VRF usage & possibility question

tdistlists
Level 1

Hey,

I'm new to VRF, and was wondering if it's possible to do the following on 6509 Sup720s.

1. Set up a VRF for the same VLAN interface # across a pair of 720s running HSRP for that VLAN. (Don't know if this can be done with one EIGRP instance, or if I'd need two)

2. Have two layer-2 interfaces (one on each 720) connect to two layer-3 interfaces on two 4506s that are not running any VRF (just using regular EIGRP routing).

3. And then set up a static route for that VRF to a FWSM on the 720.

After any traffic from the 4506s reaches the VRF, it could forward it to the FWSM, which in turn has its own routes to route out of a virtual interface and use the global routing table on the 720, yes?

Is this possible?

Also, if you can provide any docs on VRF (preferably with no MPLS or GRE tunnels -- unless that's its only usage, because that's all I can find) that would be great.

Thanks so much!


12 Replies

mohammedmahmoud
Level 11

Hi there,

First of all, a VRF table consists of:

* an IP routing table

* a derived Cisco Express Forwarding (CEF) table

* a set of interfaces that use the forwarding table

* a set of rules and routing protocol variables that determine what goes into the forwarding table

Accordingly:

You'll need an EIGRP instance for each VRF using address-families, and configure "ip vrf forwarding x" on each layer-3 interface under the same VRF.

VRF-Lite was designed to work without MPLS, to only provide security separation and address overlapping: there is no Label Switching, no LDP or TDP running and no MP-BGP. VRF-Lite is effectively a lightweight version of MPLS:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html

HTH, please rate if it does help,

Mohammed Mahmoud.

Hello, and thanks for the help!

What confuses me is that, to me, VRF is VRF and MPLS is MPLS... I don't see their relation. MPLS is a forwarding protocol based on labels, and VRF allows for multiple virtual routing tables instead of one routing table. MPLS just uses VRF to virtualize the need for more hardware. Is this correct, or am I missing something?

In my situation, there is no Service Provider network, and no MPLS backbone. I just want to use VRF to virtualize and separate the routing internally on my network.

I simply have a 6509 connected to many devices, and also connected to two 4506s. I want these 4506s to route to the 6509 via EIGRP, but have a separate routing table within the 6509, in order to force their traffic into a FWSM (without using L2).

I think VRF would work, because it keeps a separate routing table.

Thanks for the help so much!

P.S. The documentation you provided is for a 4500. Does it work the same on a 6500?

Hi there,

MPLS uses VRF to separate and secure customers traffic on PE routers, and also to allow address space overlap.

In your case it is called VRF-Lite, which is VRF without MPLS, and that's why VRF-Lite was introduced.

And the document linked is conceptual and shall work with any platform.

HTH, please rate if it does help,

Mohammed Mahmoud.

Thanks again, I rated earlier posts.

So in order to add a FWSM virtual interface to a VRF routing table ... I would have to add a VRF to the L3 interfaces connected to the 4506s and to the VLAN interface in order to point to the FWSM.

Can I use the same VRF group across the two different 6509s?

Thanks!

Hi there,

Yes you can, as long as you ensure that the VRF routing table can route packets between them, which can be done via VRF static routes, or using address-families like in the case of RIP and EIGRP, and even using different OSPF processes.

HTH,

Mohammed Mahmoud.

Thanks.

I can't get past how to get the VRF to be part of the FWSM VLAN interface.

If I add a static route to the VRF group that points to the FWSM IP, is that enough?

Hi,

Yes, it is enough, plus of course configuring the "ip vrf forwarding" command under the desired interface; all the routing from now on should be related to a VRF name.

Please don't hesitate for further enquiries.

HTH,

Mohammed Mahmoud.

Great, and thanks!

If I add a static route to, say, vlan 100 interface on the FWSM:

ip route vrf NetPro 0.0.0.0 0.0.0.0 192.168.50.50

My L3 interfaces that are part of VRF NetPro will naturally not be in the same segment as 192.168.50.50... They will be in different segments.

After I add that static route, I don't see how the 192.168.50.50 IP will be in VRF NetPro's ARP table. How will the NetPro VRF utilize this static route?

Thanks!

Hi,

Is the IP 192.168.50.50 the ip address of the VLAN 100 interface, if yes then you should add "ip vrf forwarding NetPro" under interface VLAN 100, which will attach it to the VRF and so any packet in the same VRF can reach it and can resolve its MAC.

Can you attach a network topology if you still have any problems.

HTH,

Mohammed Mahmoud.

I forgot you can add an SVI to the same segment as a FWSM virtual vlan interface!

That's great. Now it's like this:

FWSM --> MSFC SVI --> VRF --> SVI --> L2 links --> 4506's

EIGRP will run between the right side SVI and the 4506s, and redistribute the static route of the MSFC SVI for the FWSM (which will be in the same VRF group).

Should work great, thanks for the help!

If I come up with further questions in the near future, is it best to start a new thread, or just add to this one?
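The design above (FWSM --> MSFC SVI --> VRF --> SVI --> 4506s) hinges on the point in the accepted answer: the next hop of an "ip route vrf" static route must sit on an interface that is itself bound to the VRF with "ip vrf forwarding", otherwise the VRF can never resolve its MAC, and EIGRP "network" statements under an "address-family ipv4 vrf" only take effect on interfaces in that VRF. The following is an added example, not code from the thread or from Cisco: a small Python audit that parses an IOS-style configuration and reports both mistakes. The embedded configuration is constructed; VLAN 100, the VRF name NetPro and 192.168.50.50 come from the thread, while Vlan200/Vlan201, the 10.1.x.x addresses, AS 100 and the RD are assumptions, and Vlan201 is deliberately left without "ip vrf forwarding NetPro" so the audit has something to find.

```python
import ipaddress
import re

# Constructed sample IOS config (an assumption, not from the thread). VLAN 100, VRF
# NetPro and 192.168.50.50 come from the thread; everything else is made up.
# Vlan201 is deliberately missing "ip vrf forwarding NetPro".
SAMPLE_CONFIG = """\
ip vrf NetPro
 rd 65000:100
!
interface Vlan100
 description MSFC SVI on the FWSM segment (FWSM is 192.168.50.50)
 ip vrf forwarding NetPro
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan200
 description link to 4506-A
 ip vrf forwarding NetPro
 ip address 10.1.200.1 255.255.255.0
!
interface Vlan201
 description link to 4506-B
 ip address 10.1.201.1 255.255.255.0
!
router eigrp 100
 address-family ipv4 vrf NetPro
  network 10.1.200.0 0.0.0.255
  network 10.1.201.0 0.0.0.255
  redistribute static
  autonomous-system 100
 exit-address-family
!
ip route vrf NetPro 0.0.0.0 0.0.0.0 192.168.50.50
ip route vrf NetPro 10.9.9.0 255.255.255.0 10.1.201.2
"""

IFACE_RE = re.compile(r"^interface\s+(\S+)")
VRF_RE = re.compile(r"^\s+(?:ip\s+)?vrf\s+forwarding\s+(\S+)")  # old and new IOS syntax
ADDR_RE = re.compile(r"^\s+ip\s+address\s+(\S+)\s+(\S+)$")
ROUTE_RE = re.compile(r"^ip\s+route\s+vrf\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)")
AF_RE = re.compile(r"^\s+address-family\s+ipv4\s+vrf\s+(\S+)")
NET_RE = re.compile(r"^\s+network\s+(\S+)\s+(\S+)")


def parse_config(text):
    """Return (interfaces, static_routes, af_networks) from IOS-style config text."""
    interfaces = {}  # name -> {"vrf": str, "addr": IPv4Interface or None}
    routes = []      # (vrf, IPv4Network, next-hop IPv4Address); IP next hops only
    af_nets = []     # (vrf, IPv4Network) from EIGRP address-family network lines
    cur_if = cur_af = None
    for line in text.splitlines():
        if not line.startswith(" "):  # any top-level line closes the open block
            cur_if = cur_af = None
        m = IFACE_RE.match(line)
        if m:
            cur_if = m.group(1)
            interfaces[cur_if] = {"vrf": "global", "addr": None}
            continue
        m = ROUTE_RE.match(line)
        if m:
            vrf, prefix, mask, nh = m.groups()
            routes.append((vrf, ipaddress.IPv4Network(f"{prefix}/{mask}", strict=False),
                           ipaddress.IPv4Address(nh)))
            continue
        m = AF_RE.match(line)
        if m:
            cur_af = m.group(1)
            continue
        if cur_if:
            m = VRF_RE.match(line)
            if m:
                interfaces[cur_if]["vrf"] = m.group(1)
                continue
            m = ADDR_RE.match(line)
            if m:
                interfaces[cur_if]["addr"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif cur_af:
            m = NET_RE.match(line)
            if m:
                net, wildcard = m.groups()
                # EIGRP network statements carry a wildcard mask; invert it into a netmask
                netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
                af_nets.append((cur_af, ipaddress.IPv4Network(f"{net}/{netmask}", strict=False)))
    return interfaces, routes, af_nets


def audit(text):
    """Return findings; empty when every VRF next hop and EIGRP network is on an interface in its VRF."""
    interfaces, routes, af_nets = parse_config(text)
    findings = []
    for vrf, prefix, nh in routes:
        if any(i["addr"] and nh in i["addr"].network and i["vrf"] == vrf for i in interfaces.values()):
            continue
        elsewhere = [f"{n} (VRF {i['vrf']})" for n, i in interfaces.items()
                     if i["addr"] and nh in i["addr"].network]
        hint = f"; the subnet is on {', '.join(elsewhere)}" if elsewhere else ""
        findings.append(f"static route vrf {vrf} {prefix} via {nh}: next hop is not on any "
                        f"interface bound to VRF {vrf}, so its MAC can never be resolved{hint}")
    for vrf, net in af_nets:
        if not any(i["addr"] and i["addr"].ip in net and i["vrf"] == vrf for i in interfaces.values()):
            findings.append(f"eigrp address-family vrf {vrf} network {net}: matches no interface "
                            f"bound to VRF {vrf}, so EIGRP will not run there")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports two findings, both caused by the missing "ip vrf forwarding NetPro" on Vlan201: the 10.9.9.0/24 route's next hop 10.1.201.2 is unreachable inside NetPro, and the "network 10.1.201.0" statement under the NetPro address-family activates nothing. Adding the one missing line to Vlan201 makes the audit come back clean, which is exactly the fix the accepted answer gives for the FWSM-facing SVI.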

hi,

I am so glad that you've built up your thoughts and design.

If the further issues are related to this topology, please do continue using this thread to have a nice history of all what we've discussed.

BR, wish you luck,

Mohammed Mahmoud.

Do you think it is better to use LDP instead of TDP (the default) for labeling in a university campus enterprise MPLS network?
