[c-nsp] VRF-lite question on RD's
I have 3 VRFs on a CE router:

  ip vrf xxx-General
   rd 1:10
   route-target export 1:10
   route-target import 1:10
  !
  ip vrf xxx-Guest
   rd 1:30
   route-target export 1:30
   route-target import 1:30
  !
  ip vrf xxx-Voice
   rd 1:20
   route-target export 1:20
   route-target import 1:20

I just got 3 new VRFs from the ISP configured, and I'm wondering what numbers I need to have for the 'rd' and 'route-target xxport' commands...? Are these arbitrary, do they come from the ISP, or can I just use 40, 50, and 60?

Thanks,
chris

___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] VRF-lite question on RD's
My guess is they are doing vrf-lite and using frame-relay or dot1q to bring these 3 VRFs to you. Which means the RDs (used for MPLS L3VPNs) are only locally significant in the case of vrf-lite and are arbitrary numbers. It would be nice if Cisco didn't require RDs for vrf-lite, because they serve no purpose.

The import and export statements in vrf-lite also serve no purpose, but they are also not required. Interesting that they exist in the config.

As long as no interfaces are configured with 'mpls ip' and you don't have an 'address-family vpnv4' configured under BGP, those values are meaningless outside of the local router.

HTH,
Brandon

On Thu, Apr 2, 2009 at 9:59 AM, ChrisSerafin ch...@chrisserafin.com wrote:
> I have 3 VRF's on a CE router:
> [...]
> I just got 3 new VRF's from the ISP confgured, and I'm wondering what numbers I need to have for the 'rd' and 'route-target xxport' commands...? Are these arbitrary, come from the ISP, or can I just use 40, 50, and 60?
Re: [c-nsp] VRF-lite question on RD's
> I just got 3 new VRF's from the ISP confgured, and I'm wondering what numbers I need to have for the 'rd' and 'route-target xxport' commands...? Are these arbitrary, come from the ISP, or can I just use 40, 50, and 60?

As long as you're using VRF-lite and not full MPLS, they are arbitrary in the sense that they're not part of any protocol between you and the ISP.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: [c-nsp] VRF-lite question on RD's
ChrisSerafin wrote on Thursday, April 02, 2009 17:59:
> I have 3 VRF's on a CE router:
> [...]
> I just got 3 new VRF's from the ISP confgured, and I'm wondering what numbers I need to have for the 'rd' and 'route-target xxport' commands...? Are these arbitrary, come from the ISP, or can I just use 40, 50, and 60?

In a vrf-lite environment, RDs are local to the router, so you can pick any (as long as it's unique on the router).

You only need route-target if you're running BGP on the node to leak routes from one VRF to another. It doesn't look like you're doing any leaking, so I don't think you need any route-targets.

oli
Re: [c-nsp] VRF-lite question on RD's
I spoke too soon. I found this right after posting:
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.1/20ew/configuration/guide/vrf.pdf

  Switch(config-vrf)# rd route-distinguisher
    Creates a VRF table by specifying a route distinguisher. Enter either an AS number and an arbitrary number (xxx:y) or an IP address and arbitrary number (A.B.C.D:y).

  Step 5  Switch(config-vrf)# route-target {export | import | both} route-target-ext-community
    Creates a list of import, export, or import and export route target communities for the specified VRF. Enter either an AS system number and an arbitrary number (xxx:y) or an IP address and an arbitrary number (A.B.C.D:y).
    Note: This command is effective only if BGP is running.

  Step 6  Switch(config-vrf)# import map route-map
    (Optional) Associates a route map with the VRF.

I just added different numbers and they came right up. THANKS!

Brandon Bennett wrote:
> My guess is they are doing vrf-lite and using frame-relay or dot1q to bring these 3 VRFs to you. Which means the RD (used for MPLS L3VPNs) are only locally significant in the case of vrf-lite and are arbitrary numbers.
> [...]
Re: [c-nsp] VRF-lite question on RD's
Oliver Boehmer (oboehmer) wrote:
> In a vrf-lite environment, RDs are local to the router, so you can pick any (as long as it's unique on the router).
> you only need route-target if you're running BGP on the node to leak routes from one VRF to another.. doesn't look like you're doing any leaking, so I don't think you need any route-targets

Excellent explanation, thank you!
[c-nsp] vrf-lite question
Hello

I've been playing with vrf-lite in dynamips and I've hit a problem. I have 4 routers and 3 VRFs (cust1, cust2 and GW) configured on R0:

  R1---R0---R2
        |
        |
        |
        R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2. The problem I'm having is that cust1 can reach cust2 via GW and vice versa. I'm using OSPF and BGP to redistribute, but I do not know how to stop the customer VRFs from seeing each other. They do need internet access via GW, which will be performing NAT and allowing inbound IPsec connections to the different VRFs (R4 will be a Netscreen firewall in the data-centre).

  ip vrf cust1
   rd 172.16.1.1:100
   route-target export 172.16.1.1:100
   route-target import 172.16.1.1:100
   route-target import 10.254.254.254:300
  !
  ip vrf cust2
   rd 172.16.2.1:200
   route-target export 172.16.2.1:200
   route-target import 172.16.2.1:200
   route-target import 10.254.254.254:300
  !
  ip vrf juniperGW
   rd 10.254.254.254:300
   route-target export 10.254.254.254:300
   route-target import 10.254.254.254:300
   route-target import 172.16.1.1:100
   route-target import 172.16.2.1:200
  !
  interface FastEthernet1/0
   description link to R1
   ip vrf forwarding cust1
   ip address 172.16.1.254 255.255.255.0
   duplex half
  !
  interface FastEthernet2/0
   description link to R2
   ip vrf forwarding cust2
   ip address 172.16.2.254 255.255.255.0
   duplex half
  !
  interface FastEthernet3/0
   description link to R3
   ip address 172.16.254.1 255.255.255.252
   duplex half
  !
  interface FastEthernet4/0
   description juniper gateway to internet
   ip vrf forwarding juniperGW
   ip address 10.254.254.254 255.255.255.0
   duplex half
  !
  router ospf 11 vrf cust1
   log-adjacency-changes
   capability vrf-lite
   network 172.16.1.0 0.0.0.255 area 11
  !
  router ospf 12 vrf cust2
   log-adjacency-changes
   capability vrf-lite
   network 172.16.2.0 0.0.0.255 area 12
  !
  router ospf 1
   log-adjacency-changes
   redistribute connected subnets
   redistribute static subnets
   passive-interface default
   no passive-interface FastEthernet3/0
   network 172.16.254.0 0.0.0.255 area 0
  !
  router ospf 10 vrf juniperGW
   log-adjacency-changes
   capability vrf-lite
   network 10.254.254.0 0.0.0.255 area 10
  !
  router bgp 65400
   no synchronization
   bgp router-id 10.10.254.254
   bgp log-neighbor-changes
   no auto-summary
   !
   address-family ipv4 vrf juniperGW
    redistribute ospf 10
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family ipv4 vrf cust2
    redistribute ospf 12
    no auto-summary
    no synchronization
   exit-address-family
   !
   address-family ipv4 vrf cust1
    redistribute ospf 11
    no auto-summary
    no synchronization
   exit-address-family
  !
  ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
  ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in each VRF, and the Netscreen will provide internet access and VPN to other sites where we do not terminate the ADSL.

Thanks for your time

Wayne
Re: [c-nsp] vrf-lite question
Use an export map on the GW to only export the routes for GW and not the other custs.

Ben

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wayne Lee
Sent: Tuesday, 11 November 2008 10:11 AM
To: cisco-nsp@puck.nether.net
Subject: [c-nsp] vrf-lite question

> I've been playing with vrf-lite in dynamips and I've hit a problem. I have 4 routers and 3 vrf's (cust1, cust 2 and GW) configured on R0
> [...]
> cust1 and cust2 import from GW and GW imports from cust1 and cust2. The problem I'm having is that cust1 can reach cust2 via GW and vice-versa. I'm using OSPF and BGP to redistribute but I do not know how to stop the customer VRF's from seeing each other, they do need internet access via GW which will be performing NAT and allow inbound ipsec connections to the different VRF's (R4 will be a Netscreen firewall in the data-centre)
> [...]
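Both threads come down to what the rd and route-target lines actually do on a VRF-lite box: the RD only has to be unique on the router, and route-targets only move routes when BGP is redistributing between VRFs. The script below is an added example, not code from either thread or from Cisco. It parses the "ip vrf" stanzas from Wayne's config (the VRF values are his; the parser, the check names and the duplicate-RD sample are this example's own), flags any RD reused across VRFs, and derives from the import/export lists alone which VRF would receive which other VRF's routes. It looks only at route-targets: the static default routes toward 10.254.254.253 and whatever the firewall does with the traffic are outside what it models.

```python
"""VRF-lite RD / route-target checker (added example, not from the thread).

Parses Cisco IOS "ip vrf" stanzas, checks that every RD is unique on the box
(RDs are only locally significant in VRF-lite, but IOS still wants a distinct
one per VRF) and derives, from the route-target lists alone, which VRF's
exported routes each VRF would import if BGP were carrying them.
"""
import re
from collections import defaultdict

# Constructed sample: the three VRF stanzas from Wayne's R0 config, verbatim.
SAMPLE_CONFIG = """\
ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200
!
"""

# IOS accepts "ASN:nn" or "A.B.C.D:nn" for both rd and route-target values.
_RD_RT = re.compile(r"^(?:\d+|\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def parse_vrfs(config):
    """Return {vrf_name: {"rd": str|None, "export": set, "import": set}}."""
    vrfs = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":             # end of the current stanza
            current = None
            continue
        m = re.match(r"^ip vrf (\S+)$", line)
        if m:
            current = m.group(1)
            vrfs[current] = {"rd": None, "export": set(), "import": set()}
            continue
        if current is None:         # not inside an "ip vrf" stanza
            continue
        m = re.match(r"^rd (\S+)$", line)
        if m:
            if not _RD_RT.match(m.group(1)):
                raise ValueError(f"{current}: malformed rd {m.group(1)!r}")
            vrfs[current]["rd"] = m.group(1)
            continue
        m = re.match(r"^route-target (export|import|both) (\S+)$", line)
        if m:
            kind, rt = m.groups()
            if not _RD_RT.match(rt):
                raise ValueError(f"{current}: malformed route-target {rt!r}")
            for key in (("export", "import") if kind == "both" else (kind,)):
                vrfs[current][key].add(rt)
    return vrfs


def duplicate_rds(vrfs):
    """{rd: [vrf names]} for any RD used by more than one VRF on this router."""
    users = defaultdict(list)
    for name, v in vrfs.items():
        if v["rd"] is not None:
            users[v["rd"]].append(name)
    return {rd: names for rd, names in users.items() if len(names) > 1}


def visibility(vrfs):
    """{importer: set of exporters}: B is in visibility[A] when A imports at
    least one RT that B exports, so A's BGP table would carry B's routes."""
    return {
        a: {b for b, vb in vrfs.items() if b != a and va["import"] & vb["export"]}
        for a, va in vrfs.items()
    }


if __name__ == "__main__":
    vrfs = parse_vrfs(SAMPLE_CONFIG)
    for rd, names in duplicate_rds(vrfs).items():
        print(f"duplicate rd {rd} on {', '.join(names)}")
    for a, seen in sorted(visibility(vrfs).items()):
        print(f"{a:10s} imports routes exported by: "
              f"{', '.join(sorted(seen)) or '(none)'}")
```

On Wayne's stanzas the RDs are all distinct and the route-target relationships are hub-and-spoke: cust1 and cust2 each import only what juniperGW exports, and juniperGW imports both customers. Running the same check against a config where two VRFs share an rd reports the clash before IOS does.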