Multi-VRF or VRF-Lite
CE1 router:
ip vrf FINANCE
rd 1:10
route-target both 1:10
!
ip vrf MGMT
rd 1:20
route-target both 1:20
!
interface fastethernet 0/0
no ip address
!
interface fastethernet 0/0.10
encapsulation dot1q 10
ip vrf forwarding FINANCE
ip address 10.1.1.2 255.255.255.252
!
interface fastethernet 0/0.20
encapsulation dot1q 20
ip vrf forwarding MGMT
ip address 10.2.2.2 255.255.255.252
!
router ospf 10 vrf FINANCE
network 10.1.1.0 0.0.0.3 area 0
capability vrf-lite
!
router ospf 20 vrf MGMT
network 10.2.2.0 0.0.0.3 area 0
capability vrf-lite
!
PE1 router:
ip vrf FINANCE
rd 1:10
route-target both 1:10
!
ip vrf MGMT
rd 1:20
route-target both 1:20
!
interface Loopback 0
ip address 1.1.1.1 255.255.255.255
ip ospf 1 area 0
!
interface fastethernet 0/0
no ip address
!
interface fastethernet 0/0.10
encapsulation dot1q 10
ip vrf forwarding FINANCE
ip address 10.1.1.1 255.255.255.252
!
interface fastethernet 0/0.20
encapsulation dot1q 20
ip vrf forwarding MGMT
ip address 10.2.2.1 255.255.255.252
!
router ospf 10 vrf FINANCE
network 10.1.1.0 0.0.0.3 area 0
redistribute bgp 100 subnets metric 10
!
router ospf 20 vrf MGMT
network 10.2.2.0 0.0.0.3 area 0
redistribute bgp 100 subnets metric 10
!
router bgp 100
neighbor 2.2.2.2 remote-as 100
neighbor 2.2.2.2 update-source Loopback 0
!
address-family vpnv4
neighbor 2.2.2.2 activate
neighbor 2.2.2.2 send-community both
exit-address-family
!
address-family ipv4 vrf FINANCE
redistribute ospf 10 metric 20 match internal external
exit-address-family
!
address-family ipv4 vrf MGMT
redistribute ospf 20 metric 20 match internal external
exit-address-family
!
The capability vrf-lite command disables the DN-bit (down bit) and domain-tag checks in OSPF. In VRF-lite the CE router acts as the PE router, and the PE routers advertise VPN routes to the CE routers with the DN-bit set. If the CE routers receive routes with the DN-bit set, they will discard them. Hence, the checks should be disabled.
CE2 learns the CE1 FINANCE route 10.1.1.0/30 as an inter-area OSPF route. Similarly, CE2 learns the CE1 MGMT route 10.2.2.0/30 as an inter-area OSPF route.
CE2# sh ip route vrf FINANCE | begin Gateway
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.1.1.0 [110/20] via 10.1.1.5, 00:00:23, FastEthernet0/0.10
C 10.1.1.4 is directly connected, FastEthernet0/0.10
CE2# sh ip route vrf MGMT | begin Gateway
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.2.2.0 [110/20] via 10.2.2.5, 00:00:28, FastEthernet0/0.20
C 10.2.2.4 is directly connected, FastEthernet0/0.20
Now we configure an OSPF sham-link between the PE1 and PE2 routers so that OSPF routes are carried as intra-area routes across VPN sites.
PE1(config)# interface Loopback 12
PE1(config-if)# ip vrf forwarding FINANCE
PE1(config-if)# ip address 3.3.3.3 255.255.255.255
!
PE1(config)# interface Loopback 22
PE1(config-if)# ip vrf forwarding MGMT
PE1(config-if)# ip address 4.4.4.4 255.255.255.255
!
PE1(config)# router bgp 100
PE1(config-router)# address-family ipv4 vrf FINANCE
PE1(config-router-af)# network 3.3.3.3 mask 255.255.255.255
PE1(config-router-af)# exit-address-family
PE1(config-router)# address-family ipv4 vrf MGMT
PE1(config-router-af)# network 4.4.4.4 mask 255.255.255.255
!
PE1(config)# router ospf 10 vrf FINANCE
PE1(config-router)# router-id 3.3.3.3 <---- This is mandatory since it requires a unique router-id per-VRF.
PE1(config-router)# area 0 sham-link 3.3.3.3 5.5.5.5 cost 2
PE1(config-router)# exit
PE1(config)# router ospf 20 vrf MGMT
PE1(config-router)# router-id 4.4.4.4
PE1(config-router)# area 0 sham-link 4.4.4.4 6.6.6.6 cost 2
!
A similar configuration should follow on the PE2 router. Once the OSPF sham-links are operational, the CE2 router learns the 10.1.1.0/30 network as an intra-area route. Hence, the capability vrf-lite command can be removed from the CE routers.
CE2# sh ip route vrf FINANCE | begin Gateway
Gateway of last resort is not set
3.0.0.0/32 is subnetted, 1 subnets
O E2 3.3.3.3 [110/20] via 10.1.1.5, 00:00:06, FastEthernet0/0.10
5.0.0.0/32 is subnetted, 1 subnets
O E2 5.5.5.5 [110/10] via 10.1.1.5, 00:00:08, FastEthernet0/0.10
10.0.0.0/30 is subnetted, 2 subnets
O 10.1.1.0 [110/22] via 10.1.1.5, 00:00:08, FastEthernet0/0.10
C 10.1.1.4 is directly connected, FastEthernet0/0.10
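One way to check this result from captured output, as an added example that is not part of the original page: the Python script below parses the two CE2 FINANCE routing tables shown above and confirms that 10.1.1.0/30 changed from an inter-area to an intra-area route. The function names and the "kind" labels are assumptions of the example.

```python
import re

# Added example; helper names are its own. Samples: CE2 FINANCE tables copied from this page.
BEFORE = """\
Gateway of last resort is not set
10.0.0.0/30 is subnetted, 2 subnets
O IA 10.1.1.0 [110/20] via 10.1.1.5, 00:00:23, FastEthernet0/0.10
C 10.1.1.4 is directly connected, FastEthernet0/0.10
"""
AFTER = """\
Gateway of last resort is not set
3.0.0.0/32 is subnetted, 1 subnets
O E2 3.3.3.3 [110/20] via 10.1.1.5, 00:00:06, FastEthernet0/0.10
5.0.0.0/32 is subnetted, 1 subnets
O E2 5.5.5.5 [110/10] via 10.1.1.5, 00:00:08, FastEthernet0/0.10
10.0.0.0/30 is subnetted, 2 subnets
O 10.1.1.0 [110/22] via 10.1.1.5, 00:00:08, FastEthernet0/0.10
C 10.1.1.4 is directly connected, FastEthernet0/0.10
"""

HEADER = re.compile(r"^[\d.]+/(\d+) is (variably )?subnetted")
ROUTE = re.compile(r"^(?P<code>[A-Z](?: (?:IA|E1|E2|N1|N2))?)\s+"
                   r"(?P<net>\d+(?:\.\d+){3})(?:/(?P<len>\d+))?\s+"
                   r"(?:\[\d+/(?P<metric>\d+)\] via (?P<via>[\d.]+)|is directly connected)")
KIND = {"O": "intra-area", "O IA": "inter-area", "C": "connected"}

def parse_routes(text):
    """Map 'net/len' -> {code, kind, metric, via} for each route line it recognises."""
    routes, mask = {}, None
    for line in map(str.strip, text.splitlines()):
        h = HEADER.match(line)
        if h:  # this IOS format prints the mask once, on the classful header line
            mask = None if h.group(2) else h.group(1)
            continue
        m = ROUTE.match(line)
        if m and (m.group("len") or mask):
            code = m.group("code")
            kind = KIND.get(code, "external" if code.startswith("O") else "other")
            metric = int(m.group("metric")) if m.group("metric") else None
            routes[f"{m.group('net')}/{m.group('len') or mask}"] = {
                "code": code, "kind": kind, "metric": metric, "via": m.group("via")}
    return routes

def sham_link_effective(before, after, prefix):
    """True when prefix was an inter-area route before and is intra-area after."""
    b, a = parse_routes(before).get(prefix), parse_routes(after).get(prefix)
    return bool(b and a) and b["kind"] == "inter-area" and a["kind"] == "intra-area"

if __name__ == "__main__":
    print("sham-link effective:", sham_link_effective(BEFORE, AFTER, "10.1.1.0/30"))
```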