Re: MPLS VRF - Lite and Ideas

From: ALL From_NJ <all.from.nj_at_gmail.com>
Date: Fri, 18 Sep 2009 09:22:11 -0400

Lol ... was tired I did not include you all in this email. Oh boy ...

On Fri, Sep 18, 2009 at 2:13 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:

> Got started on this tonight ... and it is now 2AM ... I need to let it go
> for the night. Here is the new topology:
>
> R1 (access to the internet and the rest of enterprise)
> |
> R5 (configured for vrf lite)
> |
> R4 and R6 are each in their own VRF.
>
> I have gotten partial connectivity, but the rest of the world does not and
> cannot get to the two vrfs that I segmented off of R5. I keep thinking I am
> missing something simple ... oh well. I have tried to look over some docs
> ... but to no avail.
>
> It is very easy to create a segmented network w/ VRF lite. But how to link
> this with the rest of the world? I have yet to see a working config where
> vrf lite is linked to the regular network. Everything seems to show
> separate links throughout the network and keeping the vrfs separate. No
> magic there ... just simple segmentation.
>
> Sorry team, I do not have any configs for you all and/or outputs to show.
> I will pick this up again tomorrow.
>
> I am an eager listener in case you all have some advice or have also labbed
> this up and are able to link vrf lite to the rest of the network. ;-))
>
> Have a good night,
>
> Andrew
>
>
>
> On Wed, Sep 16, 2009 at 10:25 PM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
>
>> Not sure if that's the best topology (route leaking to global table) to
>> learn it...but tell us what you find :-) Piotr had a pretty simple but good
>> explanation. VRF-lite is usually just a part of the picture in a bigger
>> topology...
>>
>>
>> On Wed, Sep 16, 2009 at 10:09 AM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>
>>> Ok, I think I got it, thanks everyone. I will lab this up. Here is my
>>> topology:
>>>
>>> R1 - (Internet simulated) - R5 to R4 and R8. (R2 and R3 are sitting off
>>> of the internet as well ...)
>>>
>>> R5 will have VRF lite to each R4 and R8. R4 and R8 will have unique and
>>> then overlapping addresses.
>>>
>>> Will try and route traffic from R1 to R4/R8.
>>>
>>> On R5, I need to allow routes from R4 and R8 into global routing table so
>>> I can advertise reachability to the 'internet' and of course R1. I suppose
>>> static will also work just fine ... so perhaps I will start with advertising
>>> statics into my global table and then move on to RIP and OSPF.
>>>
>>> Can I assume the absence of route targets makes this possible? Normally
>>> I would control routing updates via route targets ... here I do not have
>>> any.
>>>
>>> Can you all comment on my test topology? Think this is a good lab for me
>>> to test and learn theory / configs?
>>>
>>> Many TIA,
>>>
>>> Andrew
>>>
>>>
>>>
>>> On Wed, Sep 16, 2009 at 10:55 AM, Bryan Bartik <bbartik_at_ipexpert.com> wrote:
>>>
>>>> Al,
>>>>
>>>> In VRF-lite, links connected to the customer belong to a VRF, and then
>>>> you have an uplink (connected to PE or other device) for each customer in
>>>> the same VRF. The segmentation in VRF-lite is really locally significant.
>>>> It's the design that makes it useful to segment traffic across the network.
>>>>
>>>> Also, there is no need for a label in a VRF-lite scenario. Labeling is
>>>> needed when you have a device that is forwarding based on something other
>>>> than destination IP address (e.g. in MPLS VPN, forwarding in a P-cloud is
>>>> based on the egress PE's address so a label is needed). In this case the CE
>>>> (or router doing VRF-lite) is still using the destination IP to make its
>>>> decision, so it does not need any label.
>>>>
>>>> -hth
>>>>
>>>>
>>>> On Tue, Sep 15, 2009 at 10:04 PM, ALL From_NJ <all.from.nj_at_gmail.com> wrote:
>>>>
>>>>> Many thanks for this. Ok, simple enough ... I appreciate you both writing
>>>>> such a good post.
>>>>>
>>>>> Question though related to internet access and multiple sites.
>>>>>
>>>>> Let's say we have R1 and R2, just as you have them above. How does each
>>>>> router know to keep traffic for each VRF? I do not see labels being used in
>>>>> the configs you provide ...
>>>>>
>>>>> It appears that VRF lite requires dedicated links for forwarding and keeping
>>>>> the route updates separate.
>>>>>
>>>>> I know I am mixing technologies here with this next question, but just
>>>>> curious about this ...
>>>>>
>>>>> When I have a CE and have segmented multiple customers off of this CE, how
>>>>> does the uplink / PE know which traffic goes to and from each customer VRF?
>>>>> I need to inform the PE of which routes to send to the CE and to which VRF
>>>>> ... perhaps this is not possible w/ VRF lite.
>>>>>
>>>>> Joe - I would imagine that VRF Lite works well with dot1x sub interfaces.
>>>>>
>>>>> The link I found previously, was somewhat of a mix of regular MPLS VPNS, and
>>>>> CSC ... where the CSC configs required the sending of labels, and treated
>>>>> this CE device like a customer PE
>>>>>
>>>>> Understand my confusion when I was reading this? ;-)
>>>>>
>>>>> VRF lite reminds me a little of private VLANs ... these are similar IMO.
>>>>> Although ... w/ VRF lite, I do not see the configuration of a promiscuous
>>>>> port ... how to uplink multiple customer VRFs?
>>>>>
>>>>> Also, on a side note, this would be an odd thing to add to the lab IMO ...
>>>>>
>>>>> Many TIA,
>>>>>
>>>>> Andrew
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Sep 15, 2009 at 4:37 PM, Joe Astorino <jastorino_at_ipexpert.com> wrote:
>>>>>
>>>>> > The way I understand it, VRF-Lite is basically VRFs but without the BGP to
>>>>> > transport the routes. Also, there seems to be a stressing of using switches
>>>>> > to trunk to router sub-interfaces for different VRFs.
>>>>> >
>>>>> >
>>>>> > On Tue, Sep 15, 2009 at 4:28 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
>>>>> >
>>>>> >> Hi,
>>>>> >>
>>>>> >> Believe it or not, but for me VRF lite is only a 3-command feature:
>>>>> >> #ip vrf <name>
>>>>> >> #rd <asn:nn>
>>>>> >> #ip vrf forwarding <name>
>>>>> >>
>>>>> >> The rest of the commands only support prefix delivery, in my opinion.
>>>>> >> Take a look at the following config and decide if this is VRF Lite or not :)
>>>>> >>
>>>>> >> Topo: R1 ==== R2 (two links, each in separate VRF)
>>>>> >>
>>>>> >> R1 config:
>>>>> >>
>>>>> >> ip vrf CUST1
>>>>> >>  rd 1:1
>>>>> >> !
>>>>> >> ip vrf CUST2
>>>>> >>  rd 2:2
>>>>> >>
>>>>> >> interface Loopback0
>>>>> >>  ip vrf forwarding CUST1
>>>>> >>  ip address 1.1.1.1 255.255.255.0
>>>>> >> !
>>>>> >> interface Loopback1
>>>>> >>  ip vrf forwarding CUST2
>>>>> >>  ip address 11.11.11.11 255.255.255.0
>>>>> >> !
>>>>> >> interface FastEthernet0/0
>>>>> >>  ip vrf forwarding CUST1
>>>>> >>  ip address 10.1.12.1 255.255.255.0
>>>>> >> !
>>>>> >> interface FastEthernet0/1
>>>>> >>  ip vrf forwarding CUST2
>>>>> >>  ip address 10.1.21.1 255.255.255.0
>>>>> >> !
>>>>> >> router rip
>>>>> >>  version 2
>>>>> >>  no auto-summary
>>>>> >>  !
>>>>> >>  address-family ipv4 vrf CUST2
>>>>> >>   network 10.0.0.0
>>>>> >>   network 11.0.0.0
>>>>> >>   no auto-summary
>>>>> >>  exit-address-family
>>>>> >>  !
>>>>> >>  address-family ipv4 vrf CUST1
>>>>> >>   network 1.0.0.0
>>>>> >>   network 10.0.0.0
>>>>> >>   no auto-summary
>>>>> >>  exit-address-family
>>>>> >> !
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> R2 config:
>>>>> >>
>>>>> >> ip vrf CUST1
>>>>> >>  rd 1:1
>>>>> >> !
>>>>> >> ip vrf CUST2
>>>>> >>  rd 2:2
>>>>> >> !
>>>>> >> interface Loopback0
>>>>> >>  ip vrf forwarding CUST1
>>>>> >>  ip address 2.2.2.2 255.255.255.0
>>>>> >> !
>>>>> >> interface Loopback1
>>>>> >>  ip vrf forwarding CUST2
>>>>> >>  ip address 22.22.22.22 255.255.255.0
>>>>> >> !
>>>>> >> interface FastEthernet0/0
>>>>> >>  ip vrf forwarding CUST1
>>>>> >>  ip address 10.1.12.2 255.255.255.0
>>>>> >> !
>>>>> >> interface FastEthernet0/1
>>>>> >>  ip vrf forwarding CUST2
>>>>> >>  ip address 10.1.21.2 255.255.255.0
>>>>> >> !
>>>>> >> router rip
>>>>> >>  version 2
>>>>> >>  no auto-summary
>>>>> >>  !
>>>>> >>  address-family ipv4 vrf CUST2
>>>>> >>   network 10.0.0.0
>>>>> >>   network 22.0.0.0
>>>>> >>   no auto-summary
>>>>> >>  exit-address-family
>>>>> >>  !
>>>>> >>  address-family ipv4 vrf CUST1
>>>>> >>   network 2.0.0.0
>>>>> >>   network 10.0.0.0
>>>>> >>   no auto-summary
>>>>> >>  exit-address-family
>>>>> >>
>>>>> >>
>>>>> >> TEST:
>>>>> >>
>>>>> >> R1#sh ip ro vrf CUST1 rip
>>>>> >> 2.0.0.0/24 is subnetted, 1 subnets
>>>>> >> R 2.2.2.0 [120/1] via 10.1.12.2, 00:00:09, FastEthernet0/0
>>>>> >> R1#
>>>>> >>
>>>>> >> R1#sh ip ro vrf CUST2 rip
>>>>> >> 22.0.0.0/24 is subnetted, 1 subnets
>>>>> >> R 22.22.22.0 [120/1] via 10.1.21.2, 00:00:06, FastEthernet0/1
>>>>> >>
>>>>> >> R1#ping vrf CUST2 22.22.22.22 so lo1
>>>>> >>
>>>>> >> Type escape sequence to abort.
>>>>> >> Sending 5, 100-byte ICMP Echos to 22.22.22.22, timeout is 2 seconds:
>>>>> >> Packet sent with a source address of 11.11.11.11
>>>>> >> !!!!!
>>>>> >> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/20/44 ms
>>>>> >> R1#
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> --
>>>>> >> Piotr Matusiak
>>>>> >> CCIE #19860 (R&S, SEC)
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >>
>>>>> >> 2009/9/15 ALL From_NJ <all.from.nj_at_gmail.com>:
>>>>> >> > Hey folk,
>>>>> >> >
>>>>> >> > I have not done vrf lite before ... and I found some docs related to mpls
>>>>> >> > lite, but am not able to find much on the doc cd. Here is what I found:
>>>>> >> >
>>>>> >> > http://www.cisco.com/en/US/docs/ios/12_2sb/12_2sba/feature/guide/vrflite.html
>>>>> >> >
>>>>> >> > Any better links than the one above? This seems to be a bit dated and not
>>>>> >> > all the commands work ...
>>>>> >> >
>>>>> >> > Notes on VRF Lite:
>>>>> >> > - VRF Lite appears to be plain MPLS VPNs configured, with the send-label
>>>>> >> > command on the PEs, and MPLS configured between PE and CE. Any other
>>>>> >> > thoughts?
>>>>> >> >
>>>>> >> > Also, I am looking for some additional lab ideas on MPLS VPNs ...
>>>>> >> > configuring them is not too hard, and tshooting my own screwups has been
>>>>> >> > entertaining. I am looking for some ideas on ways to make this better.
>>>>> >> >
>>>>> >> > The config examples are pretty easy to follow in case we get hung up on a
>>>>> >> > task ...
>>>>> >> >
>>>>> >> > http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_cfg_layer3_vpn_ps6350_TSD_Products_Configuration_Guide_Chapter.html
>>>>> >> >
>>>>> >> > Many TIA,
>>>>> >> >
>>>>> >> > --
>>>>> >> > Andrew Lee Lissitz
>>>>> >> > all.from.nj_at_gmail.com
>>>>> >> >
>>>>> >> >
>>>>> >> > Blogs and organic groups at http://www.ccie.net
>>>>> >> >
>>>>> >> >
>>>>> >> > _______________________________________________________________________
>>>>> >> > Subscription information may be found at:
>>>>> >> > http://www.groupstudy.com/list/CCIELab.html
>>>>> >>
>>>>> >>
>>>>> >
>>>>> >
>>>>> > --
>>>>> > Regards,
>>>>> >
>>>>> > Joe Astorino - CCIE #24347 R&S
>>>>> > Technical Instructor - IPexpert, Inc.
>>>>> > Cell: +1.586.212.6107
>>>>> > Fax: +1.810.454.0130
>>>>> > Mailto: jastorino_at_ipexpert.com
>>>>> >
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Andrew Lee Lissitz
>>>>> all.from.nj_at_gmail.com
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Bryan Bartik
>>>> CCIE #23707 (R&S), CCNP
>>>> Sr. Support Engineer - IPexpert, Inc.
>>>> URL: http://www.IPexpert.com
>>>>
>>>
>>>
>>>
>>> --
>>> Andrew Lee Lissitz
>>> all.from.nj_at_gmail.com
>>>
>>
>>
>>
>> --
>> Bryan Bartik
>> CCIE #23707 (R&S), CCNP
>> Sr. Support Engineer - IPexpert, Inc.
>> URL: http://www.IPexpert.com
>>
>
>
>
> --
> Andrew Lee Lissitz
> all.from.nj_at_gmail.com
>

-- 
Andrew Lee Lissitz
all.from.nj_at_gmail.com
Received on Fri Sep 18 2009 - 09:22:11 ART
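
Added example, not part of the original thread or any participant's config: a small audit that finds where a VRF-lite router's static routes cross the VRF/global boundary, which is the "route leaking to global table" design discussed above and the point where VRF segmentation stops being isolation. The R5 config fragment, its interface names, addresses and prefixes are constructed for illustration; the two static-route forms it flags (a VRF route ending in `global`, and a global route that names a VRF-bound interface) are standard IOS syntax.

```python
# Constructed sample: running-config fragment for the thread's R5 (uplink to R1,
# one VRF per downstream router). Interface names and addresses are made up.
SAMPLE_R5 = """\
ip vrf CUST1
 rd 1:1
ip vrf CUST2
 rd 2:2
!
interface FastEthernet0/0
 ip address 10.1.15.5 255.255.255.0
!
interface FastEthernet0/1.4
 ip vrf forwarding CUST1
 ip address 10.1.45.5 255.255.255.0
!
interface FastEthernet0/1.6
 ip vrf forwarding CUST2
 ip address 10.1.56.5 255.255.255.0
!
ip route vrf CUST1 0.0.0.0 0.0.0.0 10.1.15.1 global
ip route 4.4.4.0 255.255.255.0 FastEthernet0/1.4 10.1.45.4
ip route vrf CUST2 6.6.6.0 255.255.255.0 10.1.56.6
"""

def interface_vrfs(config):
    """Map each interface to its VRF name; None means the global table."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            vrfs[current] = None
        elif line == "!":
            current = None
        elif line.startswith("ip vrf forwarding ") and current:
            vrfs[current] = line.split()[3]
    return vrfs

def find_leaks(config):
    """List static routes that cross the VRF/global boundary as (kind, vrf, prefix)."""
    vrfs, leaks = interface_vrfs(config), []
    for raw in config.splitlines():
        tok = raw.split()
        if tok[:2] != ["ip", "route"] or len(tok) < 5:
            continue
        if tok[2] == "vrf":
            if "global" in tok[6:]:  # VRF route, next hop resolved in the global table
                leaks.append(("vrf-to-global", tok[3], " ".join(tok[4:6])))
        elif vrfs.get(tok[4]):  # global route leaving via a VRF-bound interface
            leaks.append(("global-to-vrf", vrfs[tok[4]], " ".join(tok[2:4])))
    return leaks
```

In the sample, CUST1 is reachable from the global table in both directions while CUST2 has no leak entries, so only CUST2 is still isolated from everything upstream of R5.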
