Re: MPLS VRF - Lite and Ideas

Al,

In VRF-lite, links connected to the customer belong to a VRF, and then you
have an uplink (connected to PE or other device) for each customer in the
same VRF. The segmentation in VRF-lite is really locally significant. It's
the design that makes it useful to segment traffic across the network.

Also, there is no need for a label in a VRF-lite scenario. Labeling is
needed is when you have a device that is forwarding based on something other
than destination IP address (e.g. in MPLS VPN, forwarding in a P-cloud is
based on the egress PE's address so a label is needed). In this case the CE
(or router doing VRF-lite) is still using the destination IP to make its
decision, so it does not need any label.

-hth

On Tue, Sep 15, 2009 at 10:04 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:

> Many thanks for this. Ok, simple enough ... I appreciate you both writing
> such a good post.
>
> Question though related to internet access and multiple sites.
>
> Lets say we have R1 and R2, just as you have them above. How does each
> router know to keep traffic for each VRF? I do not see labels being used
> in
> the configs you provide ...
>
> It appears that VRF lite requires dedicated links for forwarding and
> keeping
> the route updates separate.
>
> I know I am mixing technologies here with this next question, but just
> curious about this ...
>
> When I have a CE and have segmented multiple customers off of this CE, how
> does the uplink / PE know which traffic goes to and from each customer VRF?
> I need to inform the PE of which routes to send to the CE and to which VRF
> ... perhaps this is not possible w/ VRF lite.
>
> Joe - I would imagine that VRF Lite works well with dot1x sub interfaces.
>
> The link I found previously, was somewhat of a mix of regular MPLS VPNS,
> and
> CSC ... where the CSC configs required the sending of labels, and treated
> this CE device like a customer PE
>
> Understand my confusion when I was reading this? ;-)
>
> VRF lite reminds me a little of private VLANs ... these are similar IMO.
> Although ... w/ VRF lite, I do not see the configuration of a promiscuous
> port ... how to uplink multiple customer VRFs?
>
> Also, on a side note, this would be an odd thing to add to the lab IMO
> ...
>
> Many TIA,
>
> Andrew
>
>
>
> On Tue, Sep 15, 2009 at 4:37 PM, Joe Astorino <jastorino_at_ipexpert.com
> >wrote:
>
> > The way I understand it, VRF-Lite is basically VRFs but without the BGP
> to
> > transport the routes. Also, there seems to be a stressing of using
> switches
> > to trunk to router sub-interfaces for different VRFs.
> >
> >
> > On Tue, Sep 15, 2009 at 4:28 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> >
> >> Hi,
> >>
> >> Believe me or not, but for me VRF lite is only 3-commands feature:
> >> #ip vrf <name>
> >> #rd <asn:nn>
> >> #ip vrf forwarding <name>
> >>
> >> Rest of commands only support prefixes delivery in my opinion.
> >> Take a look at the following config and decide if this is VRF Lite or
> not
> >> :)
> >>
> >> Topo: R1 ==== R2 (two links, each in separate VRF)
> >>
> >> R1 config:
> >>
> >> ip vrf CUST1
> >> rd 1:1
> >> !
> >> ip vrf CUST2
> >> rd 2:2
> >>
> >> interface Loopback0
> >> ip vrf forwarding CUST1
> >> ip address 1.1.1.1 255.255.255.0
> >> !
> >> interface Loopback1
> >> ip vrf forwarding CUST2
> >> ip address 11.11.11.11 255.255.255.0
> >> !
> >> interface FastEthernet0/0
> >> ip vrf forwarding CUST1
> >> ip address 10.1.12.1 255.255.255.0
> >> !
> >> interface FastEthernet0/1
> >> ip vrf forwarding CUST2
> >> ip address 10.1.21.1 255.255.255.0
> >> !
> >> router rip
> >> version 2
> >> no auto-summary
> >> !
> >> address-family ipv4 vrf CUST2
> >> network 10.0.0.0
> >> network 11.0.0.0
> >> no auto-summary
> >> exit-address-family
> >> !
> >> address-family ipv4 vrf CUST1
> >> network 1.0.0.0
> >> network 10.0.0.0
> >> no auto-summary
> >> exit-address-family
> >> !
> >>
> >>
> >>
> >>
> >>
> >> R2 config:
> >>
> >> ip vrf CUST1
> >> rd 1:1
> >> !
> >> ip vrf CUST2
> >> rd 2:2
> >> !
> >> interface Loopback0
> >> ip vrf forwarding CUST1
> >> ip address 2.2.2.2 255.255.255.0
> >> !
> >> interface Loopback1
> >> ip vrf forwarding CUST2
> >> ip address 22.22.22.22 255.255.255.0
> >> !
> >> interface FastEthernet0/0
> >> ip vrf forwarding CUST1
> >> ip address 10.1.12.2 255.255.255.0
> >> !
> >> interface FastEthernet0/1
> >> ip vrf forwarding CUST2
> >> ip address 10.1.21.2 255.255.255.0
> >> !
> >> router rip
> >> version 2
> >> no auto-summary
> >> !
> >> address-family ipv4 vrf CUST2
> >> network 10.0.0.0
> >> network 22.0.0.0
> >> no auto-summary
> >> exit-address-family
> >> !
> >> address-family ipv4 vrf CUST1
> >> network 2.0.0.0
> >> network 10.0.0.0
> >> no auto-summary
> >> exit-address-family
> >>
> >>
> >> TEST:
> >>
> >> R1#sh ip ro vrf CUST1 rip
> >> 2.0.0.0/24 is subnetted, 1 subnets
> >> R 2.2.2.0 [120/1] via 10.1.12.2, 00:00:09, FastEthernet0/0
> >> R1#
> >>
> >> R1#sh ip ro vrf CUST2 rip
> >> 22.0.0.0/24 is subnetted, 1 subnets
> >> R 22.22.22.0 [120/1] via 10.1.21.2, 00:00:06, FastEthernet0/1
> >>
> >> R1#ping vrf CUST2 22.22.22.22 so lo1
> >>
> >> Type escape sequence to abort.
> >> Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
> >> Packet sent with a source address of 11.11.11.11
> >> !!!!!
> >> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/44 ms
> >> R1#
> >>
> >>
> >>
> >> --
> >> Piotr Matusiak
> >> CCIE #19860 (R&S, SEC)
> >>
> >>
> >>
> >>
> >>
> >> 2009/9/15 ALL From_NJ <all.from.nj_at_gmail.com>:
> >> > Hey folk,
> >> >
> >> > I have not done vrf lite before ... and I found some docs related to
> >> mpls
> >> > lite, but am not able to find much on the doc cd. Here is what I
> found:
> >> >
> >> >
> >>
> http://www.cisco.com/en/US/docs/ios/12_2sb/12_2sba/feature/guide/vrflite.html
> >> >
> >> > Any better links than the one above? This seems to be a bit dated and
> >> not
> >> > all the commands work ...
> >> >
> >> > Notes on VRF Lite:
> >> > - VRF Lite appears to be plain MPLS VPNs configured, with the
> send-label
> >> > command on the PEs, and MPLS configured between PE and CE. Any other
> >> > throughts?
> >> >
> >> > Also, I am looking for some additional lab ideas on MPLS VPNs ...
> >> > configuring them is not too hard, and tshooting my own screwups has
> been
> >> > entertaining. I am looking for some ideas on ways to make this
> better.
> >> >
> >> > The config examples are pretty easy to follow in case e get hung up on
> a
> >> > task ...
> >> >
> >>
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_cfg_layer3_vpn_ps6350_TSD_Products_Configuration_Guide_Chapter.html
> >> >
> >> > Many TIA,
> >> >
> >> > --
> >> > Andrew Lee Lissitz
> >> > all.from.nj_at_gmail.com
> >> >
> >> >
> >> > Blogs and organic groups at http://www.ccie.net
> >> >
> >> >
> _______________________________________________________________________
> >> > Subscription information may be found at:
> >> > http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> >
> > --
> > Regards,
> >
> > Joe Astorino - CCIE #24347 R&S
> > Technical Instructor - IPexpert, Inc.
> > Cell: +1.586.212.6107
> > Fax: +1.810.454.0130
> > Mailto: jastorino_at_ipexpert.com
> >
>
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
>
>
>
>
>
>

-- 
Bryan Bartik
CCIE #23707 (R&S), CCNP
Sr. Support Engineer - IPexpert, Inc.
URL: http://www.IPexpert.com
Blogs and organic groups at http://www.ccie.net