Cisco 6500/Sup720-3B and VRF MPLS VPN

Hi

Does anyone know if it's possible, on a Sup720-3B, to use two VRFs and create an MPLS VPN?

I have tested, but the routes in the VRF are not distributed.

My configuration:

1 Cisco 6500 with Sup720-3B
1 Cisco 2611
1 Cisco 3745

The Cisco 2611 is connected to the 6500.
The Cisco 3745 is connected to the same 6500.

My problems:

The Cisco 6500 doesn't distribute the route:

    C3745-1#sh ip bgp sum
    BGP router identifier BB.BB.BB.198, local AS number 8487
    BGP table version is 4, main routing table version 4
    2 network entries using 234 bytes of memory
    2 path entries using 104 bytes of memory
    3/1 BGP path/bestpath attribute entries using 372 bytes of memory
    0 BGP route-map cache entries using 0 bytes of memory
    0 BGP filter-list cache entries using 0 bytes of memory
    BGP using 710 total bytes of memory
    BGP activity 3/0 prefixes, 6/4 paths, scan interval 60 secs

    Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
    BB.BB.BB.233    4  8487       8       8        4    0    0 00:00:07        2

    C3745-1#sh ip bgp neighbors BB.BB.BB.233 advertised-routes
    BGP table version is 6, local router ID is BB.BB.BB.198
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network            Next Hop        Metric LocPrf Weight Path
    *> BB.BB.BB.198/32    0.0.0.0              0         32768 ?
    *> BB.BB.BB.232/30    0.0.0.0              0         32768 ?

    Total number of prefixes 2

    C3745-1#sh ip bgp neighbors BB.BB.BB.233 routes
    BGP table version is 6, local router ID is BB.BB.BB.198
    Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
                  r RIB-failure, S Stale
    Origin codes: i - IGP, e - EGP, ? - incomplete

       Network            Next Hop        Metric LocPrf Weight Path
    * iBB.BB.BB.232/30    BB.BB.BB.233         0    100      0 ?
    *>iBB.BB.BB.236/30    BB.BB.BB.233         0    100      0 ?

    Total number of prefixes 2
    C3745-1.VEN01#

And the same on the 2611: it doesn't see the route of the 3745.

Where is my error?

    ;;
    ;; Cisco 6500 Config
    ;;
    Current configuration : 10873 bytes
    !
    upgrade fpd auto
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    service counters max age 5
    !
    hostname c6506-1
    !
    boot-start-marker
    boot system flash disk1:s72033-adventerprisek9_wan-mz.122-33.SXH3.bin
    boot-end-marker
    !
    enable secret 5 XXX
    !
    no aaa new-model
    call-home
     alert-group configuration
     alert-group diagnostic
     alert-group environment
     alert-group inventory
     alert-group syslog
     profile "CiscoTAC-1"
      no active
      no destination transport-method http
      destination transport-method email
      destination address email snipped-for-privacy@cisco.com
      destination address http <URL not preserved>
      subscribe-to-alert-group diagnostic severity minor
      subscribe-to-alert-group environment severity minor
      subscribe-to-alert-group syslog severity major pattern ".*"
      subscribe-to-alert-group configuration periodic monthly 16 16:46
      subscribe-to-alert-group inventory periodic monthly 16 16:31
    ip subnet-zero
    !
    !
    !
    ip vrf BI_C2621-1
     rd 8487:30
     route-target export 8487:100
     route-target import 8487:100
    !
    ip vrf BI_C3745-1
     rd 8487:31
     route-target export 8487:100
     route-target import 8487:100
    !
    mls netflow interface
    no mls flow ip
    no mls flow ipv6
    mls cef error action reset
    !
    !
    !
    !
    redundancy
     keepalive-enable
     mode sso
     main-cpu
      auto-sync running-config
    spanning-tree mode pvst
    spanning-tree extend system-id
    diagnostic cns publish cisco.cns.device.diag_results
    diagnostic cns subscribe cisco.cns.device.diag_commands
    fabric timer 15
    !
    vlan internal allocation policy ascending
    vlan access-log ratelimit 2000
    !
    interface FastEthernet2/3
     description c3745-1 Interface Internet
     ip vrf forwarding BI_C3745-1
     ip address BB.BB.BB.233 255.255.255.252
     speed 100
     duplex full
    !
    interface FastEthernet2/6
     description C2621-1 - Internet Interface
     ip vrf forwarding BI_C2621-1
     ip address BB.BB.BB.237 255.255.255.252
    !
    router bgp 8487
     no synchronization
     bgp log-neighbor-changes
     neighbor MPBGP peer-group
     neighbor MPBGP remote-as 8487
     neighbor MPBGP update-source Loopback0
     neighbor MPBGP next-hop-self
     neighbor MPBGP send-community both
     neighbor AA.BB.CC.4 peer-group MPBGP-MPBGP
     no auto-summary
     !
     address-family vpnv4
      neighbor MPBGP send-community extended
      neighbor AA.BB.CC.4 activate
     exit-address-family
     !
     address-family ipv4 vrf BI_C3745-1
      redistribute connected
      neighbor BB.BB.BB.234 remote-as 8487
      neighbor BB.BB.BB.234 update-source FastEthernet2/3
      neighbor BB.BB.BB.234 activate
      no synchronization
     exit-address-family
     !
     address-family ipv4 vrf BI_C2621-1
      redistribute connected
      neighbor BB.BB.BB.238 remote-as 8487
      neighbor BB.BB.BB.238 update-source FastEthernet2/6
      neighbor BB.BB.BB.238 activate
      no synchronization
     exit-address-family
    !
    ip classless
    !
    !
    control-plane

    ;;
    ;; Cisco 2611 Config
    ;;
    Current configuration:
    !
    version 12.0
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname C2621-1
    !
    enable secret 5 XXX
    !
    !
    !
    !
    !
    ip subnet-zero
    ip cef
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     ip address 192.168.50.1 255.255.255.0
     no ip directed-broadcast
     speed auto
     full-duplex
    !
    interface FastEthernet0/1
     ip address BB.BB.BB.238 255.255.255.252
     no ip directed-broadcast
     duplex auto
     speed auto
    !
    router bgp 8487
     redistribute connected
     neighbor BB.BB.BB.237 remote-as 8487
     neighbor BB.BB.BB.237 update-source FastEthernet0/1
     no auto-summary
    !
    no ip classless
    no ip http server
    !
    !
    line con 0
     transport input none
    line aux 0
    line vty 0 4
     password XXXX
     login
    !
    end

    ;;
    ;; Cisco 3745 Config
    ;;
    Current configuration : 1668 bytes
    !
    ! Last configuration change at 12:16:10 CEST Wed Feb 4 2009
    ! NVRAM config last updated at 08:39:58 CEST Wed Feb 4 2009
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname C3745-1
    !
    boot-start-marker
    boot system flash flash:c3745-adventerprisek9-mz.124-10.bin
    boot-end-marker
    !
    enable secret 5 CCC
    !
    no aaa new-model
    clock timezone CEST 2
    ip cef
    !
    !
    !
    !
    interface Loopback0
     ip address BB.BB.BB.198 255.255.255.255
    !
    interface FastEthernet0/0
     ip address BB.BB.BB.234 255.255.255.252
     speed 100
     full-duplex
    !
    interface FastEthernet0/1
     ip address 192.168.51.1 255.255.255.0
     full-duplex

    router bgp 8487
     no synchronization
     bgp log-neighbor-changes
     redistribute connected
     neighbor BB.BB.BB.233 remote-as 8487
     no auto-summary
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     password XXX
     login
    !
    end

Mag

The reason they don't see each other is because they are in different VRFs!!!! The entire point of a VRF is to create separate layer 3 routing instances. So you have the 6500 and the 3750 in one VRF, and the 6500 and the 2611 in another. The 6500 has three completely separate routing instances: the native one, VRF BI_C2621-1, VRF ip vrf BI_C3745-1. Imagine you have three 6500s that are not interconnected in any way; now can you see why the 2611 can't see the 3750 and vice versa?

Thrill5

Thrill5 wrote:

Hi

Thanks for your answer, but no, I don't understand why that doesn't work.

Yes, each VRF has a separate routing table, but on the 6500 I have:

    ip vrf BI_C2621-1
     rd 8487:30
     route-target export 8487:100
     route-target import 8487:100
    !
    ip vrf BI_C3745-1
     rd 8487:31
     route-target export 8487:100
     route-target import 8487:100

You see that the route-target export/import are the same in all VRFs!

And the same config works perfectly with a Cisco 3640:

    ip vrf DGS001
     rd 65500:1
     route-target export 65500:34
     route-target import 65500:34
     route-target import 65500:35
    !
    ip vrf DGS004
     rd 65500:4
     route-target export 65500:34
     route-target import 65500:34
     route-target import 65500:35

    interface Serial0/1:0
     ip vrf forwarding DGS001
     ip address 172.20.2.249 255.255.255.252

    interface Serial1/3:0
     ip vrf forwarding DGS004
     ip address 172.20.2.241 255.255.255.252
    !

     address-family ipv4 vrf DGS004
      redistribute connected
      neighbor 172.20.2.242 remote-as 65500
      neighbor 172.20.2.242 activate
      neighbor 172.20.2.242 as-override
      no synchronization
     exit-address-family
     !
     address-family ipv4 vrf DGS001
      redistribute connected
      neighbor 172.20.2.250 remote-as 65500
      neighbor 172.20.2.250 activate
      neighbor 172.20.2.250 as-override
      no synchronization
     exit-address-family

This config works ... VRF DGS004 sees DGS001

Mag

My guess is that the reason it works on the 3640 is because of a very serious bug with severe security implications. The entire reason for using VRFs is to keep routing instances completely separate.

Thrill5

Regarding "completely separate":-

I have been reading about MPLS VPNs recently and am far from clueful however -

I got the idea that, while different VRFs were separate by default (let's say), it was possible to configure leakage. This could be useful, for example, for a network service provider who also wanted to provide, say, email or file store or other centralised services to a number of customers.

bod43
