new vrf with ospf as routing protocol

Hello,

I have four sites I will connect through an MPLS network. All the sites are using ICX 7450 routers. They don't have any VRF configured, so all the interfaces and static routing are in the default-vrf.
I know I need at least a reboot in order to change the default values to make space for the routing table in the new VRF. My question is:
Is the VRF configuration service-disruptive (besides the reboot)?

I will configure an OSPF instance for this VRF, and I think that if I don't assign any L3 interface to the OSPF or the VRF, it shouldn't cause any trouble. Is that right?

Here's the configuration I'm planning to do (this is one of the routers)

!Configure VRF-related system-max values (default FastIron configuration does not allow space for VRF routing tables)!

system-max ip-route-vrf
reload

!Configure VRF instances

vrf new-vrf
exit-vrf

!Configure a Route Distinguisher (RD) for new VRF instance

vrf new-vrf
rd 1:91
ip router-id 172.25.131.6
exit-vrf

!Configure an IPv4 or IPv6 Address Family (AF) for new VRF instance

vrf new-vrf
address-family ipv4
exit-address-family
exit-vrf


!Configure routing protocols for new Multi-VRF instance

router ospf vrf new-vrf
area 0.0.0.0
log adjacency


!Assign VRF instances to Layer 3 interfaces
!NOTE: When a VRF instance is assigned to an interface, all IP addresses are deleted, and will trigger cache deletion, route deletion and associated cleanup. You must re-configure the IP address and interface properties after assigning a VRF instance to the L3 interface. 

interface loopback 2
vrf forwarding new-vrf
ip address 172.25.131.6/32
end

Am I missing something there?

Thanks in advance for your help!
Laura Pineiro

Posted 2 weeks ago


NETWizz

Overall, it looks close to complete, but you may not have shown the entire configuration...   Did it not work?

Have you checked your neighborships etc.?

On our configurations, we had to set the memory up as follows to create VRF statements.  Not saying your above statements don't work:

system-max ip-route 15168
system-max ip6-route-default-vrf 64

The above requires a reload.

Ultimately, everything looks good with regard to your configuration, but please confirm you have an "area 0" somewhere?

***

Presumably you have another network subnet used as your uplink network, and it is a physical interface(vs that loopback).  Where is that?  You cannot uplink this based on a loopback alone.

Note:  The above is often a VRI (Virtual Routing Interface) such as interface ve xx.  These are very common on multi-layer switches and generally serve as the layer-3 interfaces.  (i.e. they get assigned an IP/mask).


ip ospf area <area> needs to be added to the Layer-3 interface, which is your uplink...  This is more commonly used on ICX than stating network statements under your router ospf process, but chances are both are supported.

Even once you get OSPF up and running, presumably, you want it to announce your loopback?  You have to put that into the routing process the same way, OR you could "redistribute connected" to take care of these.



Laura Pineiro

Hello NetWizz!

Thanks for your quick reply.

I haven't tested the configuration yet. I'm trying to set up a lab with three ICX7450 in order to test something close to what I have in production (of course I won't have the MPLS network; they will be directly connected).

In production I have 4 routers, none of them has VRF configured and routing is static for three of them. The fourth one already has an OSPF instance with the firewall for internet routing. The new VRF will be used to communicate the internal subnets of four sites.

For the one with OSPF already running I have an area 0 but not for the others. Is that a problem if I use area 0 also in the new OSPF instance?

I just put the loopback interface as an example of configuration; of course I need to add this same configuration on the interface that will participate in the OSPF.

I have one more question: if I have a subnet (SVI interface) which I need to configure to use the default VRF to go to the internet and vrf-new to access the other sites, can I include the interface in both VRFs? Is that possible?

I have always seen the configurations separated and I never saw an interface configured to participate in both VRFs.

Thanks a lot for your comments and I will keep in mind your recommendation.

Thanks again :)



NETWizz

I would test the configuration and build it in snippets in your lab.  As for MPLS, it is probably more or less used by your WAN carrier as a transport or to prevent the need to run BGP within your core, but I am not certain of your environment.  Is MPLS something your provider handles for you, so you get the traffic without any remaining MPLS labels, or are you actually running it, LDP etc.?

I am not sure what you are trying to build that you do not have VRF entries but now you are making them "to communicate the internal subsets of the four sites."  Please explain.   Generally, VRF statements are used to abstract the routing tables, keeping routing tables separate.  They are particularly useful to prevent overlapping subnets and between customers.

I cannot tell you how the areas should be laid out in your network.  That is more a network architecture and design.  Many networks use multiple areas that are ultimately connected back to Area 0, which serves as your backbone.  The big difference in OSPF (vs say IS-IS) is that different interfaces on the same router (or routing process) can be in different areas.  On OSPF, we call these Area Border Routers (ABRs).  The most common reason to create different areas is to summarize between the areas or just for logical delineation of the network.  Sure it keeps the LSAs down as well as making the Dijkstra's algorithm take less time to calculate shortest paths, but none of that matters much more than cosmetically on a small network.  Nonetheless, no reason it should pose a problem either.

Are they different computers going to your default or Internet VRF and your vrf-new for routing to the sites?  Sorry if I do not understand your setup.  Or are you using PBR to examine the packets and change the VRF dynamically?  I am not saying anything is impossible, but a particular SVI (VRI on ICX) is attached to a particular VRF instance in which its IP gets added as a directly-connected route.  I am not saying you cannot have a route in that VRF with a next-hop to another routing table in another VRF even on the same device.  If you wanted, you could even connect a network cable between interfaces within each VRF.

Referring to interfaces participating in multiple VRFs, not so much, but it is actually possible with "ip vrf receive" and Policy Based Routing:

https://community.cisco.com/t5/routing/vrf-forward-receive-which-one-is-best/td-p/2216740

One of my favorite blogs:
https://mellowd.co.uk/ccie/vrf-selection-using-policy-based-routing/




Laura Pineiro

Hello, we're not going to use the VRF. We have decided that we don't need it for now. So we're just configuring dynamic routing with OSPF between the four sites. I just tested in the lab (without the MPLS) so, it should work in production.
I want to thank you for your comments, they helped me a lot.

THANKS AGAIN! and have a nice day

NETWizz

Awesome.  Yeah, that is probably for the best.  Generally speaking, I say keep it simple. Not saying to not use different OSPF areas, but the most common reason folks do that is to summarize.

Let's say your data-center site has 10.0.0.0/24, 10.0.1.0/24,  10.0.2.0/24, and 10.0.3.0/24.

You could summarize to /22 which would take those four /24 networks and present them as one /22.


Ordinarily, it would announce itself to other areas and appear something like this:

TEST#show ip route 
<redacted>
     10.0.0.0/24 is subnetted, 4 subnets
O E2 10.0.2.0 [110/20] via 192.168.12.1, 00:00:20, GigabitEthernet0/0/0
O E2 10.0.3.0 [110/20] via 192.168.12.1, 00:00:21, GigabitEthernet0/0/0
O E2 10.0.0.0 [110/20] via 192.168.12.1, 00:00:22, GigabitEthernet0/0/0
O E2 10.0.1.0 [110/20] via 192.168.12.1, 00:00:24, GigabitEthernet0/0/0



Tell it to summarize to /22 by pasting something like this into the routing process:

summary-address 10.0.0.0 255.255.252.0

Results:


TEST#show ip route 
<redacted>
     10.0.0.0/22 is subnetted, 1 subnets
O E2 10.0.0.0 [110/20] via 192.168.12.1, 00:02:06, GigabitEthernet0/0/0


I hope that helps.  It would summarize between areas.  What is important is that you have an Area 0 as your backbone and every other area connects back to the backbone.  Hence if routing from Area 1 to Area 2, data would travel from Area 1 through Area 0 then to Area 2.  From there you would chop up "contiguous" subsets and assign them for use in each area to allow you to summarize.

In the above example, 10.0.4.0/24 would be listed as the next /22, but you would have to also add:

summary-address 10.0.4.0 255.255.252.0

Results:
TEST#show ip route 
<redacted>
     10.0.0.0/22 is subnetted, 2 subnets
O E2 10.0.0.0 [110/20] via 192.168.12.1, 00:02:06, GigabitEthernet0/0/0
O E2 10.0.4.0 [110/20] via 192.168.12.1, 00:01:01, GigabitEthernet0/0/0


However if you summarized to /21 you would be covered through 10.0.0.0 - 10.0.7.255...

Example:

summary-address 10.0.0.0 255.255.248.0


Results:
TEST#show ip route 
<redacted>
     10.0.0.0/21 is subnetted, 1 subnets
O E2 10.0.0.0 [110/20] via 192.168.12.1, 00:02:06, GigabitEthernet0/0/0



Hope this helps...  With four sites, I probably would not bother summarizing especially if the subnets are not contiguously assigned already unless you want to re-work your subnets.  IF you are assigning different areas, it is my sincere recommendation to keep contiguous subnets together for use in each area, so in the future if someone does want to summarize (i.e. as the network grows) it will be easy.  In the above example, you would not want 10.0.0.0/24 and 10.0.2.0/24 in one of your areas and 10.0.1.0/24 in another area.  Hope the above helps.
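
The subnet planning described in the reply above, as an added example that is not part of the original thread: it computes the smallest summary for each area's subnets, lists address space the summary would advertise that no subnet backs, and flags another area's subnets that fall inside it (the 10.0.0.0/24, 10.0.2.0/24 versus 10.0.1.0/24 case). The area numbers and function names are assumptions; the statement text only mirrors the form pasted in the post.

```python
import ipaddress

def covering_summary(subnets):
    """Smallest single prefix that contains every subnet in the list."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()
    return summary

def unassigned_space(summary, subnets):
    """Prefixes inside the summary that none of the listed subnets account for."""
    remaining = [summary]
    for net in map(ipaddress.ip_network, subnets):
        nxt = []
        for block in remaining:
            if net.subnet_of(block):
                nxt.extend(block.address_exclude(net))  # yields nothing if equal
            elif not block.subnet_of(net):
                nxt.append(block)
        remaining = nxt
    return sorted(remaining)

def plan(areas):
    """Per area: summary, statement text, uncovered gaps, other areas' subnets inside it."""
    report = {}
    for area, subnets in areas.items():
        summary = covering_summary(subnets)
        foreign = sorted((other, s) for other, nets in areas.items() if other != area
                         for s in nets if ipaddress.ip_network(s).overlaps(summary))
        report[area] = {
            "summary": str(summary),
            "statement": f"summary-address {summary.network_address} {summary.netmask}",
            "gaps": [str(g) for g in unassigned_space(summary, subnets)],
            "foreign": foreign,
        }
    return report

# Constructed inputs taken from the prefixes in the post; area numbers are assumed.
CONTIGUOUS = {"1": ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"],
              "2": ["10.0.4.0/24"]}
INTERLEAVED = {"1": ["10.0.0.0/24", "10.0.2.0/24"], "2": ["10.0.1.0/24"]}

if __name__ == "__main__":
    for name, layout in (("contiguous", CONTIGUOUS), ("interleaved", INTERLEAVED)):
        for area, info in plan(layout).items():
            print(name, "area", area, info)
```

A non-empty "gaps" list means the summary attracts traffic for addresses nothing in that area answers for, and a non-empty "foreign" list means the summary overlaps subnets that live in another area.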