I have an SMB with 3 locations connected over an L3 MPLS VPN, and I’m looking into doing some basic segmentation with VRF-Lite on Cisco. Basically I’d want to run 3-4 VRF instances between these locations.
I am not sure how to accomplish this when peering with our SP at the edge. Is this simply a matter of calling them up and asking to peer OSPF on multiple subinterfaces, and then running a dedicated OSPF process per VRF-Lite instance?
Edit: Is there a specific name for what I’m trying to do?
The SP is not likely to help with this without you paying for extra circuits. They would need to set up each of the VRFs on their network, so you would effectively have 3-4 L3VPN circuits. The best way to do this is to tunnel over the existing L3VPN network. The easiest way to do this would be separate multipoint GRE tunnels per VRF, but there are other ways to do it.
There are other options too, like converting to a VPLS solution or deploying a VRF-aware SD-WAN product.
I think the term is Multi-VRF. This would need to be configured by your SP.
I would end up doing GRE tunnels for this for each VRF. You will basically be using the MPLS as a secure underlay and have more control over your segmentation.
Otherwise, if your carrier lets you (or you pay for them), your carrier can set up virtual circuits for you over your physical MPLS links and trunk them to you. Instead of having a regular interface, the carrier will set up subinterfaces and trunk them to you. Your head office would have all virtual circuits, but each remote site would be in a different VRF on the carrier side. On the head office side, you can put each subinterface in a VRF to segment them.
Your existing service has 1 VRF.
You could call the carrier and order another 3, as you say, each to be handed over on a separate subinterface.
You could also get them to give you some combination of Layer 2 (E-Line / E-LAN) services, and then run your own 802.1Q subinterfaces across. Or run MPLS/VXLAN or whatever transport you want to do it without manual VLAN subinterfaces.
Lastly if you don’t want to talk to the ISP you could build GRE tunnels between all sites, and run each in separate VRFs. Or run MPLSoGRE or something.
Tunnels are a good option, as others have mentioned. Just consider the effect on MTU and whether it's going to be detrimental (probably not), and what device you're going to build the tunnels on and its support for doing so. You don't sound like you want too many tunnels, so it may not be an issue. You should be able to set it up using a front-door VRF, where the tunnels build over one VRF but the tunnel interfaces themselves are part of another VRF.
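As an added example (not configuration posted by anyone in this thread), here is what the front-door VRF design described in the replies above might look like on a Cisco IOS CE: the existing SP handoff and its OSPF peering move into an underlay VRF, each segment becomes an inner VRF, and one GRE tunnel per inner VRF per remote site is sourced from the underlay. Every VRF name, address, process number, tunnel number and interface name is hypothetical; only site A and one remote site (B) are shown, and each additional site adds one tunnel per inner VRF following the same pattern.

```cisco
! Site A (Cisco IOS CE). Front-door VRF design, VRF-Lite over an SP L3VPN.
! Hypothetical names/addresses; site B mirrors this with addresses swapped.

! Front-door (underlay) VRF: only the SP handoff and the tunnel endpoint live here.
vrf definition SP_UNDERLAY
 address-family ipv4
!
! Inner VRFs. An RD is required by the syntax but has no MP-BGP meaning in VRF-Lite.
vrf definition CORP
 rd 65000:10
 address-family ipv4
!
vrf definition GUEST
 rd 65000:20
 address-family ipv4
!
interface GigabitEthernet0/0
 description Existing L3VPN handoff to SP PE
 vrf forwarding SP_UNDERLAY
 ip address 203.0.113.2 255.255.255.252
!
interface Loopback0
 description Tunnel endpoint, reachable through the SP L3VPN
 vrf forwarding SP_UNDERLAY
 ip address 192.0.2.1 255.255.255.255
!
! The existing OSPF peering with the SP moves into the underlay VRF.
! "capability vrf-lite" stops IOS treating this CE as a PE: without it the
! process ignores LSAs the SP PE marks with the DN bit and those routes are lost.
router ospf 100 vrf SP_UNDERLAY
 router-id 192.0.2.1
 capability vrf-lite
 network 203.0.113.0 0.0.0.3 area 0
 network 192.0.2.1 0.0.0.0 area 0
!
! One GRE tunnel per (inner VRF, remote site). "vrf forwarding" is the VRF the
! tunnel interface belongs to; "tunnel vrf" is where the destination is looked up.
! Tunnels sharing the same source/destination are told apart by "tunnel key".
! MTU: GRE with a key adds 28 bytes; 1400/1360 leaves headroom for the SP path.
interface Tunnel10
 description CORP -> site B
 vrf forwarding CORP
 ip address 10.255.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel vrf SP_UNDERLAY
 tunnel key 10
!
interface Tunnel20
 description GUEST -> site B
 vrf forwarding GUEST
 ip address 10.255.20.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel vrf SP_UNDERLAY
 tunnel key 20
!
! LAN side: one 802.1Q subinterface per segment, placed in the matching VRF.
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 vrf forwarding CORP
 ip address 10.10.1.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 vrf forwarding GUEST
 ip address 10.20.1.1 255.255.255.0
!
! One OSPF process per inner VRF. Nothing is redistributed into process 100,
! so CORP and GUEST prefixes never reach the SP, and the SP's routes never
! reach CORP or GUEST.
router ospf 10 vrf CORP
 router-id 10.255.10.1
 network 10.255.10.0 0.0.0.3 area 0
 network 10.10.1.0 0.0.0.255 area 0
!
router ospf 20 vrf GUEST
 router-id 10.255.20.1
 network 10.255.20.0 0.0.0.3 area 0
 network 10.20.1.0 0.0.0.255 area 0
```

To check the separation once both ends are up: `ping vrf SP_UNDERLAY 192.0.2.2 source Loopback0` proves the underlay path through the SP, `show ip route vrf CORP` should list only CORP and tunnel prefixes, and `show ip route vrf SP_UNDERLAY` should contain no CORP or GUEST prefix at all. If the underlay OSPF adjacency forms but the SP's routes never appear, the missing `capability vrf-lite` is the first thing to look for.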
Not sure if you're running Cisco or not, but they also have something called Easy Virtual Network (EVN) that this could be a use case for if you really didn't want to do tunnels. I've never done much with it, but it was part of the CCNP ROUTE before the new certs came out.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/evn/configuration/xe-3s/evn-xe-3s-book/evn-overview.html
Couldn’t they do CSC instead of back-to-back VRFs?
Thanks! I’ll look into the Multipoint GRE Tunnels for starters. Could you provide the names of the other methods so I can look them up?
We were on a VPLS but moved over to MPLS as I came on board a couple years ago, we’re locked into MPLS for at least a couple more years because we signed a contract with the SP to have fiber trenched in for one of our locations.
Perhaps when the contract is up we’ll ditch MPLS and move over to SD-WAN.
Hmm, thanks for the EVN tip. I remember this vaguely from the old CCNP but they didn’t really cover it in depth.
A quick Google search seems to indicate this is more on the campus side - it says “compatible with MPLS-VPN over mGRE.” Might be a good use case for that side, however.
Some might, but I’ve never seen it actually implemented. That also requires OP to run MPLS, which is probably overkill for this scenario.
It’s unlikely that the provider will offer CSC.
> Perhaps when the contract is up we’ll ditch MPLS and move over to SD-WAN.
These are not mutually exclusive, FYI.
Most tunnel mechanisms should work. IPsec VTI, GRE, VXLAN/EVPN, etc.
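One caveat a practitioner should keep in mind when reading "secure underlay" above: an SP L3VPN separates customers, and GRE separates VRFs, but neither encrypts anything, so the SP (and anyone with access to its core) can read every packet. If the segments need confidentiality in transit, the per-VRF GRE tunnels can be protected with IKEv2/IPsec while keeping the same front-door VRF layout. The following is an added example, not configuration from anyone in this thread; the VRF names, addresses, profile names and pre-shared key are hypothetical, and the remote site mirrors it with the addresses swapped.

```cisco
! Site A: IKEv2/IPsec protection for per-VRF GRE tunnels in a front-door VRF.
! Hypothetical names, addresses and key; site B mirrors this configuration.

crypto ikev2 proposal IKE-PROP
 encryption aes-gcm-256
 prf sha512
 group 19
!
! IKEv2 runs in the front-door VRF, so policy and profile must match that fVRF.
crypto ikev2 policy IKE-POL
 match fvrf SP_UNDERLAY
 proposal IKE-PROP
!
crypto ikev2 keyring IKE-KEYS
 peer SITE-B
  address 192.0.2.2
  pre-shared-key REPLACE-WITH-LONG-RANDOM-SECRET
!
crypto ikev2 profile IKE-PROF
 match fvrf SP_UNDERLAY
 match identity remote address 192.0.2.2 255.255.255.255
 identity local address 192.0.2.1
 authentication remote pre-share
 authentication local pre-share
 keyring local IKE-KEYS
!
! Transport mode: the outer GRE/IP header already carries the endpoints.
crypto ipsec transform-set ESP-GCM esp-gcm 256
 mode transport
!
crypto ipsec profile VRF-TUNNELS
 set transform-set ESP-GCM
 set ikev2-profile IKE-PROF
!
! Same tunnels as the plain fVRF/GRE design, plus "tunnel protection".
! "shared" is needed because Tunnel10 and Tunnel20 use the same tunnel source
! and mode; the GRE key keeps the inner VRFs apart inside the shared IPsec session.
! MTU is tightened slightly to absorb the ESP overhead on top of GRE.
interface Tunnel10
 description CORP -> site B (encrypted)
 vrf forwarding CORP
 ip address 10.255.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel vrf SP_UNDERLAY
 tunnel key 10
 tunnel protection ipsec profile VRF-TUNNELS shared
!
interface Tunnel20
 description GUEST -> site B (encrypted)
 vrf forwarding GUEST
 ip address 10.255.20.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Loopback0
 tunnel destination 192.0.2.2
 tunnel vrf SP_UNDERLAY
 tunnel key 20
 tunnel protection ipsec profile VRF-TUNNELS shared
```

`show crypto ikev2 sa` should show one IKEv2 SA per remote site in fVRF SP_UNDERLAY, and `show crypto ipsec sa` should show encaps/decaps counters climbing on both tunnels. A pre-shared key is shown because it is the shortest thing to demonstrate; for more than a handful of sites, certificate authentication (`authentication remote rsa-sig`) avoids distributing one long-lived secret to every router.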
I found BRKRST-2045 Extending L3 VPN Over IP-based WAN Transport which seems to be exactly what I’m looking for. Perhaps a bit much to do dynamic tunnels for our size but it would be good future proofing and the overall config doesn’t seem to be overly complicated.
Thanks for pointing me in the right direction.