VRF Implementation on Catalyst 6509

Jan 30th, 2009

Can you please share some document on the design & configuration of VRF on the Cisco 6509?

sameermunj Sun, 02/01/2009 - 23:31

Thanks.

I don't want to implement BGP MPLS VPN. The requirement is: from the access switches I am carrying different VLANs, and in the aggregation switches I want to restrict communication between these VLANs. Now, instead of using ACLs, someone suggested going with a different VRF for each VLAN and carrying these VRFs from aggregation to the core on a dot1q link. Can you please help me on the same?

Giuseppe Larosa Mon, 02/02/2009 - 00:56

Hello Sameer,

You are interested in VRF Lite, also known as Multi-VRF CE.

You need to configure the same set of VRFs on both the aggregation switch and the core switch.

The core switch needs to have defined all the VRFs in use in the aggregation switches.

Configuration of a VRF follows the template you can see in the document I've linked.

Inter-device forwarding doesn't use MPLS; it uses 802.1Q L2 trunks.

You need one VLAN for each VRF just to have inter-device communication.

Scalability is the issue in comparison with a real PE:

a PE with N VRFs can use N+1 interfaces (N access links + 1 MPLS backbone link)

a Multi-VRF CE with N VRFs needs 2*N interfaces (for each VRF one link towards the customer and one towards the SP PE)

The same is true for the routing relationships: on each VRF a different routing relationship exists with the PE (it can be eBGP in VRF, or an IGP such as OSPF or EIGRP in VRF), while a real PE has one/two BGP relationships with the RRs and this is enough for all defined VRFs.

Example configuration

In your case you need:

ip vrf test1
 rd 1000:1
 route-target both 1000:1
!
interface Vlan100
 description link to core in VRF test1
 ip vrf forwarding test1
 ip address 10.10.10.1 255.255.255.252
!
interface Vlan500
 description client vlan in VRF test1
 ip vrf forwarding test1
 ip address 10.100.200.1 255.255.255.0
!
router bgp 65100
 address-family ipv4 vrf test1
  neighbor 10.10.10.2 remote-as 65000
  neighbor 10.10.10.2 activate
  neighbor 10.10.10.2 send-community
  no synchronization
  no auto-summary
  redistribute connected

On the core switch:

ip vrf test1
 rd 1000:1000
!
interface Vlan100
 ip vrf forwarding test1
 ip address 10.10.10.2 255.255.255.252
!
router bgp 65000
 address-family ipv4 vrf test1
  neighbor 10.10.10.1 remote-as 65100
  neighbor 10.10.10.1 activate
  neighbor 10.10.10.1 send-community
  no synchronization
  no auto-summary
  redistribute connected

Note:

When you assign an L3 interface to a VRF you need to reassign the IP address to it.

(This is very important; the device should tell you this.)

I did the case using eBGP as the protocol between the Multi-VRF CE (aggregation switch) and the core.

I suggest you use private BGP AS numbers, range 64512-65535.

If you have multiple aggregation switches that share some VRFs, I suggest using different AS numbers on each aggregation switch so that inter-communication will be possible (a BGP router doesn't accept a route whose AS path contains its own AS number).

Hope to help

Giuseppe

sameermunj Mon, 02/02/2009 - 01:33

Hi

Thanks for your reply. I am putting in a few extra details.

I have an access switch connected to 2 aggregation switches, and each aggregation switch connected to 2 core switches. The core switches finally connect to a firewall, and the firewall to the WAN router.

Now the VLANs in the access switches should have path isolation. The proposed design says to use a separate VRF for each VLAN in aggregation, then use dot1q between aggregation and core. The firewall is also VRF aware.

My question is: what is the meaning of dot1q connectivity between aggregation and core?

Can you please explain the same with a sample scenario like

access vlan 10 == 192.168.10.0/24

access vlan 20 == 192.168.20.0/24

What is the sample config in the aggregation and core switches?

If you have any sample config document, please share it for better understanding.

Thanks

Sameer

Giuseppe Larosa Mon, 02/02/2009 - 11:17

Hello Sameer,

As you requested in another thread, network virtualization is the key term.

So see

http://www.cisco.com/en/US/netsol/ns815/networking_solutions_design_guidances_list.html

About your question:

Now the VLANs in the access switches should have path isolation. The proposed design says to use a separate VRF for each VLAN in aggregation, then use dot1q between aggregation and core. The firewall is also VRF aware.

My question is: what is the meaning of dot1q connectivity between aggregation and core?

As you have understood, with VRF Lite you need to provide a dedicated path for each VRF/client VLAN.

This path has to go from the access layer up to the VRF-aware firewall (a multi-context firewall like ASA or FWSM).

Not having a common forwarding infrastructure like the one provided by MPLS, there is no other choice possible.

If client VLANs are terminated at L3 in an aggregation/distribution switch acting as Multi-VRF CE, it needs a point-to-point link in the VRF with each of the core switches to propagate to the core and then to the firewall.

This path is provided with an L2 VLAN on each trunk.

So for N customers you need to use 2*N or 3*N VLANs at layer 2:

one is the customer VLAN

one goes on the uplink to core1

one goes on the uplink to core2

Each VRF has its own routing table and needs to be able to span to core/FW.

So in your case, if

access vlan 10 == 192.168.10.0/24

access vlan 20 == 192.168.20.0/24

are of two different customers, you need

to create two VRFs

to create 4 VLANs (if you want to have point-to-point links to the core, or only one if you use a single common VLAN for each VRF)

to allocate IP subnets for the aggregation/core links.

I recommend using a dynamic routing protocol to be able to detect problems.

A possible configuration is the one I showed in my second post, but you need to do it two times, one for each customer.

The end result is that the two customer VLANs are isolated from each other and can even use overlapping IP addresses, as long as they don't need to talk together.

Hope to help

Giuseppe

sameermunj Mon, 02/02/2009 - 20:40

to create two VRFs

to create 4 VLANs (if you want to have point-to-point links to the core, or only one if you use a single common VLAN for each VRF)

to allocate IP subnets for the aggregation/core subnets

Didn't understand this..

So I have a layer 3 aggregation and I will create a layer 3 interface on aggregation for the particular VLAN, say 192.168.10.1/24 = vlan 10 and 192.168.20.1/23 == vlan 20...

Now between my aggregation and core there will be a single physical link, so do you mean I will create a subinterface on this link with again vlan 10 & 20? If yes, will these VLANs be in L2 mode or L3 mode?

Will the subnet between aggregation and core be the same as 192.168.10.0/24 / 20.0/24, or will it be different?

Giuseppe Larosa Tue, 02/03/2009 - 00:54

Hello Sameer,

You need to add subnets and VLANs to the original setup.

Example:

Client1: 192.168.10.1/24 on aggregation switch vlan 10.

We need to reach the core, so the link between aggregation and core becomes an L2 trunk carrying multiple VLANs (all the ones we need).

ip vrf client1
 rd 1000:10
!
interface Vlan10
 ip vrf forwarding client1
 ip address 192.168.10.1 255.255.255.0

Now you have isolated client1: from other interfaces in the global routing table you cannot ping hosts in vlan 10.

interface GigabitEthernet2/1
 description trunk to core1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,610

Vlan 610 is a dedicated link in the VRF that allows users of the client1 VRF to reach FW services and the outer world.

vlan 610
 name aggreg-to-core-vrf-client1
!
interface Vlan610
 description aggreg-to-core-vrf-client1
 ip vrf forwarding client1
 ip address 10.61.0.1 255.255.255.0

The core side has a similar config:

ip vrf client1
 rd 1000:610
!
interface GigabitEthernet3/1
 description link to aggregation1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,610
!
interface Vlan610
 ip vrf forwarding client1
 ip address 10.61.0.2 255.255.255.0

If we stop here, core1 can ping aggreg1 in VRF client1 but doesn't know of net 192.168.10.0/24 that is behind aggreg1:

ping vrf client1 10.61.0.1

This should work, but

ping vrf client1 192.168.10.1

cannot work on the core.

Here comes the BGP configuration in address-family ipv4 vrf client1; for this see the previous posts.

It uses Vlan610 to make core1 and aggreg1 communicate all IP networks in VRF client1 (this is a separate routing table on its own).

Vlan 610 goes via the L2 trunk between aggregation and core.

To complete the chain, core1 will have another L2 trunk to the VRF-aware FW.

Let's suppose it is an external box, but it can be a FWSM blade on a C6500.

Core1#

vlan 710
 name fw-to-core-vrf-client1
!
interface GigabitEthernet5/1
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1,710
!
interface Vlan710
 ip vrf forwarding client1
 ip address 10.71.0.1 255.255.255.252
!
! a default static route to the FW (outgoing interface first, then the next hop)
ip route vrf client1 0.0.0.0 0.0.0.0 Vlan710 10.71.0.2

In this way a completely isolated path from client vlan 10 to FW vlan 710 is built.

The FW will have rules to decide who can access client vlan 10 from the outside world.

A second customer in vlan 20 will have its own isolated path to the FW, and so on.

I hope now it is clearer.

Hope to help

Giuseppe
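As an added example (not part of the thread, and not Cisco tooling): a small Python audit that reads the kind of aggregation and core configuration shown above and cross-checks the per-VRF path the way a reviewer would before trusting the isolation. It flags a VRF the core does not define, an SVI moved into a VRF whose address was never re-entered (the note earlier in the thread), a transit VLAN whose two ends sit in different VRFs (which would bridge two customers at L2), a subnet mismatch on the transit VLAN, and a VRF VLAN that is not allowed on the trunk. The three configs embedded in the block are constructed from the thread's example (the broken core is invented to show the findings); the parser only understands the handful of commands used there.

```python
import ipaddress
import re

# Constructed IOS-style configs modelled on the thread's example (VRF client1,
# client vlan 10, transit vlan 610 over a dot1q trunk); not real device output.
AGGREG_OK = """\
ip vrf client1
interface Vlan10
 ip vrf forwarding client1
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet2/1
 switchport mode trunk
 switchport trunk allowed vlan 1,610
interface Vlan610
 ip vrf forwarding client1
 ip address 10.61.0.1 255.255.255.0
"""

CORE_OK = """\
ip vrf client1
interface GigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1,610
interface Vlan610
 ip vrf forwarding client1
 ip address 10.61.0.2 255.255.255.0
"""

# Constructed broken core: Vlan610 lost its address when moved into the VRF
# (IOS clears it) and nobody re-entered it; the trunk also no longer allows 610.
CORE_BAD = """\
ip vrf client1
interface GigabitEthernet3/1
 switchport mode trunk
 switchport trunk allowed vlan 1
interface Vlan610
 ip vrf forwarding client1
"""


def expand_vlans(spec):
    """Expand an allowed-vlan list such as '1,10-12,610' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out


def parse(config):
    """Return (vrf names, {vlan: svi info}, vlans allowed on physical trunks)."""
    vrfs, svis, trunk_vlans = set(), {}, set()
    cur = None                               # interface block being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):          # a top-level command ends any block
            cur = None
            m_vrf = re.fullmatch(r"ip vrf (\S+)", line)
            m_svi = re.fullmatch(r"interface Vlan(\d+)", line)
            if m_vrf:
                vrfs.add(m_vrf.group(1))
            elif m_svi:
                cur = {"vrf": "global", "ip": None, "svi": True}
                svis[int(m_svi.group(1))] = cur
            elif line.startswith("interface "):
                cur = {"vrf": None, "ip": None, "svi": False}
            continue
        if cur is None:
            continue
        m_fwd = re.fullmatch(r"ip vrf forwarding (\S+)", line)
        m_ip = re.fullmatch(r"ip address (\S+) (\S+)", line)
        m_trunk = re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line)
        if m_fwd:
            cur["vrf"] = m_fwd.group(1)
            cur["ip"] = None                 # mirrors IOS: entering a VRF drops the address
        elif m_ip:
            cur["ip"] = ipaddress.ip_interface(f"{m_ip.group(1)}/{m_ip.group(2)}")
        elif m_trunk and not cur["svi"]:
            trunk_vlans |= expand_vlans(m_trunk.group(1))
    return vrfs, svis, trunk_vlans


def audit(aggreg_cfg, core_cfg):
    """Cross-check one aggregation/core pair; returns a list of findings."""
    a_vrfs, a_svis, a_trunk = parse(aggreg_cfg)
    c_vrfs, c_svis, c_trunk = parse(core_cfg)
    findings = [f"VRF {v} is defined on aggregation but not on core" for v in sorted(a_vrfs - c_vrfs)]
    for side, svis in (("aggregation", a_svis), ("core", c_svis)):
        for vlan, svi in sorted(svis.items()):
            if svi["vrf"] != "global" and svi["ip"] is None:
                findings.append(f"{side}: Vlan{vlan} is in VRF {svi['vrf']} but has no ip address")
    for vlan in sorted(set(a_svis) & set(c_svis)):   # transit vlans seen on both ends
        a, c = a_svis[vlan], c_svis[vlan]
        if a["vrf"] != c["vrf"]:
            findings.append(f"Vlan{vlan} is in VRF {a['vrf']} on aggregation but {c['vrf']} on core (bridges two VRFs)")
        if a["ip"] is not None and c["ip"] is not None and a["ip"].network != c["ip"].network:
            findings.append(f"Vlan{vlan}: subnet mismatch {a['ip'].network} vs {c['ip'].network}")
        if vlan not in a_trunk or vlan not in c_trunk:
            findings.append(f"Vlan{vlan} is not allowed on the trunk on both sides")
    return findings
```

Calling audit(AGGREG_OK, CORE_OK) returns an empty list, while audit(AGGREG_OK, CORE_BAD) returns two findings: the missing address on the core's Vlan610 and the transit VLAN missing from the core trunk. In practice the two inputs would be the running-config of each switch; the same cross-check can be run for every aggregation/core pair and for the core/firewall trunk.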

sameermunj Tue, 02/03/2009 - 02:15

Hello

Thanks for these details. I have understood it better now.

I have mapped the same to my actual setup and need your confirmation on the same, and corrections if any.

The attachment has all the details.

Giuseppe Larosa Tue, 02/03/2009 - 04:42

Hello Sameer,

Your setup looks good.

An alternative could be that of using a single VLAN between core1,2 and aggregation 1,2.

I recommend using a dynamic routing protocol over the links; eBGP is only an option, you can use OSPF or EIGRP in VRF if you like.

Hope to help

Giuseppe

sameermunj Tue, 02/03/2009 - 20:50

Hi

I have done some changes in the setup, with a complete L3 link between aggregation and core, to avoid HSRP in the core and to make all links active at the same time.

With this I can create dot1q subinterfaces on the links between aggregation and core for individual customers.

So for carrying vlan 10 for customer 1 to the WAN firewall and the Internet firewall I will require a total of 8 dot1q interfaces.

The schematic has all the details.

Please check if anything is missing, or else I can map the same for the other VLANs also.

Giuseppe Larosa Tue, 02/03/2009 - 23:36

Hello Sameer,

Your design is fine.

However, using point-to-point VLANs in this way requires 8 additional VLANs for each customer/VRF.

This means you can accommodate 400 customers with the 802.1Q VLAN range 1-4094.

VLANs between core nodes and aggregation can be shared if you use a dynamic routing protocol like eBGP.

To be able to create a shared VLAN between core1,2 and aggreg1,2 you may want to provide also an L2 trunk between core1 and core2.

Hope to help

Giuseppe

sameermunj Tue, 02/03/2009 - 23:47

Hi

I am also finding it difficult to have 8 more VLANs between agg-core and core-f/w, but how can I use a single VLAN among them? What IP addressing will I use here, and how will the routing decision be taken among multiple links?

I have a link between the 2 aggregation switches and also between the 2 core switches. Will all the customer VRFs be passed over this link?

Assigning 8 more VLANs for 1 customer I am finding difficult, so is there any way I can use a single VLAN for 1 customer, looking at my setup?

If yes, how will the routing decisions be done over L2 links?

What should be the ideal configuration for the link between the 2 aggregation switches or the 2 core switches? Will it be an L2 link carrying all customer VRFs, an L3 link carrying all customer VRFs, or any other configuration?

In the current setup where you said it will work for 400 customers max, how will the routing be decided? If I use OSPF as the routing protocol, will I need to create a separate OSPF instance per VRF, or is there any other alternative topology?

Giuseppe Larosa Wed, 02/04/2009 - 00:55

Hello Sameer,

If you deploy OSPF on the VRFs you can use two VLANs for each customer:

one VLAN that spans over core1,2 and aggreg1,2;

one VLAN between core1,2 and the firewalls / Internet routers.

You need to provide an L2 path using trunk ports.

You can use an H schema for the connections:

core1 ----- core2
  |           |
aggreg1 --- aggreg2

STP will build a loop-free topology.

The same you can do on the border VLAN:

core1 ----- core2
  |           |
 FW ----- Inter.Router

Addressing needs to provide 4 addresses, so use a /29, which allows 6 hosts.

OSPF will require an instance for each VRF, but a recent feature has removed the old limit of 25 instances, so you should be fine.

OSPF works well in a LAN environment and you don't need to use point-to-point links.

Hope to help

Giuseppe

sameermunj Wed, 02/04/2009 - 01:14

Hi

Have you considered the cross links between aggregation and core, or only the vertical links between aggregation and core???

So for each customer I will have a total of 3 VLANs: 1 (server VLAN) + 2 (agg-core & core-firewall). But with this I am not making optimal use of my links (say I have a total of 4 links between agg-core and I will use only 1 at a time)?

One more doubt is whether the link between the 2 aggregation switches will be an L2 link or an L3 link. Will it carry all the VRFs for all customers? Will that link take part in routing decisions?

Giuseppe Larosa Wed, 02/04/2009 - 01:54

Hello Sameer,

>> So for each customer I will have a total of 3 VLANs: 1 (server VLAN) + 2 (agg-core & core-firewall). But with this I am not making optimal use of my links (say I have a total of 4 links between agg-core and I will use only 1 at a time)?

OSPF supports multiple parallel links naturally. STP will block only one link to break the loop in each VLAN.

All proposed links are L2 trunks.

Of course you can choose to skip the horizontal link and to have two uplinks on each aggreg to core.

However, at L3 you can use a single subnet for agg-core and one for core-firewall.

Consider that when you need to add a new customer you just need to create two new VLANs, a VRF, the required SVIs, and add the VLAN on the L2 trunks with

switchport trunk allowed vlan add Y

So it looks complex, but later it provides benefits.

Hope to help

Giuseppe

sameermunj Wed, 02/04/2009 - 03:37

Hello

I can't remove any of the links from the attached schematic as it's the customer's requirement, so considering all the vertical and cross links, will it be possible to use a single VLAN between core-WAN firewall / core-Internet firewall / core-aggregation 1 / core-aggregation 2, or else do I have to go with 1 + 8 new VLANs??

In this case I need to run OSPF per VRF, as putting & managing static routes in all boxes would be tough.

The link between the 2 core switches will be an L3 link (/30) and will carry all customer VRFs, right???

Giuseppe Larosa Wed, 02/04/2009 - 05:39

Hello Sameer,

All links have to be L2 trunks carrying one VLAN for each VRF to build the necessary per-VRF topology; unless you move to MPLS forwarding, this should be clear now.

How you want to map VLANs onto physical links is your choice: you can have a full mesh, a square schema or other; interface tracking gives you a chance to condition the HSRP active role on the client VLANs.

I strongly recommend using a routing protocol and not static routes on the aggreg-core and core-fw per-VRF VLANs.

Hope to help

Giuseppe
