Table Of Contents
Configuring MPLS Multi-VRF
(VRF-lite)Prerequisites for MPLS Multi-VRF
Restrictions with MPLS Multi-VRF
Overview of MPLS Multi-VRF Configuration
How to Configure MPLS Multi-VRF
Configuring a VPN Routing Session
Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is not the routing protocol)
Configuring BGP PE-to-CE Routing Sessions
Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is the routing protocol)
Displaying MPLS Multi-VRF Status
Configuration Example of MPLS Multi-VRF
Configuring MPLS Multi-VRF
(VRF-lite)
MPLS Multi-VRF provides the ability to configure and maintain more than one instance of a routing and forwarding table within the same CE router.
History of the MPLS Multi-VRF feature
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•Prerequisites for MPLS Multi-VRF
•Restrictions with MPLS Multi-VRF
•How to Configure MPLS Multi-VRF
•Displaying MPLS Multi-VRF Status
•Configuration Example of MPLS Multi-VRF
Prerequisites for MPLS Multi-VRF
The network's core and provider edge routers must be properly configured for MPLS VPN operation.
Restrictions with MPLS Multi-VRF
MPLS Multi-VRF can be configured only on Layer 3 interfaces.
MPLS Multi-VRF is not supported by IGRP nor ISIS.
Label distribution for a given VRF on a given router can be handled by either BGP or LDP, but not by both protocols.
Multicast cannot operate on a Layer 3 interface already configured with MPLS Multi-VRF.
Understanding MPLS Multi-VRF
Multi-VRF is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs. Multi-VRF uses input interfaces to distinguish routes for different VPNs, and forms virtual packet-forwarding tables by associating one or more Layer 3 interfaces with each VRF. Interfaces in a VRF can be either physical, such as Ethernet ports, or logical, such as VLAN SVIs (Switched Virtual Interfaces), but a Layer 3 interface cannot belong to more than one VRF at any one time. The Multi-VRF feature thus allows an operator to support two or more routing domains on a CE router, with each routing domain having its own set of interfaces and its own set of routing and forwarding tables. MPLS Multi-VRF makes it possible to extend the Label Switched Paths (LSPs) to the CE and into each routing domain that the CE supports.
MPLS Multi-VRF occurs through the activity of routers fulfilling the following roles:
•Each customer edge (CE) router advertises its site's local routes to a provider edge (PE) router, and learns the remote VPN routes from that PE router.
•PE routers exchange routing information with CE routers by using static routing or a routing protocol such as BGP, RIPv1, or RIPv2.
•PE routers exchange MPLS label information with CE routers through LDP or BGP.
•The PE needs to maintain VPN routes only for those VPNs to which it is directly attached, eliminating the requirement that the PE maintain all of the service provider's VPN routes. Each PE router maintains a VRF for each of its directly-connected sites. Two or more interfaces on a PE router can be associated with a single VRF if all the sites participate in the same VPN. Each VPN is mapped to a specified VRF. After learning local VPN routes from CEs, the PE router exchanges VPN routing information with other PE routers through internal BGP (IBPG).
With Multi-VRF, two or more customers can share one CE, and only one physical link is used between the CE and the PE. The shared CE maintains separate VRF tables for each customer, and routes packets for each customer based on that customer's own routing table. Multi-VRF thereby extends limited PE functionality to a CE device, giving it the ability, through the maintenance of separate VRF tables, to extend the privacy and security of a VPN to the branch office.
Figure 1 shows a configuration where each CE acts virtually as if it were two CEs. Because MPLS Multi-VRF is a Layer 3 feature, each interface associated with a VRF must be a Layer 3 interface.
Figure 1 Each CE router acting as several virtual CEs
Following is the packet-forwarding process in an MPLS Multi-VRF CE-enabled network, as illustrated in Figure 1:
•When the CE receives a packet from a VPN, it looks up the routing table based on the input interface. When a route is found, the CE imposes the MPLS label it received from the PE for that route and forwards the packet to the PE.
•When the ingress PE receives a packet from the CE, it swaps the incoming label with the corresponding label stack and sends it to the MPLS network.
•When an egress PE receives a packet from the network, it swaps the VPN label with the label it earlier had received for the route from the CE, and forwards it to the CE.
•When a CE receives a packet from an egress PE, it uses the incoming label on the packet to forward the packet to the correct VPN.
Overview of MPLS Multi-VRF Configuration
To configure Multi-VRF, you create a VRF table and then specify the Layer 3 interface associated with that VRF. Next, you configure the routing protocols within the VPN, and between the CE and the PE. BGP is the preferred routing protocol for distributing VPN routing information across the provider's backbone, for reasons that will be detailed in the section, How to Configure MPLS Multi-VRF.
The Multi-VRF network has three major components:
•VPN route target communities: These are lists of all other members of a VPN community. You need to configure VPN route targets for each VPN community member.
•Multiprotocol BGP peering of VPN community PE routers: This propagates VRF reachability information to all members of a VPN community. You need to configure BGP peering in all PE routers within a VPN community.
•VPN forwarding: This transports all traffic between VPN community members across a VPN service-provider network.
How to Configure MPLS Multi-VRF
Consider these points when configuring MPLS Multi-VRF in your network:
•A router with Multi-VRF is shared by several customers, and each customer has their own routing table(s).
•Because each customer uses a different VRF table, the same IP addresses can be reused. Overlapped IP addresses are allowed in different VPNs.
•MPLS Multi-VRF lets several customers share the same physical link between the PE and the CE. Trunk ports with several VLANs separate packets among the customers. Each customer has their own VLAN.
•For the PE router, there is no difference between using MPLS Multi-VRF or using several CEs. In Figure 2 for example, four virtual Layer 3 interfaces are connected to the MPLS Multi-VRF CE.
•MPLS Multi-VRF does not affect the packet switching rate.
•Most routing protocols can be used between the CE and the PE: BGP, OSPF, EIGRP, RIP, and static routing. However, we recommend using external BGP (eBGP) because:
–BGP does not require more than one algorithm to communicate with a multitude of CEs.
–BGP is designed to pass routing information between systems run by different administrations.
–BGP makes it easy to pass attributes of the routes to the CE.
•Furthermore, when BGP is used as the routing protocol, it can also be used to handle the MPLS label exchange between the PE and CE. By contrast, if OSPF, EIGRP, RIP or static routing is used, LDP must be used to signal labels.
•If you choose to use OSPF as the routing protocol between the PE and the CE, you should employ the capability vrf-lite subcommand under router ospf. How to do so is explained further in OSPF Support for Multi-VRF in CE Routers, Release 12.2(14)S.
The following sections present the sequence of commands required to configure Multi-VRF:
•First, set up each customer's VRFs on the CE and on the PE, as explained in the "Configuring VRFs" section.
•Then configure the routing protocol within the VPNs on the CE: Configuring a VPN Routing Session.
•Next, configure the routing protocol between the CE and PE. BGP is recommended, so its case is given in the "Configuring BGP PE-to-CE Routing Sessions" section. But other protocols, such as OSPF, RIP or EIGRP, and static routing could be used.
•Finally, establish the correct MPLS label exchange, (which differs according to the routing protocol you used in the previous sections); either:
–Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is the routing protocol)
or
–Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is not the routing protocol)
Configuring VRFs
VRFs must be configured on both the PE and the CE routers.
Default VRF Configuration
If no commands have yet been entered to specify a VRF, the system's default configuration is as detailed in Table 1.
Table 1 Default VRF Configuration
Restrictions
Multicast cannot be configured at the same time on the same Layer 3 interface as MPLS Multi-VRF.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip routing
4. ip vrf vrf-name
5. rd route-distinguisher
6. route-target {export | import | both} route-target-ext-community
7. import map route-map
8. exit
9. interface interface-id
10. ip vrf forwarding vrf-name
DETAILED STEPS
What to Do Next
To confirm that the VRF has been configured correctly, use the EXEC mode show ip vrf [brief | detail | interfaces] [vrf-name] command.
If the output display of that show command reveals everything to be alright, you can then choose to save the configuration by entering the copy running-config startup-config command.
Configuring a VPN Routing Session
Routing within the VPN can be configured on the CE router with any supported routing protocol (RIP, OSPF, or BGP), or with static routing. The configuration shown here is for OSPF, but the process is the same with other protocols.
Prerequisites
The VRF referred to in Step 3 of this section must have been configured correctly, as shown in the previous section, Configuring VRFs.
Restrictions
MPLS Multi-VRF is not supported by IGRP nor ISIS.
Multicast cannot be configured on the same Layer 3 interface as MPLS Multi-VRF.
SUMMARY STEPS
1. enable
2. configure terminal
3. router ospf process-id [vrf vrf-name]
4. log-adjacency-changes
5. redistribute bgp autonomous-system-number subnets
6. network network-number area area-id
DETAILED STEPS
What to Do Next
To confirm that the VPN routing has been configured correctly, use the EXEC mode show ip ospf process-id command.
If the output display of that show command reveals everything to be alright, you can then choose to save the configuration by entering the copy running-config startup-config command.
If you need to disassociate the VPN forwarding table from the OSPF routing process, use the no router ospf process-id vrf vpn-name global configuration command.
To complete your configuration of MPLS Multi-VRF in situations where you are not using BGP, continue on to the next section, Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is not the routing protocol). If, however, you will be using BGP, skip to the section called Configuring BGP PE-to-CE Routing Sessions.
Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is not the routing protocol)
If any protocol other than BGP is used for routing between the PE and the CE, LDP should be used to signal the labels on the PE and CE VRF interfaces, as shown here next.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface interface-id
4. mpls ip
DETAILED STEPS
What to Do Next
If you are not using BGP, you have completed your MPLS Multi-VRF configuration. To see all the steps in context, go to the "Configuration Example of MPLS Multi-VRF" section.
Configuring BGP PE-to-CE Routing Sessions
To configure a BGP PE-to-CE routing session, perform the task presented next on the CE and on the PE.
PSUMMARY STEPS
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. network network-number mask network-mask
5. redistribute ospf process-id match internal
6. network network-number area area-id
7. address-family ipv4 vrf vrf-name
8. neighbor {ip-address | peer-group-name} remote-as as-number
9. neighbor address activate
DETAILED STEPS
What to Do Next
To confirm that BGP has been correctly configured, use the EXEC mode show ip bgp vpnv4 vrf-name neighbors command.
If the output display of that show command reveals everything to be alright, you can then choose to save the configuration by entering the copy running-config startup-config command.
Because you are using BGP, continue on with the next section's procedure. (Had you used another routing protocol, you would not need to implement the next section— nor of course the current section either.)
Configuring PE-to-CE MPLS Forwarding and Signalling (when BGP is the routing protocol)
If BGP is used for routing anywhere between the PE and the CE, BGP should also be used to signal the labels on the VRF interfaces of both the CE and the PE routers. Doing so consists of two operations:
•At the router-configuration level: enabling MPLS label signalling via BGP (which is accomplished with the neighbor address send-label command);
•At the interface level: enabling MPLS forwarding on the interface used for the PE-CE eBGP session (which is done with the mpls bgp forwarding command).
Prerequisites
The PE-CE BGP neighbor must be correctly configured for IP.
The PE-CE interface must be correctly configured for IP forwarding.
SUMMARY STEPS
1. enable
2. configure terminal
3. router bgp autonomous-system-number
4. address-family ipv4 vrf vrf-name
5. neighbor address send-label
6. end
7. configure terminal
8. interface interface-id
9. mpls bgp forwarding
DETAILED STEPS
What to Do Next
You can save the configuration by entering the copy running-config startup-config command.
If you need to delete the BGP routing process, use the no router bgp autonomous-system-number global configuration command. However, if you want to delete only particular routing characteristics, enter the router bgp global configuration command, followed by the no form of the particular router configuration command which governs that characteristic.
Displaying MPLS Multi-VRF Status
To display information about MPLS Multi-VRF configuration and status, use any of the following commands:
•show ip bgp vpnv4 vrf labels, to display the BGP labels for the specified VRF.
•show ip protocols vrf, to display routing protocol information associated with the specified VRF.
•show ip route vrf, to display the IP routing table information associated with the specified VRF.
•show ip vrf, to display the set of VRFs and their associated interfaces.
•show mpls forwarding-table vrf, to display the MPLS forwarding entries associated with the specified VRF.
•show mpls ldp bindings vrf, to display LDP's label information base for the specified VRF.
Detailed information about each of these commands is given in the Cisco IOS MultiProtocol Label Switching Command Reference.
Configuration Example of MPLS Multi-VRF
The following example details the configuration on the CE, and on the PE-to-CE connections only, not on the PE-to-core connections because these latter are no different in Multi-VRF cases than in other cases.
Figure 2
MPLS Multi-VRF Configuration Example
On the PE Router
VRF Configuration
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip vrf v1Router(config-vrf)# rd 100:1Router(config-vrf)# route-target export 100:1Router(config-vrf)# route-target import 100:1Router(config-vrf)# exitRouter(config)# ip vrf v2Router(config-vrf)# rd 100:2Router(config-vrf)# route-target export 100:2Router(config-vrf)# route-target import 100:2Router(config-vrf)# exitConfiguring PE-CE connections using BGP for both routing and label exchange
Router(config)# router bgp 100Router(config-router)# address-family ipv4 vrf v2Router(config-router-af)# neighbor 83.0.0.8 remote-as 800Router(config-router-af)# neighbor 83.0.0.8 activateRouter(config-router-af)# neighbor 83.0.0.8 send-labelRouter(config-router-af)# exitRouter(config-router)# address-family ipv4 vrf vlRouter(config-router-af)# neighbor 38.0.0.8 remote-as 800Router(config-router-af)# neighbor 38.0.0.8 activateRouter(config-router-af)# neighbor 38.0.0.8 send-labelRouter(config-router-af)# endRouter# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface fastethernet3/0.10Router(config-if)# ip vrf forwarding v1Router(config-if)# ip address 38.0.0.3 255.255.255.0Router(config-if)# mpls bgp forwardingRouter(config-if)# exitRouter(config)# interface fastethernet3/0.20Router(config-if)# ip vrf forwarding v2Router(config-if)# ip address 83.0.0.3 255.255.255.0Router(config-if)# mpls bgp forwardingRouter(config-if)# exitConfiguring PE-CE connections using OSPF for routing, and LDP for label exchange
Router(config)# router ospf 100 vrf v1Router(config-router)# network 38.0.0.0 255.255.255.0 area 0Router(config-router)# exitRouter(config)# router ospf 101 vrf v2Router(config-router)# network 83.0.0.0 255.255.255.0 area 0Router(config-router)# exitRouter(config)# interface fastethernet3/0.10Router(config-if)# ip vrf forwarding v1Router(config-if)# ip address 38.0.0.3 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# exitRouter(config)# interface fastethernet3/0.20Router(config-if)# ip vrf forwarding v2Router(config-if)# ip address 83.0.0.3 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# exitOn the CE Router
VRF Configuration
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ip routingRouter(config)# ip vrf v11Router(config-vrf)# rd 800:1Router(config-vrf)# route-target export 800:1Router(config-vrf)# route-target import 800:1Router(config-vrf)# exitRouter(config)# ip vrf v12Router(config-vrf)# rd 800:2Router(config-vrf)# route-target export 800:2Router(config-vrf)# route-target import 800:2Router(config-vrf)# exitConfiguring CE VPN connections
Router(config)# interface fastethernet3/8Router(config-if)# ip vrf forwarding v11Router(config-if)# ip address 208.0.0.8 255.255.255.0Router(config-if)# exitRouter(config)# interface fastethernet3/7Router(config-if)# ip vrf forwarding v11Router(config-if)# ip address 108.0.0.8 255.255.255.0Router(config-if)# exitRouter(config)# interface fastethernet3/11Router(config-if)# ip vrf forwarding v12Router(config-if)# ip address 118.0.0.8 255.255.255.0Router(config-if)# exitRouter(config)# interface fastethernet3/3Router(config-if)# ip vrf forwarding v12Router(config-if)# ip address 168.0.0.8 255.255.255.0Router(config-if)# exitRouter(config)# router ospf 1 vrf v11Router(config-router)# network 208.0.0.0 255.255.255.0 area 0Router(config-router)# network 108.0.0.0 255.255.255.0 area 0Router(config-router)# exitRouter(config)# router ospf 2 vrf v12Router(config-router)# network 118.0.0.0 255.255.255.0 area 0Router(config-router)# network 1688.0.0.0 255.255.255.0 area 0Router(config-router)# exitNote: If BGP is being used for routing between the PE and CE, the BGP-learned routes from the PE can be redistributed into OSPF using the following commands:
Router(config)# router ospf 1 vrf v11Router(config-router)# redistribute bgp 800 subnetsRouter(config-router)# exitRouter(config)# router ospf 2 vrf v12Router(config-router)# redistribute bgp 800 subnetsRouter(config-router)# exitConfiguring PE-CE connections using BGP for both routing and label exchange
Router(config)# router bgp 800Router(config-router)# address-family ipv4 vrf v12Router(config-router-af)# neighbor 83.0.0.3 remote-as 100Router(config-router-af)# neighbor 83.0.0.3 activateRouter(config-router-af)# neighbor 83.0.0.3 send-labelRouter(config-router-af)# redistribute ospf 2 match internalRouter(config-router-af)# exitRouter(config-router)# address-family ipv4 vrf vl1Router(config-router-af)# neighbor 38.0.0.3 remote-as 100Router(config-router-af)# neighbor 38.0.0.3 activateRouter(config-router-af)# neighbor 38.0.0.3 send-labelRouter(config-router-af)# redistribute ospf 1 match internalRouter(config-router-af)# endRouter(config)# interface fastethernet3/0.10Router(config-if)# ip vrf forwarding v11Router(config-if)# ip address 38.0.0.8 255.255.255.0Router(config-if)# mpls bgp forwardingRouter(config-if)# exitRouter(config)# interface fastethernet3/0.20Router(config-if)# ip vrf forwarding v12Router(config-if)# ip address 83.0.0.8 255.255.255.0Router(config-if)# mpls bgp forwardingRouter(config-if)# exitConfiguring PE-CE connections using OSPF for routing, and LDP for label exchange
Router(config)# router ospf 1 vrf v11Router(config-router)# network 38.0.0.0 255.255.255.0 area 0Router(config-router)# exitRouter(config)# router ospf 2 vrf v12Router(config-router)# network 83.0.0.0 255.255.255.0 area 0Router(config-router)# exitRouter(config)# interface fastethernet3/0.10Router(config-if)# ip vrf forwarding v11Router(config-if)# ip address 38.0.0.3 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# exitRouter(config)# interface fastethernet3/0.20Router(config-if)# ip vrf forwarding v12Router(config-if)# ip address 83.0.0.3 255.255.255.0Router(config-if)# mpls ipRouter(config-if)# exitAdditional References
The following sections provide references related to MPLS Multi-VRF.
Related Documents
Related Topic Document TitleOSPF with Multi-VRF
OSPF Support for Unlimited Software VRFs per Provider Edge Router, Release 12.3(4)T
MPLS
Cisco IOS Multiprotocol Label Switching Command Reference
Cisco IOS Switching Services Command Reference, Release 12.3
BGP
Cisco IOS IP Command Reference, Volume 2: Routing Protocols, Release 12.3T
Cisco IOS IP Command Reference, Volume 2: Routing Protocols, Release 12.2
Technical Assistance
Command Reference
This feature uses no new or modified commands.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental
.
© 2006 Cisco Systems, Inc. All rights reserved.