Multiple VRF on One Customer Site

February 10, 2009

In an MPLS VPN implementation, every interface belongs to just one VRF. For some reason, our customer, named XYZ, may need more than one VPN for their networks. For example, they want to separate the Accounting and Manufacture Department networks into different VPNs.

To accomplish this requirement, we can apply one of the solutions below:

  • Using Subinterface
  • Using VRF-Select
  • Using interface Tunnel and VRF-Lite

In this article, we will use the third solution: an interface tunnel and VRF-Lite. Note that we are already using one VRF for customer XYZ, applied to interface FastEthernet1/0 on the PE router. This existing VRF is converted to VRF XYZ-ACCT for the Accounting Department VPN.

For the Manufacture Department VPN, we use a tunnel interface that originates from the Loopback0 interface on the CE-XYZ router and terminates at the Loopback127 interface on the PE router. The loopback interfaces belong to the existing VRF (XYZ-ACCT), but the tunnel interface itself belongs to the new VRF, XYZ-MANF (for the Manufacture Department).

[Figure: multiple-vrf]

1. Existing Configuration with VRF XYZ-ACCT

Below is the existing configuration on the C-XYZ-MANF, C-XYZ-ACCT, CE-XYZ and PE routers:

hostname C-XYZ-MANF
!
interface FastEthernet0/0
ip address 192.168.11.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.11.1

hostname C-XYZ-ACCT
!
interface FastEthernet0/0
ip address 192.168.10.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.10.1

hostname CE-XYZ
!
interface FastEthernet1/0
ip address 192.168.10.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 192.168.1.2

hostname PE
!
ip cef
ip vrf XYZ-ACCT
rd 100:101
route-target export 100:101
route-target import 100:101
!
interface FastEthernet1/0
ip vrf forwarding XYZ-ACCT
ip address 192.168.1.2 255.255.255.0
!
ip classless
ip route vrf XYZ-ACCT 192.168.10.0 255.255.255.0 192.168.1.1

2. Create VRF-Lite on CE-XYZ Router:

Create VRF XYZ-ACCT and apply it to the interfaces connected to the PE and the C-XYZ-ACCT router. Create a default static route for VRF XYZ-ACCT.

ip vrf XYZ-ACCT
!
interface FastEthernet1/0
ip vrf forwarding XYZ-ACCT
ip address 192.168.10.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet2/0
ip vrf forwarding XYZ-ACCT
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
!
ip route vrf XYZ-ACCT 0.0.0.0 0.0.0.0 192.168.1.2

Verify the connection:

CE-XYZ#ping v XYZ-ACCT 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/36/48 ms

C-XYZ-ACCT#ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/46/72 ms

3. Create Tunnel interface at CE-XYZ and PE for new VRF

Add a new VRF for the XYZ Manufacture Department on the PE router. Use a loopback interface that belongs to VRF XYZ-ACCT as the tunnel source. Apply the new VRF (XYZ-MANF) to the tunnel interface.

ip vrf XYZ-MANF
rd 100:100
route-target export 100:100
route-target import 100:100
!
interface Loopback127
ip vrf forwarding XYZ-ACCT
ip address 192.168.127.2 255.255.255.255
no ip directed-broadcast
!
interface Tunnel1
ip vrf forwarding XYZ-MANF
ip address 192.168.2.2 255.255.255.0
no ip directed-broadcast
tunnel source Loopback127
tunnel destination 192.168.127.1
tunnel vrf XYZ-ACCT

On the CE-XYZ router, add the new VRF, then apply it to the tunnel interface. The tunnel interface uses a loopback interface that belongs to VRF XYZ-ACCT as its tunnel source:

ip vrf XYZ-MANF
!
interface Loopback0
ip vrf forwarding XYZ-ACCT
ip address 192.168.127.1 255.255.255.255
!
interface Tunnel1
ip vrf forwarding XYZ-MANF
ip address 192.168.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination 192.168.127.2
tunnel vrf XYZ-ACCT

Verify the Tunnel interfaces:

PE#sh ip int br | i Tun
Tunnel1 192.168.2.2 YES manual up up
PE#sh ip vrf int | i Tu
Tu1 192.168.2.2 XYZ-MANF up
PE#ping vrf XYZ-MANF 192.168.2.1
Sending 5, 100-byte ICMP Echos to 192.168.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/43/92 ms

CE-XYZ#sh ip int br | i Tun
Tunnel1 192.168.2.1 YES manual up up
CE-XYZ#sh ip vrf int | i Tu
Tu1 192.168.2.1 XYZ-MANF up
CE-XYZ#ping vrf XYZ-MANF 192.168.2.2
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 16/32/48 ms

Add a default static route for VRF XYZ-MANF on the CE-XYZ router. Use the PE tunnel interface IP address as the next hop.

ip route vrf XYZ-MANF 0.0.0.0 0.0.0.0 192.168.2.2

4. Apply VRF-Lite for the Manufacture VPN to the interface

hostname CE-XYZ
!
interface FastEthernet0/0
ip vrf forwarding XYZ-MANF
ip address 192.168.11.1 255.255.255.0
duplex auto
speed auto

CE-XYZ#sh ip vrf XYZ-MANF
  Name                             Default RD          Interfaces
  XYZ-MANF                         <not set>           Tu1
                                                       Fa0/0
CE-XYZ#

For verification purposes, create a new loopback interface on the PE router and apply VRF XYZ-MANF to it.

PE#sh run int lo 11
!
interface Loopback11
ip vrf forwarding XYZ-MANF
ip address 192.168.111.11 255.255.255.255
no ip directed-broadcast
end

Add a static IP route on the PE router to the back-to-back network between C-XYZ-MANF and CE-XYZ:

ip route vrf XYZ-MANF 192.168.11.0 255.255.255.0 192.168.2.1

Verify the connection from the C-XYZ-MANF router:

C-XYZ-MANF#ping 192.168.2.2
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/59/128 ms
C-XYZ-MANF#ping 192.168.111.11
Sending 5, 100-byte ICMP Echos to 192.168.111.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/74/108 ms
C-XYZ-MANF#traceroute 192.168.111.11
Tracing the route to 192.168.111.11
1 192.168.11.1 76 msec 40 msec 24 msec
2 192.168.2.2 12 msec * 176 msec
C-XYZ-MANF#
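
An added example, not part of the original post: a Python check over the CE-XYZ configuration built in steps 2 and 3 (trimmed and indented here as constructed sample input). It reports a tunnel whose `tunnel vrf` differs from the VRF of its source loopback, and a VRF static route whose next hop is not on a connected network in the same VRF. The names `parse` and `audit` are illustrative.

```python
import ipaddress

# Constructed sample: CE-XYZ lines from steps 2 and 3 that the checks read.
CE_XYZ = """\
interface Loopback0
 ip vrf forwarding XYZ-ACCT
 ip address 192.168.127.1 255.255.255.255
interface Tunnel1
 ip vrf forwarding XYZ-MANF
 ip address 192.168.2.1 255.255.255.0
 tunnel source Loopback0
 tunnel vrf XYZ-ACCT
interface FastEthernet2/0
 ip vrf forwarding XYZ-ACCT
 ip address 192.168.1.1 255.255.255.0
ip route vrf XYZ-ACCT 0.0.0.0 0.0.0.0 192.168.1.2
ip route vrf XYZ-MANF 0.0.0.0 0.0.0.0 192.168.2.2
"""

def parse(config):
    """Return ({interface: attributes}, [(vrf, next_hop)]) for an IOS config."""
    ifaces, routes, cur = {}, [], {}  # cur starts as a throwaway dict
    for w in map(str.split, config.splitlines()):
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {"vrf": None})
        elif w[:3] == ["ip", "route", "vrf"]:
            routes.append((w[3], ipaddress.ip_address(w[6])))
        elif w[:3] == ["ip", "vrf", "forwarding"]:
            cur["vrf"] = w[3]
        elif w[:2] == ["ip", "address"]:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:1] == ["tunnel"]:
            cur["tunnel " + w[1]] = w[2]
    return ifaces, routes

def audit(config):
    """List places where a tunnel or static route crosses a VRF boundary."""
    ifaces, routes = parse(config)
    findings = []
    for name, a in ifaces.items():
        # Transport VRF (tunnel vrf) should be the VRF of the source loopback.
        src_vrf = ifaces.get(a.get("tunnel source"), {}).get("vrf")
        if "tunnel source" in a and a.get("tunnel vrf") != src_vrf:
            findings.append(f"{name}: tunnel vrf != VRF of {a['tunnel source']}")
    for vrf, hop in routes:
        # The next hop must sit on a connected network inside the same VRF.
        nets = [i["net"] for i in ifaces.values() if i["vrf"] == vrf and "net" in i]
        if not any(hop in n for n in nets):
            findings.append(f"route in {vrf}: next hop {hop} not connected in that VRF")
    return findings
```

`audit(CE_XYZ)` returns an empty list for the configuration as built in this article; pointing the XYZ-MANF default route at the Accounting next hop 192.168.1.2 produces a finding.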