Cart
MPLS VPN – VRF Selection based on source IP address
In this post, we will look at pretty cool feature that allows PE routers to separate a VRF from the interface. In other words, multiple VRFs can exist on an interface, segmented based on source IP address, without using subinterfaces. This example uses 7200 routers running 12.2S code. At the time of this writing, only the S train supported this feature (according to the Cisco Feature Navigator).
Here is the topology
On PE2 we simulate two customers’ networks as follows:
interface Loopback100 ip vrf forwarding VPNA ip address 192.168.1.2 255.255.255.255 ! interface Loopback101 ip vrf forwarding VPNB ip address 172.16.1.2 255.255.255.255 The VPNv4 session is configured as normal, so that the following appear on PE1: PE1#sho ip bgp vpnv4 all | beg Network Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:1 (default for vrf VPNA) *>i192.168.1.2/32 10.1.1.3 0 100 0 i Route Distinguisher: 100:2 (default for vrf VPNB) *>i172.16.1.2/32 10.1.1.3 0 100 0 i
The first thing we do is define the source selection criteria on PE1:
PE1(config)#vrf selection source 192.168.1.1 255.255.255.255 vrf VPNA PE1(config)#vrf selection source 172.16.1.1 255.255.255.255 vrf VPNB
Next we configure the PE interface to use source selection. There is no need for the “ip vrf forwarding” command on the interface.
PE1(config)#int s1/1 PE1(config-if)#ip vrf ? forwarding Configure forwarding table receive Add Interface Address into VRF Table select Enable VRF selection sitemap Configure route-map for routes received from this site PE1(config-if)#ip vrf select source PE1(config-if)#ip vrf receive VPNA PE1(config-if)#ip vrf receive VPNB
The last things we need to configure are static routes on PE1 that tell the router where to send packets for the CE networks. Then we must redistribute the static routes into BGP so PE2 learns them:
PE1(config)#ip route vrf VPNA 192.168.1.1 255.255.255.255 192.168.0.1 PE1(config)#ip route vrf VPNB 172.16.1.1 255.255.255.255 192.168.0.1 PE1(config)#router bgp 100 PE1(config-router)#address-family ipv4 vrf VPNA PE1(config-router-af)#redistribute static PE1(config-router-af)#address-family ipv4 vrf VPNB PE1(config-router-af)#redistribute static
Let’s have a look at PE2 before we test:
PE2#sho ip bgp vpnv4 all | begin Net Network Next Hop Metric LocPrf Weight Path Route Distinguisher: 100:1 (default for vrf VPNA) *>i192.168.1.1/32 10.1.1.1 0 100 0 ? *> 192.168.1.2/32 0.0.0.0 0 32768 i Route Distinguisher: 100:2 (default for vrf VPNB) *>i172.16.1.1/32 10.1.1.1 0 100 0 ? *> 172.16.1.2/32 0.0.0.0 0 32768 i PE2#
Looks good. Now let’s ping from CE1 while specifying a source address:
CE1#ping 192.168.1.2 sou lo 100 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds: Packet sent with a source address of 192.168.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 16/40/60 ms CE1#ping 172.16.1.2 source lo 101 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds: Packet sent with a source address of 172.16.1.1 !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 24/48/92 ms
Regards, Bryan (Post Written by Bryan Bartik)
Very nicely explain….
Thank you for this article