description VRF_Lite CE to PE connection 1
ip vrf forwarding vrflite1
ip address 220.1.65.6 255.255.255.252
frame-relay interface-dlci 21
!
interface Serial0/0.2 point-to-point
description VRF_Lite CE to PE connection 2
ip vrf forwarding vrflite2
ip address 220.1.65.10 255.255.255.252
frame-relay interface-dlci 22
!
interface Serial0/0.3 point-to-point
description VRF_Lite CE to PE connection 3
ip vrf forwarding vrflite3
ip address 220.1.65.14 255.255.255.252
frame-relay interface-dlci 23
!
interface Serial0/0.4 point-to-point
description VRF_Lite CE to PE connection 4
ip vrf forwarding vrflite4
ip address 220.1.65.18 255.255.255.252
frame-relay interface-dlci 24
!
interface Serial0/0.5 point-to-point
description VRF_Lite CE to PE connection 5
ip vrf forwarding vrflite5
ip address 220.1.65.22 255.255.255.252
frame-relay interface-dlci 25
!
interface Ethernet0/1
description Subinterfaces to Host CE
no ip address
half-duplex
!
interface Ethernet0/1.11
description VRF_Lite CE to host 1 (dup addr)
encapsulation dot1Q 11
ip vrf forwarding vrflite1
ip address 192.1.1.1 255.255.255.0
!
interface Ethernet0/1.12
description VRF_Lite CE to host 2
encapsulation dot1Q 12
ip vrf forwarding vrflite2
ip address 192.1.2.1 255.255.255.0
!
interface Ethernet0/1.13
description VRF_Lite CE to host 3
encapsulation dot1Q 13
ip vrf forwarding vrflite3
ip address 192.1.3.1 255.255.255.0
!
interface Ethernet0/1.14
description VRF_Lite CE to host 4
encapsulation dot1Q 14
ip vrf forwarding vrflite4
ip address 192.1.4.1 255.255.255.0
!
interface Ethernet1/0
description VRF_Lite CE to host 5 (dup addr)
ip vrf forwarding vrflite5
ip address 192.1.1.1 255.255.255.0
half-duplex
!
router ospf 11 vrf vrflite1
log-adjacency-changes
area 11 virtual-link 220.1.65.5
network 192.1.1.0 0.0.0.255 area 0
network 220.1.65.4 0.0.0.3 area 11
!
router ospf 12 vrf vrflite2
log-adjacency-changes
redistribute rip subnets
network 220.1.65.8 0.0.0.3 area 12
!
router ospf 13 vrf vrflite3
log-adjacency-changes
redistribute bgp 13 subnets
network 220.1.65.12 0.0.0.3 area 13
!
router ospf 14 vrf vrflite4
log-adjacency-changes
redistribute connected
redistribute static subnets
network 220.1.65.16 0.0.0.3 area 14
!
router ospf 15 vrf vrflite5
log-adjacency-changes
area 15 virtual-link 220.1.65.21
network 192.1.1.0 0.0.0.255 area 0
network 220.1.65.20 0.0.0.3 area 15
!
router rip
version 2
!
address-family ipv4 vrf vrflite2
version 2
redistribute ospf 12
network 192.1.2.0
default-metric 1
no auto-summary
exit-address-family
!
router bgp 13
bgp log-neighbor-changes
!
address-family ipv4 vrf vrflite5
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf vrflite4
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf vrflite3
redistribute ospf 13 match internal
neighbor 192.1.3.2 remote-as 3
neighbor 192.1.3.2 activate
no auto-summary
no synchronization
network 192.1.3.0
exit-address-family
!
address-family ipv4 vrf vrflite2
no auto-summary
no synchronization
exit-address-family
!
address-family ipv4 vrf vrflite1
no auto-summary
no synchronization
exit-address-family
!
ip classless
ip route vrf vrflite4 4.4.4.0 255.255.255.0 192.1.4.2
2611-CE-5
2611-CE-5#sh run
hostname 2611-CE-5
!
ip cef
!
interface Loopback0
description Router ID
ip address 10.13.1.75 255.255.255.255
!
interface Ethernet1/0
description Host to VRF_Lite CE 5 (dup addr)
ip address 192.1.1.2 255.255.255.0
half-duplex
!
router ospf 5
log-adjacency-changes
network 192.1.1.0 0.0.0.255 area 0
!
ip classless
2621-CE-6
hostname 2621-CE-6
!
memory-size iomem 30
ip subnet-zero
ip cef
!
interface Loopback0
description Router ID
ip address 10.13.1.76 255.255.255.255
!
interface Loopback41
description Host 4 loopback 1
ip address 4.4.4.1 255.255.255.252
!
interface Loopback42
description Host 4 loopback 2
ip address 4.4.4.5 255.255.255.252
!
interface Loopback43
description Host 4 loopback 3
ip address 4.4.4.9 255.255.255.252
!
interface Ethernet0/1
description Subinterfaces to Multi-VRF CE CE
no ip address
half-duplex
!
interface Ethernet0/1.11
description Host to VRF_Lite CE 1 (dup addr)
encapsulation dot1Q 11
ip address 192.1.1.2 255.255.255.0
!
interface Ethernet0/1.12
description Host to VRF_Lite CE 2
encapsulation dot1Q 12
ip address 192.1.2.2 255.255.255.0
!
interface Ethernet0/1.13
description Host to VRF_Lite CE 3
encapsulation dot1Q 13
ip address 192.1.3.2 255.255.255.0
!
interface Ethernet0/1.14
description Host to VRF_Lite CE 4
encapsulation dot1Q 14
ip address 192.1.4.2 255.255.255.0
!
router ospf 1
log-adjacency-changes
network 192.1.1.0 0.0.0.255 area 0
!
router rip
version 2
network 192.1.2.0
!
router bgp 3
bgp log-neighbor-changes
neighbor 192.1.3.1 remote-as 13
neighbor 192.1.3.1 update-source Ethernet0/1.13
!
ip classless
ip route 220.1.65.16 255.255.255.252 192.1.4.1
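The isolation in the listings above rests on two configuration facts: each VRF imports only the route-target it exports (11:1 through 15:1 on the PE, 81:81 through 85:85 on the CE), and every customer-facing sub-interface carries an `ip vrf forwarding` line. The following Python script is an added example, not part of the Cisco paper; it parses an IOS-style running-config and reports route-target leaks and addressed sub-interfaces left in the global table. The sample configuration is constructed in the style of the 3640-PE-WEST-1 listing; the extra `route-target import 11:1` under v12 and the unbound Serial2/0:0.2 are deliberate faults that are not in the paper's configuration, and the assumption that a sub-interface (name containing a dot) is customer facing is the script's own, adjustable through the `customer_facing` predicate.

```python
"""VRF isolation audit over an IOS-style running-config (added example).

Checks: (1) route-target leaks, i.e. VRF A imports an RT that VRF B exports,
so A receives B's routes; (2) customer-facing interfaces that carry an IP
address but no 'ip vrf forwarding', which would land in the global table.
"""
import re

# Keywords that open a new top-level section and so end the current
# 'ip vrf' / 'interface' block even when no '!' separator precedes them.
TOP_LEVEL = ("router ", "controller ", "ip route", "ip classless", "ip cef",
             "ip subnet-zero", "hostname", "no ip http", "ntp ", "end")

# Constructed sample in the style of the 3640-PE-WEST-1 listing. The extra
# 'route-target import 11:1' under v12 and the unbound Serial2/0:0.2 are
# faults added for this example; they are NOT in the paper's configuration.
SAMPLE_CONFIG = """\
ip vrf v11
 rd 11:1
 route-target export 11:1
 route-target import 11:1
!
ip vrf v12
 rd 12:1
 route-target export 12:1
 route-target import 12:1
 route-target import 11:1
!
interface Loopback0
 ip address 10.13.1.65 255.255.255.255
!
interface Serial2/0:0.1 point-to-point
 ip vrf forwarding v11
 ip address 220.1.65.5 255.255.255.252
!
interface Serial2/0:0.2 point-to-point
 ip address 220.1.65.9 255.255.255.252
router bgp 1
"""

RT_RE = re.compile(r"route-target (import|export|both) (\S+)")


def parse_config(text):
    """Return (vrfs, interfaces); indentation is ignored so flattened listings parse.

    vrfs:       name -> {"rd": str|None, "import": set, "export": set}
    interfaces: name -> {"vrf": str|None, "ip": str|None}
    """
    vrfs, interfaces = {}, {}
    block = None  # ("vrf", name) | ("iface", name) | None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("description"):
            continue
        if line == "!" or line.startswith(TOP_LEVEL):
            block = None
        elif line.startswith("ip vrf ") and not line.startswith("ip vrf forwarding"):
            name = line.split()[2]
            vrfs[name] = {"rd": None, "import": set(), "export": set()}
            block = ("vrf", name)
        elif line.startswith("interface "):
            name = line.split()[1]
            interfaces[name] = {"vrf": None, "ip": None}
            block = ("iface", name)
        elif block and block[0] == "vrf":
            m = RT_RE.match(line)
            if m:
                direction, rt = m.groups()
                for d in (("import", "export") if direction == "both" else (direction,)):
                    vrfs[block[1]][d].add(rt)
            elif line.startswith("rd "):
                vrfs[block[1]]["rd"] = line.split()[1]
        elif block and block[0] == "iface":
            if line.startswith("ip vrf forwarding "):
                interfaces[block[1]]["vrf"] = line.split()[3]
            elif line.startswith("ip address "):
                interfaces[block[1]]["ip"] = line.split()[2]
    return vrfs, interfaces


def vrf_leaks(vrfs):
    """Sorted (receiver, source) pairs where receiver imports an RT that source exports."""
    return sorted((r, s) for r in vrfs for s in vrfs
                  if r != s and vrfs[r]["import"] & vrfs[s]["export"])


def unbound_interfaces(interfaces, customer_facing=lambda name: "." in name):
    """Customer-facing interfaces with an IP address but no VRF binding.

    Assumption: a sub-interface (name contains '.') faces a customer, as in the
    paper's design; pass another predicate for layouts with physical host links.
    """
    return sorted(n for n, d in interfaces.items()
                  if customer_facing(n) and d["ip"] and d["vrf"] is None)


def audit(text):
    """Run both checks and return a summary dict."""
    vrfs, interfaces = parse_config(text)
    return {"vrfs": sorted(vrfs), "leaks": vrf_leaks(vrfs),
            "unbound": unbound_interfaces(interfaces)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run against the paper's own listings (pasted into `audit`), the leak list is empty and no sub-interface is unbound, which is exactly the property the inter-site policy above depends on; the constructed sample shows what a review would flag when an import line is added by mistake or a sub-interface is addressed before its VRF is assigned.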
Network Connectivity: To verify that there is connectivity between VXR-CE-EAST, 3640-PE-WEST-1 and 2611-CE-4, several show commands are necessary.
For more detailed explanations of show commands for an MPLS network, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/vpn.htm
show ip route vrf v15 | include 200.15.44.4
3640-PE-WEST-1#sh ip route vrf v15 | include 200.15.44.4
B 200.15.44.4 [200/0] via 10.13.1.44, 00:16:59
show ip route vrf v15 200.15.44.4
3640-PE-WEST-1#sh ip route vrf v15 200.15.44.4
Routing entry for 200.15.44.4/30
Known via "bgp 1", distance 200, metric 0, type internal
Redistributing via ospf 15
Advertised by ospf 15 subnets
Last update from 10.13.1.44 00:17:10 ago
Routing Descriptor Blocks:
* 10.13.1.44 (Default-IP-Routing-Table), from 10.13.1.48, 00:17:10 ago
Route metric is 0, traffic share count is 1
AS Hops 0
show ip cef vrf v15 200.15.44.4
3640-PE-WEST-1#sh ip cef vrf v15 200.15.44.4
200.15.44.4/30, version 283, cached adjacency 10.13.4.17
0 packets, 0 bytes
tag information set
local tag: VPN-route-head
fast tag rewrite with Fa1/0, 10.13.4.17, tags imposed: {56 5899}
via 10.13.1.44, 0 dependencies, recursive
next hop 10.13.4.17, FastEthernet1/0 via 10.13.1.44/32
valid cached adjacency
tag rewrite with Fa1/0, 10.13.4.17, tags imposed: {56 5899}
show ip route | include 200.15.44.4
2611-CE-5#sh ip route | include 200.15.44.4
O E2 200.15.44.4 [110/1] via 192.1.1.1, 00:16:16, Ethernet1/0
show ip route 200.15.44.4
2611-CE-5#sh ip route 200.15.44.4
Routing entry for 200.15.44.4/30
Known via "ospf 5", distance 110, metric 1
Tag Complete, Path Length == 1, AS 1, , type extern 2, forward metric 84
Last update from 192.1.1.1 on Ethernet1/0, 00:02:12 ago
Routing Descriptor Blocks:
* 192.1.1.1, from 220.1.65.21, 00:02:12 ago, via Ethernet1/0
Route metric is 1, traffic share count is 1
show ip cef 200.15.44.4
2611-CE-5#sh ip cef 200.15.44.4
200.15.44.4/30, version 406, cached adjacency 192.1.1.1
0 packets, 0 bytes
via 192.1.1.1, Ethernet1/0, 0 dependencies
next hop 192.1.1.1, Ethernet1/0
valid cached adjacency
Verifying Network Connectivity: To verify that the host 2611-CE-5 is connected to VXR-CE-EAST, a simple ping and traceroute are all that is necessary.
A ping to the 200.15.44.4/30 network from our host CE (2611-CE-5):
2611-CE-5#ping 200.15.44.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 200.15.44.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/8 ms
And a traceroute from the destination network back to the host CE shows the path taken and the tags used along the way:
RSP-PE-EAST-4#traceroute vrf v15 192.1.1.2
Type escape sequence to abort.
Tracing the route to 192.1.1.2
1 10.13.6.161 [MPLS: Labels 90/117 Exp 0] 4 msec 8 msec 4 msec
2 10.13.3.161 0 msec 4 msec 4 msec
3 10.13.3.137 [MPLS: Labels 31/117 Exp 0] 4 msec 8 msec 4 msec
4 10.13.2.25 [MPLS: Labels 62/117 Exp 0] 4 msec 4 msec 4 msec
5 * * *
6 10.13.2.6 [MPLS: Labels 19/117 Exp 0] 4 msec 4 msec 4 msec
7 220.1.65.21 4 msec 4 msec 0 msec
8 220.1.65.22 4 msec 4 msec 4 msec
9 192.1.1.2 4 msec * 4 msec
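The traceroute above carries a two-label stack on the core hops: the outer (transport) label changes at each hop (90, 31, 62, 19) while the inner label stays 117 until the packet reaches the PE's VRF sub-interface at 220.1.65.21, after which no labels are shown. The following Python script is an added example, not from the Cisco paper; it parses IOS `traceroute vrf` output into hops and label stacks, separates the per-hop transport label from the constant VPN label, and checks that the trace ended at the intended address. The trace text embedded in the script is copied from the RSP-PE-EAST-4 output above; the interpretation that the bottom label is the VPN label chosen by the egress PE for the VRF route is standard MPLS-VPN behaviour, and the function and field names are the script's own.

```python
"""Parse IOS 'traceroute vrf' output and summarise the MPLS label stacks (added example)."""
import re

# Hop lines copied from the RSP-PE-EAST-4 traceroute in the paper.
TRACE = """\
Tracing the route to 192.1.1.2
1 10.13.6.161 [MPLS: Labels 90/117 Exp 0] 4 msec 8 msec 4 msec
2 10.13.3.161 0 msec 4 msec 4 msec
3 10.13.3.137 [MPLS: Labels 31/117 Exp 0] 4 msec 8 msec 4 msec
4 10.13.2.25 [MPLS: Labels 62/117 Exp 0] 4 msec 4 msec 4 msec
5 * * *
6 10.13.2.6 [MPLS: Labels 19/117 Exp 0] 4 msec 4 msec 4 msec
7 220.1.65.21 4 msec 4 msec 0 msec
8 220.1.65.22 4 msec 4 msec 4 msec
9 192.1.1.2 4 msec * 4 msec
"""

# Hop number, responder (or '*'), optional "[MPLS: Labels outer/inner Exp n]".
# IOS prints "Label" for a single label and "Labels" for a stack.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\[MPLS: Labels? ([\d/]+) Exp (\d+)\])?")


def parse_traceroute(text):
    """Return one dict per hop: hop, addr (None if silent), labels (outer..inner), exp."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner lines such as "Tracing the route to ..."
        num, addr, labels, exp = m.groups()
        hops.append({
            "hop": int(num),
            "addr": None if addr == "*" else addr,
            "labels": [int(x) for x in labels.split("/")] if labels else [],
            "exp": int(exp) if exp is not None else None,
        })
    return hops


def label_summary(hops):
    """Separate the per-hop transport label from the end-to-end VPN label.

    On an MPLS-VPN path the outer (transport) label is swapped at every LSR,
    while the inner (VPN) label, allocated by the egress PE for the VRF route,
    stays constant until the packet leaves the core. 'vpn_label' is None when
    the labelled hops disagree on the inner label, i.e. the trace did not stay
    in one VPN context.
    """
    labeled = [h for h in hops if h["labels"]]
    inner = {h["labels"][-1] for h in labeled}
    return {
        "vpn_label": inner.pop() if len(inner) == 1 else None,
        "transport_labels": [h["labels"][0] for h in labeled],
        "labeled_hops": [h["hop"] for h in labeled],
        "unlabeled_hops": [h["hop"] for h in hops if not h["labels"] and h["addr"]],
        "silent_hops": [h["hop"] for h in hops if h["addr"] is None],
        "exp_values": sorted({h["exp"] for h in labeled}),
    }


def reached_destination(hops, target):
    """True when the last responding hop is the address that was traced."""
    responders = [h for h in hops if h["addr"]]
    return bool(responders) and responders[-1]["addr"] == target


if __name__ == "__main__":
    parsed = parse_traceroute(TRACE)
    print(label_summary(parsed))
    print("reached 192.1.1.2:", reached_destination(parsed, "192.1.1.2"))
```

For the trace above the summary reports VPN label 117, transport labels 90, 31, 62 and 19, hop 5 as silent, and hops 2, 7, 8 and 9 as unlabelled; a second trace toward the same VRF destination that reports a different inner label, or that ends at an address outside the expected customer subnet, is the sort of discrepancy worth investigating when confirming that a VRF is still isolated.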
Application Study: Multi-Access Application
In this case study, a multi-dwelling environment is discussed where one physical infrastructure can serve several types of customers. This application can be used to segment Internet and Intranet traffic in either a local branch office or a multi-dwelling unit where the CE router is the entry and exit point to a Service Provider's network.
In Figure 9, only one Fast Ethernet interface is configured on the Host CE router, and it is segmented into two sub-interfaces. ATM or Frame Relay can be used to connect the Host CE router to the PE router. The PE router then connects to the MPLS core as described in the MPLS-VPN overview. RIPv2, OSPF, or static routing can be used as the routing protocol between the Host CE router and the PE router.
Segmentation occurs in two places in this design:
- Separate sub-interfaces, either Frame Relay or ATM: the traffic from the Host CE router to the PE router is carried on separate sub-interfaces so that each customer's data stays isolated. Each sub-interface is associated with its own VRF, which is forwarded to the PE router.
- Fast Ethernet sub-interfaces: the traffic from the local LAN is separated onto separate sub-interfaces. There is no need for a switch, as each sub-interface is assigned its own VRF.
In this application, one Fast Ethernet sub-interface is segmented for DMZ traffic, where users are allowed an Internet connection. NAT is used to keep the local LAN's IP address space private while connecting to the Internet. The other Fast Ethernet sub-interface is segmented for customer Intranet traffic. This sub-interface is used only to access the company's Intranet, thereby controlling who accesses the privately maintained network. The local LAN IP address space is also kept private, without the use of NAT.
This type of solution is a combined Internet and Intranet service offering that is more elegant and easier to configure and maintain than policy routing or the use of a switch.
Additional Resources
MPLS Virtual Private Networks
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120t/120t5/vpn.htm
Cisco IOS MPLS
http://www.cisco.com/go/mpls