Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


53-1003033-02

Overview of Multi-VRF

Secure VPNs require traffic to be encrypted and authenticated and are most important when
communication occurs across an infrastructure that is not trusted (e.g. over the public Internet).
The most commonly deployed types of secure VPNs are IPSec VPNs and SSL (Secure Sockets
Layer) VPNs. Both offer encryption of data streams. While IPSec VPNs operate at the network layer
and require special client software, SSL VPNs are more application centric and can generally work
with any SSL-enabled browser.

Trusted VPNs ensure integrity and privacy of the data transfers but do not provide any encryption
capabilities. Trusted VPNs are most useful when the goal is to leverage a shared infrastructure to
allow virtual networks to be built. Examples of such “trusted VPN” technologies include IP or MPLS
based Layer 2 VPNs (VPLS, VLL), BGP or MPLS VPNs, ATM or Frame Relay circuits, Layer 2
Tunneling Protocol (L2TP), etc. In short, all these technologies allow a shared infrastructure to be
used without compromising the privacy needs of different users or user groups.

Central to Multi-VRF is the ability to maintain multiple “Virtual Routing and Forwarding” (VRF) tables
on the same Provider Edge (PE) Router. Multi-VRF uses multiple instances of a routing protocol
such as BGP or OSPF to exchange route information for a VPN among peer PE routers. The
Multi-VRF capable PE router maps an input customer interface to a unique VPN instance. The
router maintains a different VRF table for each VPN instance on that PE router. Multiple input
interfaces may also be associated with the same VRF on the router, if they connect to sites
belonging to the same VPN. This input interface can be a physical interface or a virtual Ethernet
interface on a port.

Multi-VRF routers communicate with one another by exchanging route information in the VRF table
with the neighboring PE router. This exchange of information among the PE routers is done using
BGP or OSPF. The PE routers that communicate with one another should be directly connected at
Layer 3. Customers connect to PE routers in the network using Customer Edge (CE) routers as
shown in Figure 23.

Different routing protocols may be used for exchanging information between the PE-PE routers and
between the adjacent PE-CE routers. Further, different PE-CE routing protocols may be used in a
VPN to exchange customer routes with the various customer sites in that VPN. The routes learned
from the PE-CE protocol are added to the corresponding VRF instance and redistributed through
the PE-PE protocol to the peer router in the backbone network.

Figure 23 depicts a network using Multi-VRF to provide connectivity among sites that belong to
multiple VPNs. To share the VPN route table information with remote PEs, each PE creates separate
virtual interfaces and runs different instances of the PE-PE routing protocol for each VRF.
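The per-VRF separation described above can be modeled in a few lines. This is an added illustration, not code or configuration from the Brocade guide. The router names, interface names (`ve10`, `eth1/1`), VRF names and prefixes are constructed, and the `PE` class is a hypothetical toy model rather than a routing protocol implementation.

```python
import ipaddress

class PE:
    """Toy model of a Multi-VRF PE router: one routing table per VRF."""
    def __init__(self, name):
        self.name = name
        self.if_to_vrf = {}   # input interface -> VRF name
        self.vrfs = {}        # VRF name -> {prefix: next hop}

    def bind(self, interface, vrf):
        # Several interfaces may share a VRF; an interface maps to exactly one.
        if interface in self.if_to_vrf:
            raise ValueError(f"{interface} already bound to {self.if_to_vrf[interface]}")
        self.if_to_vrf[interface] = vrf
        self.vrfs.setdefault(vrf, {})

    def learn(self, interface, prefix, next_hop):
        # A PE-CE route goes only into the VRF of the interface it arrived on.
        vrf = self.if_to_vrf[interface]
        self.vrfs[vrf][ipaddress.ip_network(prefix)] = next_hop

    def advertise(self, peer, vrf, local_if, peer_if):
        # One PE-PE instance per VRF, over a virtual interface in that VRF.
        if self.if_to_vrf.get(local_if) != vrf or peer.if_to_vrf.get(peer_if) != vrf:
            raise ValueError("PE-PE interface is not in the same VRF on both ends")
        for prefix in list(self.vrfs[vrf]):
            peer.vrfs[vrf].setdefault(prefix, f"{self.name} via {peer_if}")

    def lookup(self, in_interface, dst):
        # Forwarding consults only the input interface's VRF (longest match).
        table = self.vrfs[self.if_to_vrf[in_interface]]
        addr = ipaddress.ip_address(dst)
        matches = [p for p in table if addr in p]
        return table[max(matches, key=lambda p: p.prefixlen)] if matches else None

def build_demo():
    # Constructed topology: VPNs "red" and "green" both use 10.1.0.0/16.
    pe1, pe2 = PE("PE1"), PE("PE2")
    for pe in (pe1, pe2):
        for interface, vrf in (("ve10", "red"), ("ve20", "green"),
                               ("eth1/1", "red"), ("eth1/2", "green")):
            pe.bind(interface, vrf)
    pe2.bind("eth1/3", "red")   # second customer interface in the same VPN
    pe1.learn("eth1/1", "10.1.0.0/16", "CE-red-1")
    pe1.learn("eth1/2", "10.1.0.0/16", "CE-green-1")
    pe1.learn("eth1/1", "10.1.5.0/24", "CE-red-1b")
    pe1.advertise(pe2, "red", "ve10", "ve10")
    pe1.advertise(pe2, "green", "ve20", "ve20")
    return pe1, pe2
```

The same destination address resolves differently depending on the input interface's VRF, and an `advertise` call whose two ends sit in different VRFs is rejected, which is the route-leak case an operator would want to catch in configuration review.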

NOTE

Some vendors also use the terminology of “Multi-VRF CE” or “VRF-Lite” for this technology.
