Cisco 6500/Sup720-3B and VRF MPLS VPN

 
 
Mag
Guest
Posts: n/a
 
      02-04-2009
Hi

Does anyone know if it's possible, on a Sup720-3B, to use two VRFs
and create an MPLS VPN?

I have tested, but the routes in the VRFs are not distributed.

My configuration:

1 Cisco 6500 with Sup720-3B
1 Cisco 2611
1 Cisco 3745

The Cisco 2611 is connected to the 6500.
The Cisco 3745 is connected to the same 6500.

My problem:

The Cisco 6500 doesn't distribute the routes:


C3745-1#sh ip bgp sum
BGP router identifier BB.BB.BB.198, local AS number 8487
BGP table version is 4, main routing table version 4
2 network entries using 234 bytes of memory
2 path entries using 104 bytes of memory
3/1 BGP path/bestpath attribute entries using 372 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 710 total bytes of memory
BGP activity 3/0 prefixes, 6/4 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
BB.BB.BB.233 4 8487 8 8 4 0 0 00:00:07 2



C3745-1#sh ip bgp neighbors BB.BB.BB.233 advertised-routes
BGP table version is 6, local router ID is BB.BB.BB.198
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> BB.BB.BB.198/32 0.0.0.0 0 32768 ?
*> BB.BB.BB.232/30 0.0.0.0 0 32768 ?

Total number of prefixes 2


C3745-1#sh ip bgp neighbors BB.BB.BB.233 routes
BGP table version is 6, local router ID is BB.BB.BB.198
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
* iBB.BB.BB.232/30 BB.BB.BB.233 0 100 0 ?
*>iBB.BB.BB.236/30 BB.BB.BB.233 0 100 0 ?

Total number of prefixes 2
C3745-1.VEN01#




And the same on the 2611: it doesn't see the routes of the 3745.

Where is my error?

;;
;; Cisco 6500 Config
;;
Current configuration : 10873 bytes
!
upgrade fpd auto
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service counters max age 5
!
hostname c6506-1
!
boot-start-marker
boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXH3.bin
boot-end-marker
!
enable secret 5 XXX
!
no aaa new-model
call-home
alert-group configuration
alert-group diagnostic
alert-group environment
alert-group inventory
alert-group syslog
profile "CiscoTAC-1"
no active
no destination transport-method http
destination transport-method email
destination address email
destination address http
https://tools.cisco.com/its/service/...es/DDCEService
subscribe-to-alert-group diagnostic severity minor
subscribe-to-alert-group environment severity minor
subscribe-to-alert-group syslog severity major pattern ".*"
subscribe-to-alert-group configuration periodic monthly 16 16:46
subscribe-to-alert-group inventory periodic monthly 16 16:31
ip subnet-zero
!
!
!
ip vrf BI_C2621-1
rd 8487:30
route-target export 8487:100
route-target import 8487:100
!
ip vrf BI_C3745-1
rd 8487:31
route-target export 8487:100
route-target import 8487:100
!
mls netflow interface
no mls flow ip
no mls flow ipv6
mls cef error action reset
!
!
!
!
redundancy
keepalive-enable
mode sso
main-cpu
auto-sync running-config
spanning-tree mode pvst
spanning-tree extend system-id
diagnostic cns publish cisco.cns.device.diag_results
diagnostic cns subscribe cisco.cns.device.diag_commands
fabric timer 15
!
vlan internal allocation policy ascending
vlan access-log ratelimit 2000
!
interface FastEthernet2/3
description c3745-1 Interface Internet
ip vrf forwarding BI_C3745-1
ip address BB.BB.BB.233 255.255.255.252
speed 100
duplex full
!
interface FastEthernet2/6
description C2621-1 - Internet Interface
ip vrf forwarding BI_C2621-1
ip address BB.BB.BB.237 255.255.255.252
!
router bgp 8487
no synchronization
bgp log-neighbor-changes
neighbor MPBGP peer-group
neighbor MPBGP remote-as 8487
neighbor MPBGP update-source Loopback0
neighbor MPBGP next-hop-self
neighbor MPBGP send-community both
neighbor AA.BB.CC.4 peer-group MPBGP-MPBGP
no auto-summary
!
address-family vpnv4
neighbor MPBGP send-community extended
neighbor AA.BB.CC.4 activate
exit-address-family
!
address-family ipv4 vrf BI_C3745-1
redistribute connected
neighbor BB.BB.BB.234 remote-as 8487
neighbor BB.BB.BB.234 update-source FastEthernet2/3
neighbor BB.BB.BB.234 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf BI_C2621-1
redistribute connected
neighbor BB.BB.BB.238 remote-as 8487
neighbor BB.BB.BB.238 update-source FastEthernet2/6
neighbor BB.BB.BB.238 activate
no synchronization
exit-address-family
!
ip classless
!
!
control-plane



;;
;; Cisco 2611 Config
;;
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname C2621-1
!
enable secret 5 XXX
!
!
!
!
!
ip subnet-zero
ip cef
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.50.1 255.255.255.0
no ip directed-broadcast
speed auto
full-duplex
!
interface FastEthernet0/1
ip address BB.BB.BB.238 255.255.255.252
no ip directed-broadcast
duplex auto
speed auto
!
router bgp 8487
redistribute connected
neighbor BB.BB.BB.237 remote-as 8487
neighbor BB.BB.BB.237 update-source FastEthernet0/1
no auto-summary
!
no ip classless
no ip http server
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password XXXX
login
!
end




;;
;; Cisco 3745 Config
;;

Current configuration : 1668 bytes
!
! Last configuration change at 12:16:10 CEST Wed Feb 4 2009
! NVRAM config last updated at 08:39:58 CEST Wed Feb 4 2009
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C3745-1
!
boot-start-marker
boot system flash flash:c3745-adventerprisek9-mz.124-10.bin
boot-end-marker
!
enable secret 5 CCC
!
no aaa new-model
clock timezone CEST 2
ip cef
!
!
!
!
interface Loopback0
ip address BB.BB.BB.198 255.255.255.255
!
interface FastEthernet0/0
ip address BB.BB.BB.234 255.255.255.252
speed 100
full-duplex
!
interface FastEthernet0/1
ip address 192.168.51.1 255.255.255.0
full-duplex

router bgp 8487
no synchronization
bgp log-neighbor-changes
redistribute connected
neighbor BB.BB.BB.233 remote-as 8487
no auto-summary
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password XXX
login
!
end
 
 
 
 
 
Mag
Guest
Posts: n/a
 
      02-05-2009
Thrill5 wrote:
> "Mag" <> wrote in message
> news:4989e61a$0$12410$...
>> Hi
>>
>> Does anyone know if it's possible, on a Sup720-3B, to use two VRFs
>> and create an MPLS VPN?
>>
>> I have tested, but the routes in the VRFs are not distributed.
>>
>> My configuration:
>>
>> 1 Cisco 6500 with Sup720-3B
>> 1 Cisco 2611
>> 1 Cisco 3745
>>

<....>
>>
>>
>>
>> And the same on the 2611: it doesn't see the routes of the 3745.
>>
>>
>>
>> Where is my error?
>>

>
> The reason they don't see each other is because they are in different
> VRFs!!!! The entire point of a VRF is to create separate layer 3 routing
> instances. So you have the 6500 and the 3750 in one VRF, and the 6500 and
> the 2611 in another. The 6500 has three completely separate routing
> instances, the native one, VRF BI_C2621-1, VRF ip vrf BI_C3745-1. Imagine
> you have three 6500s, that are not interconnected in any way, now can you
> see why the 2611 can't see the 3750 and vice versa?


Hi

Thanks for your answer, but no, I don't understand why that doesn't work.

Yes, each VRF has a separate routing table, but on the 6500 I have:

ip vrf BI_C2621-1
rd 8487:30
route-target export 8487:100
route-target import 8487:100
!
ip vrf BI_C3745-1
rd 8487:31
route-target export 8487:100
route-target import 8487:100


You see that the route-target export/import are the same in all VRFs!

And the same config works perfectly with a Cisco 3640:


ip vrf DGS001
rd 65500:1
route-target export 65500:34
route-target import 65500:34
route-target import 65500:35
!
ip vrf DGS004
rd 65500:4
route-target export 65500:34
route-target import 65500:34
route-target import 65500:35

interface Serial0/1:0
ip vrf forwarding DGS001
ip address 172.20.2.249 255.255.255.252

interface Serial1/3:0
ip vrf forwarding DGS004
ip address 172.20.2.241 255.255.255.252
!

address-family ipv4 vrf DGS004
redistribute connected
neighbor 172.20.2.242 remote-as 65500
neighbor 172.20.2.242 activate
neighbor 172.20.2.242 as-override
no synchronization
exit-address-family
!
address-family ipv4 vrf DGS001
redistribute connected
neighbor 172.20.2.250 remote-as 65500
neighbor 172.20.2.250 activate
neighbor 172.20.2.250 as-override
no synchronization
exit-address-family


This config works ... VRF DGS004 sees DGS001
 
 
 
 
 
Thrill5
Guest
Posts: n/a
 
      02-05-2009

"Mag" <> wrote in message
news:498a632c$0$4988$...
> Thrill5 wrote:
>> "Mag" <> wrote in message
>> news:4989e61a$0$12410$...
>>> Hi
>>>
>>> Does anyone know if it's possible, on a Sup720-3B, to use two VRFs
>>> and create an MPLS VPN?
>>>
>>> I have tested, but the routes in the VRFs are not distributed.
>>>
>>> My configuration:
>>>
>>> 1 Cisco 6500 with Sup720-3B
>>> 1 Cisco 2611
>>> 1 Cisco 3745
>>>

> <....>
>>>
>>>
>>>
>>> And the same on the 2611: it doesn't see the routes of the 3745.
>>>
>>>
>>>
>>> Where is my error?
>>>

>>
>> The reason they don't see each other is because they are in different
>> VRFs!!!! The entire point of a VRF is to create separate layer 3 routing
>> instances. So you have the 6500 and the 3750 in one VRF, and the 6500
>> and the 2611 in another. The 6500 has three completely separate routing
>> instances, the native one, VRF BI_C2621-1, VRF ip vrf BI_C3745-1.
>> Imagine you have three 6500s, that are not interconnected in any way,
>> now can you see why the 2611 can't see the 3750 and vice versa?

>
> Hi
>
> Thanks for your answer, but no, I don't understand why that doesn't work.
>
> Yes, each VRF has a separate routing table, but on the 6500 I have:
>
> ip vrf BI_C2621-1
> rd 8487:30
> route-target export 8487:100
> route-target import 8487:100
> !
> ip vrf BI_C3745-1
> rd 8487:31
> route-target export 8487:100
> route-target import 8487:100
>
>
> You see that the route-target export/import are the same in all VRFs!
>
> And the same config works perfectly with a Cisco 3640:
>


My guess is that the reason it works on the 3640 is because of a very
serious bug with severe security implications. The entire reason for using
VRFs is to keep routing instances completely separate.


 
 
bod43
Guest
Posts: n/a
 
      02-06-2009
On 5 Feb, 20:57, "Thrill5" <nos...@somewhere.com> wrote:

> My guess is that the reason it works on the 3640 is because of a very
> serious bug with severe security implications. The entire reason for using
> VRFs is to keep routing instances completely separate.


Regarding "completely separate":-

I have been reading about MPLS VPNs recently and
am far from clueful, however -

I got the idea that while different VRFs were separate
by default (let's say), it was possible to configure
leakage. This could be useful, for example, for
a network service provider who also wanted to
provide, say, email or file store or other centralised
services to a number of customers.

 
Reply With Quote
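Added example, not written by any poster in this thread: a short Python audit that parses `ip vrf` stanzas and lists every ordered VRF pair where one VRF imports a route target the other exports, which is the condition under which VPNv4 routes are eligible to cross between them. The stanzas are copied from the 6500 and 3640 configs quoted above as constructed input; the function names `parse_vrfs` and `leak_pairs` are this example's own.

```python
import re
from itertools import permutations

# Constructed input: the "ip vrf" stanzas as quoted in this thread.
CONFIG_6500 = """\
ip vrf BI_C2621-1
rd 8487:30
route-target export 8487:100
route-target import 8487:100
!
ip vrf BI_C3745-1
rd 8487:31
route-target export 8487:100
route-target import 8487:100
"""
CONFIG_3640 = """\
ip vrf DGS001
rd 65500:1
route-target export 65500:34
route-target import 65500:34
route-target import 65500:35
!
ip vrf DGS004
rd 65500:4
route-target export 65500:34
route-target import 65500:34
route-target import 65500:35
"""

def parse_vrfs(config):
    """Map each VRF name to its export/import route-target sets."""
    vrfs, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"ip vrf (\S+)", line):
            cur = vrfs.setdefault(m[1], {"export": set(), "import": set()})
        elif line == "!":
            cur = None  # "!" closes the stanza
        elif cur is not None and (m := re.fullmatch(r"route-target (export|import|both) (\S+)", line)):
            for side in ("export", "import") if m[1] == "both" else (m[1],):
                cur[side].add(m[2])
    return vrfs

def leak_pairs(vrfs):
    """(src, dst, shared RTs) for each ordered pair where dst imports an RT that src exports."""
    pairs = ((s, d, vrfs[s]["export"] & vrfs[d]["import"]) for s, d in permutations(sorted(vrfs), 2))
    return [(s, d, sorted(rts)) for s, d, rts in pairs if rts]

if __name__ == "__main__":
    for label, cfg in (("6500", CONFIG_6500), ("3640", CONFIG_3640)):
        print(label, leak_pairs(parse_vrfs(cfg)))
```

An empty result for a device means its VRF definitions declare no shared route targets; any pair listed is a place where isolation depends on the RT policy being intentional.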
 
 
 