01-30-2009 03:24 AM - edited 03-06-2019 03:46 AM
Can you please share some document on design & configuration of VRF on Cisco 6509?
01-30-2009 05:55 AM
Hello Sameer,
the following chapter from the 12.2SXH configuration guide provides details on MPLS and VRF configuration on C6500.
Hope to help
Giuseppe
02-01-2009 11:31 PM
Thanks.
I don't want to implement BGP MPLS VPN. The requirement is: from the access switches I am carrying different VLANs, and in the aggregation switches I want to restrict communication between these VLANs. Now, instead of using ACLs, someone suggested going with a different VRF for each VLAN and carrying these VRFs to the core from aggregation on a dot1q link. Can you please help me on the same?
02-02-2009 12:56 AM
Hello Sameer,
you are interested in VRF lite, also known as Multi-VRF CE.
You need to configure on both the aggregation switches and the core switch the same set of VRFs.
The core switch needs to have defined all the VRFs in use in the aggregation switches.
Configuration of a VRF follows the template you can see in the document I've linked.
Inter-device forwarding doesn't use MPLS but it uses 802.1Q L2 trunks.
You need one vlan for each VRF just to have inter-device communication.
Scalability is the issue in comparison with a real PE:
a PE with N VRFs can use N+1 interfaces (N access links + 1 MPLS backbone link)
a multi-VRF CE with N VRFs needs 2*N interfaces (for each VRF one link towards the customer and one towards the SP PE)
The same is true for the routing relationships: on each VRF a different routing relationship exists with the PE (it can be eBGP in VRF or IGP OSPF or EIGRP in VRF) while a real PE has one/two BGP relationships with the RRs and this is enough for all defined VRFs.
Example configuration
In your case you need
ip vrf test1
rd 1000:1
route-target both 1000:1
int vlan 100
desc link to core in VRF test1
ip vrf forwarding test1
ip address 10.10.10.1 255.255.255.252
!
int vlan 500
ip vrf forwarding test1
desc client vlan in VRF test1
ip address 10.100.200.1 255.255.255.0
router bgp 65100
address-family ipv4 vrf test1
neighbor 10.10.10.2 remote-as 65000
neigh 10.10.10.2 activate
neigh 10.10.10.2 send-community
no sync
no auto-summary
redistribute connected
On the core switch:
ip vrf test1
rd 1000:1000
int vlan 100
ip vrf forwarding test1
ip address 10.10.10.2 255.255.255.252
router bgp 65000
address-family ipv4 vrf test1
neigh 10.10.10.1 remote-as 65100
neigh 10.10.10.1 activate
neigh 10.10.10.1 send-com
no sync
no auto-sum
red conn
Note:
when you assign an L3 interface to a VRF you need to reassign the IP address to it.
(This is very important; the device should tell you this.)
I did the case using eBGP as the protocol between the multi-VRF CE (aggregation switch) and the core.
I suggest you use private BGP AS numbers
range 64512-65535.
If you have multiple aggregation switches that share some VRFs I suggest using different AS numbers on each aggregation switch so that inter-communication will be possible
(a BGP router doesn't accept a route with a BGP path that contains its own AS number).
Hope to help
Giuseppe
02-02-2009 01:33 AM
Hi
Thanks for your reply. I am putting a few extra details.
I have an access switch connected to 2 aggregation switches and each aggregation switch connected to 2 core switches. The core switches finally connect to a firewall and the firewall to the WAN router.
Now the VLANs in the access switches should have path isolation. The proposed design says use a separate VRF for each VLAN in aggregation, then use dot1q between aggregation and core. The firewall is also VRF aware.
My question is: what is the meaning of dot1q connectivity between aggregation and core?
Can you please explain the same to me with a sample scenario like
access vlan 10==192.168.10.0/24
access vlan 20==192.168.20.0/24
What is the sample config in the aggregation and core switches?
If you have any sample config document please share it for better understanding.
Thanks
Sameer
02-02-2009 11:17 AM
Hello Sameer,
as you requested in another thread, network virtualization is the key term.
So see
http://www.cisco.com/en/US/netsol/ns815/networking_solutions_design_guidances_list.html
About your question:
Now the VLANs in the access switches should have path isolation. The proposed design says use a separate VRF for each VLAN in aggregation, then use dot1q between aggregation and core. The firewall is also VRF aware.
My question is: what is the meaning of dot1q connectivity between aggregation and core?
As you have understood, with VRF lite you need to provide a dedicated path for each VRF/client vlan.
This path has to go from the access layer up to the VRF-aware firewall (a multi-context firewall like ASA or FWSM).
Not having a common forwarding infrastructure like the one provided by MPLS, there is no other choice possible.
If client vlans are terminated at L3 in an aggregation/distribution switch acting as Multi-VRF CE, it needs a point-to-point link in VRF with each of the core switches to propagate to the core and then to the firewall.
This path is provided with an L2 vlan on each trunk.
So for N customers you need to use 2*N or 3*N vlans at layer 2:
one is the customer vlan
one goes on the uplink to core1
one goes on the uplink to core2
Each VRF has its own routing table and needs to be able to span to core/FW.
So in your case if
access vlan 10==192.168.10.0/24
access vlan 20==192.168.20.0/24
are of two different customers you need
to create two VRFs
to create 4 vlans (if you want to have point-to-point links to the core, or only one if you use a single common vlan for each VRF).
to allocate IP subnets for the aggregation/core subnets.
I recommend using a dynamic routing protocol to be able to detect problems.
A possible configuration is the one I showed in my second post, but you need to do it two times, one for each customer.
The end result of this is that the two customer vlans are isolated from each other and can even use overlapping IP addresses as long as they don't need to talk together.
Hope to help
Giuseppe
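The isolation Giuseppe describes (each VRF is its own routing table, so two customers may even reuse the same prefix) can be modelled in a few lines. The following is an added example, not code from the thread or from Cisco: it builds per-VRF tables from the kind of connected and learned routes the aggregation switch would hold, does a longest-prefix lookup strictly inside one table, and shows that a global lookup for a VRF-owned address finds nothing. The VRF names, VLAN numbers and the 192.168.10.0/24 overlap in client2 are constructed for the example.

```python
"""Per-VRF routing-table model showing VRF-lite path isolation (constructed example)."""
from ipaddress import ip_address, ip_network


class VrfRouter:
    """A device holding a global table plus one independent table per VRF."""

    def __init__(self):
        # vrf name -> list of (network, next_hop, outgoing interface)
        self.tables = {"global": []}

    def add_vrf(self, name):
        self.tables.setdefault(name, [])

    def add_route(self, vrf, prefix, next_hop, interface):
        self.tables[vrf].append((ip_network(prefix), next_hop, interface))

    def lookup(self, vrf, dst):
        """Longest-prefix match inside ONE table; there is no fallback to global.

        Returns (next_hop, interface) or None when the table has no matching route,
        which is the 'cannot ping from the global table' behaviour from the thread.
        """
        dst = ip_address(dst)
        best = None
        for net, nh, ifc in self.tables.get(vrf, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        return None if best is None else (best[1], best[2])


def build_aggregation_switch():
    """Routes an aggregation switch (Multi-VRF CE) would hold for two customers.

    Assumed layout: vlan 10/610 for client1, vlan 20/620 for client2 (constructed).
    """
    r = VrfRouter()
    r.add_vrf("client1")
    r.add_vrf("client2")
    # connected routes created by 'ip vrf forwarding' + 'ip address' on the SVIs
    r.add_route("client1", "192.168.10.0/24", "connected", "Vlan10")
    r.add_route("client1", "10.61.0.0/30", "connected", "Vlan610")
    r.add_route("client2", "192.168.20.0/24", "connected", "Vlan20")
    r.add_route("client2", "10.62.0.0/30", "connected", "Vlan620")
    # client2 also uses 192.168.10.0/24 somewhere behind the core: overlapping
    # with client1 is harmless because the tables never mix (learned via BGP in VRF)
    r.add_route("client2", "192.168.10.0/24", "10.62.0.2", "Vlan620")
    # defaults learned from the core, which points at the VRF-aware firewall
    r.add_route("client1", "0.0.0.0/0", "10.61.0.2", "Vlan610")
    r.add_route("client2", "0.0.0.0/0", "10.62.0.2", "Vlan620")
    # the global table only knows a management network
    r.add_route("global", "10.0.0.0/8", "connected", "Vlan1")
    return r


def demo():
    r = build_aggregation_switch()
    return {
        "client1->192.168.10.5": r.lookup("client1", "192.168.10.5"),
        "client2->192.168.10.5": r.lookup("client2", "192.168.10.5"),
        "global->192.168.10.5": r.lookup("global", "192.168.10.5"),
        "client1->192.168.20.5": r.lookup("client1", "192.168.20.5"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The last lookup is the point of the design: client1 has no route to client2's prefix, only its default towards the firewall, so the firewall's policy decides whether the two customers may ever talk.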
02-02-2009 08:40 PM
to create two VRFs
to create 4 vlans (if you want to have point-to-point links to the core, or only one if you use a single common vlan for each VRF).
to allocate IP subnets for the aggregation/core subnets
I didn't understand this..
So I have a layer 3 aggregation and I will create a layer 3 interface on aggregation for the particular VLAN, say 192.168.10.1/24=vlan 10 and 192.168.20.1/23==vlan 20...
Now between my aggregation and core there will be a single physical link, so do you mean I will create a subinterface on this link with again vlan 10 & 20? If yes, will these VLANs be in L2 mode or L3 mode?
Will the subnet between aggregation and core be the same as 192.168.10.0/24 //20.0/24 or will it be different..
02-03-2009 12:54 AM
Hello Sameer,
you need to add subnets and vlans to the original setup.
Example:
client1
192.168.10.1/24 on aggregation switch vlan 10.
We need to reach the core.
The link between aggregation and core becomes an L2 trunk to carry multiple vlans (all the ones we need).
ip vrf client1
rd 1000:10
int vlan 10
ip vrf forwarding client1
ip address 192.168.10.1 255.255.255.0
Now you have isolated client1: from other interfaces in the global routing table you cannot ping hosts in vlan 10.
int gi2/1
desc trunk to core1
switchport
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 1,610
Vlan 610 is a dedicated link in VRF to allow users of the client1 VRF to reach FW services and the outer world.
vlan 610
name aggreg-to-core-vrf-client1
int vlan 610
ip vrf forwarding client1
ip address 10.61.0.1 255.255.255.0
desc aggreg-to-core-vrf-client1
Also the core side has a similar config:
ip vrf client1
rd 1000:610
int gi3/1
desc link to aggregation1
switchport
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 1,610
int vlan 610
ip vrf forwarding client1
ip address 10.61.0.2 255.255.255.0
If we stop here core1 can ping aggreg1 on vrf client1 but doesn't know of net 192.168.10.0/24 that is behind aggreg1:
ping vrf client1 10.61.0.1
this should work, but
ping vrf client1 192.168.10.1
cannot work on the core.
Here comes the BGP configuration in address family ipv4 vrf client1; for this see previous posts.
It uses Vlan610 to make core1 and aggreg1 communicate all IP networks in VRF client1 (this is a separate routing table on its own).
Vlan 610 goes via the L2 trunk between aggregation and core.
To complete the chain core1 will have another L2 trunk to the VRF-aware FW.
Let's suppose it is an external box, but it can be a FWSM blade on a C6500.
Core1#
vlan 710
name fw-to-core-vrf-client1
int gi 5/1
switchport
switchport trunk enc dot1q
switchport mode trunk
switchport trunk allowed vlan 1,710
int vlan 710
ip vrf forwarding client1
ip address 10.71.0.1 255.255.255.252
! a default static route to FW (IOS syntax: outgoing interface, then next hop)
ip route vrf client1 0.0.0.0 0.0.0.0 Vlan710 10.71.0.2
In this way a completely isolated path from client vlan 10 to FW vlan 710 is built.
The FW will have rules to decide who can access client vlan 10 from the outside world.
A second customer in vlan 20 will have its own isolated path to the FW, and so on.
I hope now it is more clear.
Hope to help
Giuseppe
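Because the same chain (client vlan, aggregation-to-core vlan, core-to-firewall vlan, eBGP in the VRF address family) has to be repeated once per customer, it is worth generating it rather than typing it. The script below is an added example, not code from the thread or from Cisco: it allocates the two extra VLANs and a /30 per link for each customer, refuses VLAN collisions or out-of-range IDs, and renders IOS-style configuration for the aggregation and core switches following Giuseppe's posts. The numbering scheme (uplink vlan = 600 + client vlan, firewall vlan = 700 + client vlan, 10.61.0.0/16 and 10.71.0.0/16 pools, private AS numbers 65100/65000) is an assumption of the example.

```python
"""Generate per-customer VRF-lite configuration (constructed example, not a Cisco tool)."""
from dataclasses import dataclass
from ipaddress import ip_network

AGG_AS, CORE_AS = 65100, 65000                # assumed private AS numbers (64512-65535)
AGG_CORE_POOL = ip_network("10.61.0.0/16")    # assumed pool for aggregation-core links
CORE_FW_POOL = ip_network("10.71.0.0/16")     # assumed pool for core-firewall links
VLAN_MIN, VLAN_MAX = 1, 4094                  # 802.1Q usable range


@dataclass
class Customer:
    name: str            # doubles as the VRF name
    client_vlan: int     # server/access vlan terminated on the aggregation switch
    client_subnet: str   # e.g. "192.168.10.0/24"


def allocate(customers):
    """Assign one uplink vlan, one firewall vlan and a /30 per link to each customer.

    Raises ValueError on a vlan outside 1-4094 or one already used by another customer,
    which is the practical limit Giuseppe points at when counting vlans per customer.
    """
    uplink_nets = AGG_CORE_POOL.subnets(new_prefix=30)
    fw_nets = CORE_FW_POOL.subnets(new_prefix=30)
    used, plan = set(), []
    for c in customers:
        uplink_vlan, fw_vlan = 600 + c.client_vlan, 700 + c.client_vlan  # assumed scheme
        for v in (c.client_vlan, uplink_vlan, fw_vlan):
            if not VLAN_MIN <= v <= VLAN_MAX or v in used:
                raise ValueError(f"vlan {v} out of range or already used ({c.name})")
            used.add(v)
        plan.append({"customer": c, "uplink_vlan": uplink_vlan, "uplink_net": next(uplink_nets),
                     "fw_vlan": fw_vlan, "fw_net": next(fw_nets)})
    return plan


def render_aggregation(entry):
    """Aggregation switch (Multi-VRF CE) side: client SVI, uplink SVI, eBGP in the VRF."""
    c, net = entry["customer"], entry["uplink_net"]
    agg_ip, core_ip = list(net.hosts())                  # .1 on aggregation, .2 on core
    client_net = ip_network(c.client_subnet)
    client_ip = next(iter(client_net.hosts()))           # first host address for the SVI
    return "\n".join([
        f"ip vrf {c.name}", f" rd {AGG_AS}:{c.client_vlan}", "!",
        f"vlan {entry['uplink_vlan']}", f" name aggreg-to-core-vrf-{c.name}", "!",
        f"interface Vlan{c.client_vlan}", f" ip vrf forwarding {c.name}",
        f" ip address {client_ip} {client_net.netmask}", "!",
        f"interface Vlan{entry['uplink_vlan']}", f" ip vrf forwarding {c.name}",
        f" ip address {agg_ip} {net.netmask}", "!",
        f"router bgp {AGG_AS}", f" address-family ipv4 vrf {c.name}",
        f"  neighbor {core_ip} remote-as {CORE_AS}", f"  neighbor {core_ip} activate",
        "  redistribute connected", "  no auto-summary", "  no synchronization", "!",
    ])


def render_core(entry):
    """Core switch side: uplink SVI, firewall SVI, eBGP in the VRF, default towards the FW."""
    c, net, fwnet = entry["customer"], entry["uplink_net"], entry["fw_net"]
    agg_ip, core_ip = list(net.hosts())
    core_fw_ip, fw_ip = list(fwnet.hosts())              # .1 on core, .2 on the firewall
    return "\n".join([
        f"ip vrf {c.name}", f" rd {CORE_AS}:{c.client_vlan}", "!",
        f"vlan {entry['uplink_vlan']}", f"vlan {entry['fw_vlan']}", "!",
        f"interface Vlan{entry['uplink_vlan']}", f" ip vrf forwarding {c.name}",
        f" ip address {core_ip} {net.netmask}", "!",
        f"interface Vlan{entry['fw_vlan']}", f" ip vrf forwarding {c.name}",
        f" ip address {core_fw_ip} {fwnet.netmask}", "!",
        f"router bgp {CORE_AS}", f" address-family ipv4 vrf {c.name}",
        f"  neighbor {agg_ip} remote-as {AGG_AS}", f"  neighbor {agg_ip} activate",
        "  redistribute connected", "  redistribute static", "!",
        # interface first, then next hop: this is the IOS argument order
        f"ip route vrf {c.name} 0.0.0.0 0.0.0.0 Vlan{entry['fw_vlan']} {fw_ip}", "!",
    ])


def render_trunk(ifname, desc, vlans):
    """802.1Q trunk carrying only the per-VRF vlans (plus vlan 1) between two devices."""
    allowed = ",".join(str(v) for v in [1] + sorted(vlans))
    return "\n".join([f"interface {ifname}", f" description {desc}", " switchport",
                      " switchport trunk encapsulation dot1q", " switchport mode trunk",
                      f" switchport trunk allowed vlan {allowed}", "!"])


if __name__ == "__main__":
    custs = [Customer("client1", 10, "192.168.10.0/24"), Customer("client2", 20, "192.168.20.0/24")]
    plan = allocate(custs)
    print(render_trunk("GigabitEthernet2/1", "trunk to core1", [e["uplink_vlan"] for e in plan]))
    for e in plan:
        print(render_aggregation(e))
        print(render_core(e))
```

Running it for the two customers from the thread prints one trunk stanza and two aggregation/core pairs; adding a third customer whose client vlan collides with an allocated uplink or firewall vlan stops the run with a ValueError instead of silently producing a broken trunk.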
02-03-2009 02:15 AM
02-03-2009 04:42 AM
Hello Sameer,
your setup looks good.
An alternative could be that of using a single vlan between core1,2 and aggregation 1,2.
I recommend using a dynamic routing protocol over the links; eBGP is only an option, you can use OSPF or EIGRP in VRF if you like.
Hope to help
Giuseppe
02-03-2009 08:50 PM
Hi
I have done some changes in the setup, with a complete L3 link between aggregation and core to avoid HSRP in the core and to make all links active at the same time.
With this I can create dot1q subinterfaces on the links between aggregation and core for individual customers.
So for carrying vlan 10 for customer 1 to the WAN firewall and internet firewall I will require totally 8 dot1q interfaces.
The schematic has all the details.
Please check if anything is missing, or else I can map the same for other VLANs also.
02-03-2009 11:36 PM
Hello Sameer,
your design is fine.
However, using point-to-point vlans in this way requires 8 additional vlans for each customer/VRF.
This means you can accommodate 400 customers with the 802.1Q vlan range 1-4094.
Vlans between core nodes and aggregation can be shared if you use a dynamic routing protocol like eBGP.
To be able to create a shared vlan between core1,2 and aggreg1,2 you may want to provide also an L2 trunk between core1 and core2.
Hope to help
Giuseppe
02-03-2009 11:47 PM
Hi
I am also finding it difficult to have 8 more VLANs between Agg-core and core-f/w, but how can I use a single VLAN among them? What IP addressing will I use here, or how will the routing decision be taken among multiple links?
I have a link between the 2 aggregation switches and also between the 2 core switches. Will all the customer VRFs be passed over this link?
Assigning 8 more VLANs for 1 customer I am finding difficult, so is there any way I can use a single VLAN for 1 customer looking at my setup?
If yes, how will the routing decisions be done over L2 links?
What should be the ideal configuration for the link between the 2 aggregation switches or the 2 core switches? Will it be an L2 link carrying all customer VRFs, an L3 link carrying all customer VRFs, or any other configuration?
In the current setup where you said it will work for 400 customers max, how will the routing be decided? If I use OSPF as the routing protocol, will I need to create a separate OSPF instance per VRF, or is there any other alternative topology?
02-04-2009 12:55 AM
Hello Sameer,
if you deploy OSPF on the VRFs you can use two vlans for each customer:
one vlan that spans over core1,2 and aggreg1,2.
one vlan between core1,2 and the firewalls / internet routers.
You need to provide an L2 path using trunk ports.
You can use for connection an H schema:
core1 --- core2
|| ||
aggreg1----aggreg2
STP will build a loop-free topology.
The same you can do on the border vlan:
core1 --- core2
|| ||
FW----INter.Router
Addressing needs to provide 4 addresses, so use
a /29 that allows 6 hosts.
OSPF will require an instance for each VRF, but a recent feature has removed the old limit of 25 instances so you should be fine.
OSPF works well in a LAN environment and you don't need to use point-to-point links.
Hope to help
Giuseppe
02-04-2009 01:14 AM
Hi
Have you considered the cross links between aggregation and core, or only the vertical links between aggregation and core???
So for each customer I will have 3 VLANs in total: 1 (server VLAN) + 2 (agg-core & core-firewall), but with this I am not making optimal use of my links (say I have totally 4 links between Agg-core and I will use only 1 at a time)?
One more doubt: will the link between the 2 aggregation switches be an L2 link or an L3 link? Will it carry all the VRFs for all customers? Will that link take part in the routing decision?