Cisco Systems OL-4344-01 manual VPN Routing and Forwarding Tables VRFs

Page 16

Chapter 1 About Cisco IP Solution Center

About MPLS VPNs

VPN Routing and Forwarding Tables (VRFs)

The VPN routing and forwarding table (VRF) is a key element in the MPLS VPN technology. VRFs exist on PEs only (except in the case of a Multi-VRF CE). A VRF is a routing table instance, and more than one VRF can exist on a PE. A VPN can contain one or more VRFs on a PE. The VRF contains routes that should be available to a particular set of sites. VRFs use Cisco Express Forwarding (CEF) technology, therefore the VPN must be CEF-enabled.

A VRF is associated with the following elements:

IP routing table

Derived forwarding table, based on the Cisco Express Forwarding (CEF) technology

A set of interfaces that use the derived forwarding table

A set of routing protocols and routing peers that inject information into the VRF

Each PE maintains one or more VRFs. ISC software looks up a particular packet’s IP destination address in the appropriate VRF only if that packet arrived directly through an interface that is associated with that VRF. The so-called “color” MPLS label tells the destination PE to check the VRF for the appropriate VPN so that it can deliver the packet to the correct CE and finally to the local host machine.

A VRF is named based on the VPN or VPNs it services, and on the role of the CE in the topology. The schemes for the VRF names are as follows:

The VRF name for a hub: ip vrf Vx:[VPN_name]

The x parameter is a number assigned to make the VRF name unique.

For example, if we consider a VPN called Blue, then a VRF for a hub CE would be called:

ip vrf V1:blue

A VRF for a spoke CE in the Blue VPN would be called:

ip vrf V1:blue-s

A VRF for an extranet VPN topology in the Green VPN would be called:

ip vrf V1:green-etc

Thus, you can read the VPN name and the topology type directly from the name of the VRF.

Figure 1-9shows a network in which two of the four sites are members of two VPNs, and illustrates which routes are included in the VRFs for each site.

Cisco IP Solution Center, 3.0: MPLS VPN Management User Guide, 3.0

1-16

OL-4344-01

 

 

Image 16
Contents About Cisco IP Solution Center Overview of ISC ISC Network Management SubnetISC Features Service Provider Network for Vlan ID Management Access Domain Assigned Resource PoolsFeatures and Functions Provided in Provisioning with ISC VPN Service Profile-Based ProvisioningRole-Based Access Control Rbac CPE Customer’s and Provider’s View of the Network Customer’s View of the NetworkAbout Provider Edge Routers PEs About Multi-VRF CEsA Multi-VRF CE Providing Layer 3 Aggregation Using Templates to Customize Configuration Files Mapping IPsec Tunnels to Mpls VPNsAuditing Service Requests Uses for the Template FunctionAbout Mpls VPNs VPNs Sharing SitesCharacteristics of Mpls VPNs Intranets and ExtranetsVPN Routing and Forwarding Tables VRFs VRF Implementation Considerations Ip vrf site2 rdCreating a VRF Instance Route Distinguishers and Route TargetsRoute Target Communities CE Routing CommunitiesHub and Spoke Considerations Security Requirements for Mpls VPNs Address Space and Routing SeparationAddress Space Separation Routing SeparationHiding the Mpls Core Structure Resistance to Attacks Securing the Routing ProtocolLabel Spoofing Routing Authentication Securing the Mpls CoreTrusted Devices PE-CE InterfaceSeparation of CE-PE Links LDP AuthenticationConnectivity Between VPNs MP-BGP Security Features Security Through IP Address ResolutionEnsuring VPN Isolation North Bound Interface NBIAPI Functionality Supported NBI Benefits Distributed Load BalancingAPI Approach 11 Simple Flat-Based Server Load Balancing Configuration Four-Tier System Architecture Client tierControl tier