cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1166
Views
13
Helpful
17
Replies

network virtualization-path isolation

sameermunj
Level 1
Level 1

Hello

i have 3 tire n/w architecture for the datacenter with access=distribution-core.In the aggegation i want to separate the diffrent vlan traffic with VRF for path isolation purpose.same i want to extend to core and then to wan firewall (firewall is vrf aware)..can you share the sample scenario/configuration for the same.

17 Replies 17

ltd
Level 1
Level 1

hi Sameer,

exactly how you go about doing this does depend on exactly what equipment you have that makes up the access/agg/core layers of your datacenter.

making the assumption here that your split between L2/L3 is in the aggregation layer, then you'd associated a VLAN to a VRF at that layer.

at the most basic level, a VLAN would probably have a 'switched virtual interface' (SVI) for the VLAN, e.g. "VLAN 100". you would put that SVI into a VRF, e.g.

interface vlan 100

ip address (whatever)

vrf member protected

assuming your connectivity from agg to core is L3, then you'd need to transport that VRF between agg/code.

you could either have a L3 portchannel (i.e. a portchannel with subinterfaces in different VRFs, e.g

interface PortChanell 2.100

vrf member protected

or just subinterfaces on a routed interface, e.g.

interface Ethernet 2/10.100

vrf member protected

then again the same on the core (towards agg), then again on 'core' towards your WAN/vrf-aware firewall

as far as how your firewall is connected in, likely that its ethernet attached, so there is a mapping of VRF to dot1Q tag.

Hope that makes sense to you. I'm sure there will be some material in Cisco's validated designs that cover this in more detail, but thats the basic aspects of how you can tie L2 VLAN to a VRF and L3 subinterface.

cheers.

hi

i understood the same and accordingly i have mapped my design.

canu pl check the same and let me know the corrections.

In your diagram you're not making a distinction between what is a switchport (L2) and what is a routed interface (L3).

If you can point out the interfaces northbound on the 'agg' switches (they won't be "VLAN" interfaces (aka SVIs) as those are L2), and both north & southbound interfaces on the 'core', I can probably give you an idea of what the configuration would look like.

Looks a bit odd as normally L2/L3 split would be on the Agg switches (but not always - no two networks are the same..) - but if you have HSRP configured on the 'core', that implies you have L2 all the way to the core.

Is that the case??

Hi

I am attaching the updated diagram here.

let me explain you the setup.

In the aggrgation layer i am doing L3 for the access vlan 10.I am also running HSRP between 2 aggregation switches so default gateway of my server is 192.168.10.3.(l2-l3 split at aggregation)

now link between aggrgation and core is L2 trunk to carry the multiple vlan.in my case vlan 610 between agg1&agg2-core1 or vlan 620 between agg1 & agg2 -core 2 etc..i will create interface vlan 610 /620 and assign ip.

In the core also i am running hsrp for all links considering the redundant links.

All those vlans defined in the schematic will be part of same VRF and those will be for end to end isolation for vlan 10 on way to internet & wan.

i am planning to run ospf over the links between aggrgation-core for routing purpose.

Hi,

Again, it would seem you are running L2 between Agg and Core (thereby necessitating running a FHRP like HSRP on the core), ALSO meaning that only one path from Agg to Core is active at any given time.

I'd say this is somewhat unusual, as your intent is to run Agg/Core in different VLANs to that of Agg/Access, so why not instead run Agg/Core as L3 links completely?

By way of example, see Figure 8-1 in http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCInfra_8.html#wp1137769 and note how the links between Core & Agg are using physical interfaces.

In your design, I'd suggest you do something similar - but augment it with using VRFs between Agg and Core - and transporting individual VRFs over subinterfaces.

In this manner, the 'link' is layer-3 - so you can use "all paths active" (equal cost multipathing), i.e. agg1-core1 + agg1-core2 + agg2-core1 + agg2-core2

on the 'wire' you are using dot1Q encapsulation to encapsulate a VRF (L3) into a dot1Q tag with subinterfaces.

e.g. on your Agg1 switch, assuming its Ethernet10/1 that connects to the Core, you would have something like:

interface Ethernet10/1

description link from Agg1 to Core1

no shutdown

!

interface Ethernet10/1.100

vrf member vrf100

ip address 100.1.1.1/24

encapsulation dot1Q 100

!

interface Ethernet10/1.200

vrf member vrf200

ip address 200.1.1.1/24

encapsulation dot1Q 200

!

Note: while dot1Q encap is used on these interfaces, it is important to note that its NOT a VLAN or L2 - the significance of the subinterface (on physical interface) is that its L3, and whatever VLAN tag is chosen is used purely on the wire.

I think that may be the concept that isn't clear to you here.

From a design perspective, Cisco has lots of designs and rationale behind them posted at www.cisco.com/go/srnd

The link above to a DC Infrastructure 2.5 is also a good one to have a read of.

cheers.

Hello

understood your point and accordingly i have done the changes in my ppt with complete L3 link between Aggregation -core removing HSRP in core and all active-active links.

so for carrying single vlan 10 for customer 1 to WAN & Internet side i need totally 8 dot1 q interafces .please confirm the same.if this design is ok then i can map the same for other customers.

I think we are on the verge of closing this discussion.

Attachment has all details mentioned.

what you have there should work fine - and of course, you'd have each L3 subinterface in the appropriate 'vrf' (and default-route pointing towards it, subnet for the hosts route pointing back towards the VLAN10 SVI).

but, i think it can be simplified a fair bit.

where you have different subinterface dot1q's used northbound of Agg you really don't need to. e.g. where you specify 610, 611, 612, 613, 614, 615, 616, 617, you don't need to. you could have ALL of those as the same number if you want.

the key is that those L3 interfaces are NOT switchports anymore - they are not L2. so the "dot1q encapsulation" used on a L3 link is only locally significant "on the wire". if you want, you could use the same number (as an example, lets make it 666), and use that across ALL of the L3 subinterfaces (VRFs) associated with the "to_firewall" traffic.

also, just to be sure: the connection between core1 and core2 would be L3 too - and ALSO transporting that VRF as a sub-interface.

so u mean i will put all those uplink ports in same vlan but what about the ip addressing..Am i not giving any ip address to these sub interfaces ???

u mean link between core1 & core 2 is routed link and will carry the subinterface for the customer vrf.will that subinterface will carry ip address ??

if i am not giving any ip to links from Aggregation to core1 & core2 how the routing decison will be taken among teh 4 links.(I have links from Aggregation 1 to core 1 & core 2 .also from aggregation 2 to core 1& core 2.if i keep all this links in same vlan as u say 666 how the routing decision will be taken about which link to use to forward traffic.wetaher on the L3 link between core1 & core 2 i am giving ip to customer subinterafce and running any ip routing over it.)

> so u mean i will put all those uplink

> ports in same vlan but what about the

> ip addressing..Am i not giving any ip

> address to these sub interfaces ???

you will NEED to give IP addresses to the subinterfaces on 'northbound' interfaces on Agg1 & Agg2 as well as both 'north' and 'south' (as well as 'east' and 'west') interfaces on both Core1 & Core2.

i guess that is key - these are NOT L2 (switchport) interfaces. they are L3. L3 == IP.

Once you are in "layer 3", its no longer VLANs.

> u mean link between core1 & core 2 is

> routed link and will carry the

> subinterface for the customer vrf.will

> that subinterface will carry ip address ??

Correct.

Taking your network diagram, this is what I mean. NOTE: I have deliberately simplified this, but you get the idea. I'll also only include the configuration of Agg1 and Core1, you can figure out Agg2/Core2 from this. I'll also leave out the HSRP/VRRP part, you can add that into Agg1/Agg2:

----

Agg1:

interface ethernet10/3

description agg1_to_access1

switchport mode trunk

switchport trunk allowed vlan 10

!

interface ethernet10/4

description agg1_to_access2

switchport mode trunk

switchport trunk allowed vlan 10

!

interfaces ethernet10/5

description agg1_to_agg2 portchannel member 1

channel-group 1 mode on

!

interfaces ethernet10/6

description agg1_to_agg2 portchannel member 2

channel-group 1 mode on

!

interface portchannel 1

description agg1_to_agg2 L2 portchannel

switchport mode trunk

switchport trunk allowed vlan 10

!

interface vlan 10

description SVI for VLAN 10

ip address 192.168.10.2/24

(vrrp/hsrp configuration here)

!

interface ethernet10/1

description L3 uplink to core 1

no switchport

!

interface ethernet10/1.666

description VRF to_firewall

vrf member to_firewall

ip address 10.61.0.1/30

encapsulation dot1Q 666

!

interface ethernet10/1.200

(some other VRF for internet traffic)

!

interface ethernet10/2

description L3 uplink to core 2

no switchport

!

interface ethernet10/2.666

description VRF to_firewall

vrf member to_firewall

ip address 10.61.0.5/30

encapsulation dot1Q 666

!

interface ethernet10/2.200

(some other VRF for internet traffic)

!

ip route 0.0.0.0/0 10.61.0.2 vrf to_firewall

ip route 0.0.0.0/0 10.61.0.6 vrf to_firewall

---

Core1:

interface ethernet10/1

description L3 to agg 1

no switchport

!

interface ethernet10/1.666

description VRF for firewall traffic

vrf member to_firewall

ip address 10.61.0.2/30

encapsulation dot1Q 666

!

interface ethernet10/1.200

(some other VRF for internet traffic)

!

interface ethernet10/2

description L3 to agg 2

no switchport

!

interface ethernet10/2.666

description VRF for firewall traffic

vrf member to_firewall

ip address 10.61.0.10/30

encapsulation dot1Q 666

!

interface ethernet10/2.200

(some other VRF for internet traffic)

!

interface ethernet10/3

no switchport

!

interface ethernet10/3.666

description L3 link to firewall

vrf member to_firewall

ip address 10.61.0.17/30

encapsulation dot1Q 666

!

ip route 0.0.0.0/0 10.61.0.18 vrf to_firewall

(need either static routes for access VLAN 10 subnet towards agg1/agg2 or routing protocol to advertise subnet from agg1/agg2 to core1/core2)

----

sameermunj
Level 1
Level 1

As you suggested if i go with subinterface without any ip how the routing decison will be taken among multiple links.from each aggragtion switch i have 1 link to each core so totally 4 links.how the routing decison will take place about which link to use for forwarding traffic from aggregation to core and vice versa.

*** Also no need to give encapsulation on the subinterface created ????

> As you suggested if i go with subinterface without any ip how the

> routing decison will be taken among multiple links.from each aggragtion

> switch i have 1 link to each core so totally 4 links.how the routing decison

> will take place about which link to use for forwarding traffic from aggregation

> to core and vice versa.

In the example I gave, the Agg switches have a static route for the to_firewall VRF pointing towards both core switches.

Both core switches have a static route in the to_firewall VRF pointing towards the firewall.

the only thing NOT shown is how you map VLAN 10 traffic into VRF to_firewall, see the VRF documentation for how to accomplish that. (there are multiple ways).

at the most basic level, you could put VLAN 10 into that VRF.

> *** Also no need to give encapsulation on the subinterface created ????

all subinterfaces i listed had encap configured. yes, you need to.

This is clear.

so instaed of taking different vlans as i had taken into my schematic u ahve taken single vlan 666 but used same ip addressing..

link between 2 aggregation switrches will carry the customer vlan because i am running hsrp between the switches which is clear

i will map vlan 1o traffic by putting vlan 10 into vrf to_firewall..

open questions are

1=when i plan to run ospf in core-aggregation i need separate ospf instance for each vrf==pl confirm

2=u have mentioned some diffrent vrf for internet traffic on ethernet 10/1 in aggregation switch.now same vlan 10 traffic will go either to wan or to internet and it will be separated at core switch as either to wan or default to internet.i am planning to put static route for the wan connectivity towards wan firewall and default route towards internet firewall for internet so if i create separte vrf for wan & internet then it would be difficullt for me to map vlan 10 with 2 diffrent vrf.(wan & internet)==pl confirm

3==what about the links between 2 core switches.would they also be a routed links and take another /30 and carry dot1q 666

> so instaed of taking different vlans as i had taken into my schematic u ahve

> taken single vlan 666 but used same ip addressing..

Pretty much - although lets be clear here - NONE of those L3 links are VLANs.

they make use of a 802.1q tag 'on the wire' to represent the VRF - but there is no "VLAN 666" in the system.

nor is the fact that dot1q tag 666 is used on one link have any meaning outside of that link.

i.e. that the same tag number (666) was re-used across multiple interfaces is immaterial - it could have used different numbers.

> 1=when i plan to run ospf in core-aggregation i need separate ospf

> instance for each vrf==pl confirm

It depends on what your routers/switches are. Some platforms can support multi-vrf in a single OSPF instance.

You'd need to look at the documentation for whatever products you are using.

> 2=u have mentioned some diffrent vrf for internet traffic on ethernet 10/1 in

> aggregation switch.now same vlan 10 traffic will go either to wan or to

> internet and it will be separated at core switch as either to wan or default

> to internet.i am planning to put static route for the wan connectivity

> towards wan firewall and default route towards internet firewall for internet so

> if i create separte vrf for wan & internet then it would be difficullt for

> me to map vlan 10 with 2 diffrent vrf.(wan & internet)==pl confirm

You can map VLAN 10 to one VRF or another. Or you could use Policy-Based-Routing to selectively 'route' some hosts in VLAN 10 to one vrf or another by using 'set vrf' in a PBR (again - assuming that is a capability offered by the router/switch you are using).

There are a few other options when it comes to VRFs. Suggest you look at the documentation related to import/export of routes within VRFs and what options are available there.

If you are looking for ALL traffic from your hosts to go via the 'inside' firewall interface and all traffic from the 'outside' firewall interface to go out to the internet/WAN, you said your firewall was VRF aware, you could just use static routes in each of the VRFs accordingly.

> 3==what about the links between 2 core switches.would they also be a routed

> links and take another /30 and carry dot1q 666

Ideally, yes. Core should always be L3.

Hello

i am using cat 6509 in aggregation as well as in core so hopefully it will support multi-vrf in single instance.if its the case still the routes of different vrf's remain separate or else they cans ee each other ??? ideally they should not

now only worry is separation of user vlan traffic (vlan 10) in core for wan towards wan firewall and for internet towards internet firewall.can i use something like this.i will use same vrf for wan firewall as well as internet firewall and i will map my user vlan with same vrf..

now when the traffic reach core,can i do something link PBR where if the destination is fixed (wan network) core will forward to wan firewall and if the destination is unknown (internet traffic) core will forward it to internet firewall.if this works problem will get resolved.

then i can use same dot1.q between core-wan firwall /core-internet firewall /core-aggragation for single vlan 10 and will run ospf as IGP..

pl confirm

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: