Route VRF Lite traffic through FWSM

Unanswered Question
Mar 21st, 2009

We have Configured VRF Lite with tunnel at Cat 6500.

We want to route VRF traffic through FWSM context.

How can we achieve it?

Giuseppe Larosa Sun, 03/22/2009 - 00:11

Hello Zubair,

you need a common broadcast domain:

an L2 Vlan, for example 711

msfc/sup side:

  vlan 711
   name vrf-test-to-fwsm-outside
  !
  interface Vlan711
   ip vrf forwarding test
   ip address 192.168.10.1 255.255.255.240
   no shutdown
  !
  ! default route of the VRF points at the FWSM context address on Vlan 711
  ! (IOS takes the outgoing interface before the next-hop address)
  ip route vrf test 0.0.0.0 0.0.0.0 Vlan711 192.168.10.4

FWSM:

you create a context for VRF-test

inside the context you create interface vlan 711

with the ip address 192.168.10.4 /28

you need then the static routes for return traffic to send it back.

Hope to help

Giuseppe
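
A worked version of the routed-context design described in the reply above, added here as an example and not taken from Giuseppe's post or from any Cisco document: VRF test leaves the MSFC only through Vlan 711, crosses a routed FWSM context, and re-enters the global routing table on Vlan 712. Everything not in the post is an assumption: VLAN 712 and its subnet 192.168.10.16/28, the VRF prefix 10.10.0.0/16, the DNS server 10.20.0.53, the FWSM slot number, the context name and config-url, and the access list.

```cisco
! ---- MSFC / Sup720 side (IOS) ----
! VRF-facing VLAN: the VRF's only exit is the FWSM "outside" interface
vlan 711
 name vrf-test-to-fwsm-outside
!
! assumed global-facing VLAN on the other side of the context
vlan 712
 name fwsm-inside-to-global
!
interface Vlan711
 ip vrf forwarding test
 ip address 192.168.10.1 255.255.255.240
 no shutdown
!
! assumed subnet, SVI lives in the global routing table
interface Vlan712
 ip address 192.168.10.17 255.255.255.240
 no shutdown
!
! VRF default route: everything leaves the VRF through the FWSM context
ip route vrf test 0.0.0.0 0.0.0.0 Vlan711 192.168.10.4
! global table: the assumed VRF prefix is reachable back through the FWSM only
ip route 10.10.0.0 255.255.0.0 Vlan712 192.168.10.20
!
! hand both VLANs to the FWSM (slot 3 is an assumption)
firewall vlan-group 1 711,712
firewall module 3 vlan-group 1

! ---- FWSM system context ----
context vrf-test
 allocate-interface vlan711
 allocate-interface vlan712
 config-url disk:/vrf-test.cfg

! ---- inside context vrf-test (routed mode) ----
hostname vrf-test
! VRF side is the untrusted side of this context
interface vlan711
 nameif outside
 security-level 0
 ip address 192.168.10.4 255.255.255.240
!
interface vlan712
 nameif inside
 security-level 100
 ip address 192.168.10.20 255.255.255.240
!
! return path: the VRF prefix sits behind "outside" (the MSFC SVI in VRF test)
route outside 10.10.0.0 255.255.0.0 192.168.10.1
! everything else goes to the global table via the MSFC SVI in Vlan 712
route inside 0.0.0.0 0.0.0.0 192.168.10.17
!
! low-to-high traffic needs an explicit permit: only DNS from the VRF to the
! assumed enterprise resolver, everything else dropped and logged
access-list vrf-to-global extended permit udp 10.10.0.0 255.255.0.0 host 10.20.0.53 eq domain
access-list vrf-to-global extended deny ip any any log
access-group vrf-to-global in interface outside
```

The two static routes are the part that is easy to forget: the VRF's default route and the global table's route back to the VRF prefix must both point through the context, otherwise the return traffic bypasses the firewall or is dropped. Replies from the global side to the VRF are allowed by the FWSM's connection state, so only the outbound policy needs an access list.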

Muhammad Zubair Sun, 03/22/2009 - 04:30

We configured VRF with a GRE tunnel with route leak. Does it work with the following config? Secondly, are you working with a transparent context?

  ip vrf DMZ
   rd 100:1
  !
  ! tunnel stays in the global routing table (no ip vrf forwarding)
  interface Tunnel0
   description DMZ
   ip address 192.168.10.1 255.255.255.252
   tunnel source GigabitEthernet3/40
   tunnel destination 172.25.29.2
  !
  ip route 192.168.10.0 255.255.255.252 Tunnel0
  ip route 10.128.4.128 255.255.255.240 Tunnel0 192.168.10.2
  ! route leak: VRF default route resolved in the global table
  ip route vrf DMZ 0.0.0.0 0.0.0.0 192.168.15.1 global
  ip route vrf DMZ 10.128.4.128 255.255.255.240 192.168.10.2

Giuseppe Larosa Sun, 03/22/2009 - 06:41

Hello Zubair,

in my previous example I was speaking of a routed FWSM context.

We are using also some transparent contexts for the following applications:

- controlled access from a VRF to global routing table enterprise-wide services (like DNS and others)

- to support multicast routing between GRT and VRF

- to make two different VRFs on the same C6500 build routing relationships by bridging two vlans using a transparent FWSM context (this is handy)

Coming back to your case I see you have a GRE point-to-point tunnel in GRT (I don't see ip vrf forwarding in the tunnel config), then I see you have static routes, some in GRT, some in VRF.

But it is still unclear to me where a transparent FWSM context (or routed) is involved.

Where is the destination of the GRE tunnel? Is it another C6500 box?

Since this is not a simple question, I would suggest you create a network diagram with some representation of the involved devices and of what you want to achieve, and attach the file to a post in this thread.

In this way you will be able to get better help.

Edit:

a transparent context can only have two interfaces (two SVIs) and can only bridge between them so it may be enough to configure correctly the two interfaces to achieve what you want.

Hope to help

Giuseppe
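
The third use described above (two VRFs on one C6500 exchanging traffic through a transparent context that bridges two VLANs) as a worked configuration. This is an added example, not taken from Giuseppe's post or from Cisco documentation: the VRF names A and B, VLANs 721 and 722, the shared subnet 192.168.20.0/28, the prefixes 10.10.0.0/16 and 10.20.0.0/16, the SVI MAC address, the FWSM slot, the context name and the access lists are all assumptions, as is an FWSM release that allows a transparent context next to routed ones.

```cisco
! ---- MSFC side (IOS): one SVI per VRF, both in the same /28 ----
vlan 721
 name vrf-A-to-transparent-ctx
vlan 722
 name vrf-B-to-transparent-ctx
!
interface Vlan721
 ip vrf forwarding A
 ip address 192.168.20.1 255.255.255.240
 no shutdown
!
! SVIs on one MSFC share a MAC by default; an assumed distinct MAC on one side
! lets the transparent context see two different hosts on its two interfaces
interface Vlan722
 ip vrf forwarding B
 mac-address 0000.0c12.0722
 ip address 192.168.20.2 255.255.255.240
 no shutdown
!
! each VRF routes the other VRF's prefix to the SVI on the far side of the bridge
ip route vrf A 10.20.0.0 255.255.0.0 Vlan721 192.168.20.2
ip route vrf B 10.10.0.0 255.255.0.0 Vlan722 192.168.20.1
!
firewall vlan-group 2 721,722
firewall module 3 vlan-group 2

! ---- FWSM system context ----
context vrf-a-to-vrf-b
 allocate-interface vlan721
 allocate-interface vlan722
 config-url disk:/vrf-a-to-vrf-b.cfg

! ---- inside context vrf-a-to-vrf-b: transparent, only two interfaces ----
firewall transparent
hostname vrf-a-to-vrf-b
interface vlan721
 nameif vrfA
 security-level 100
!
interface vlan722
 nameif vrfB
 security-level 0
!
! management address of the transparent context, taken from the bridged subnet
ip address 192.168.20.3 255.255.255.240
!
! policy in both directions: only HTTPS between the two assumed prefixes,
! everything else is logged and dropped (ARP is bridged without an ACL)
access-list a-to-b extended permit tcp 10.10.0.0 255.255.0.0 10.20.0.0 255.255.0.0 eq 443
access-list a-to-b extended deny ip any any log
access-group a-to-b in interface vrfA
access-list b-to-a extended permit tcp 10.20.0.0 255.255.0.0 10.10.0.0 255.255.0.0 eq 443
access-list b-to-a extended deny ip any any log
access-group b-to-a in interface vrfB
```

Because the context bridges rather than routes, neither VRF learns a new next hop: each one still points at an address in the shared /28 and the ARP exchange crosses the firewall. A static route per prefix is what Giuseppe calls "routing relationships" here; the security value is that the two VRFs stay separate tables and every packet between them is subject to the context's access lists and connection state.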

Muhammad Zubair Sun, 03/22/2009 - 22:38

If I put vrf forwarding in tunnel interface, then route leak will not work.

The destination of GRE tunnel is Cat3560 and currently it is working without FWSM.

I think you are proposing configuration below for routed context.

I have attached the DMZ diagram for reference.

[Core]

  ip vrf DMZ
   rd 100:1
  !
  interface Tunnel0
   description DMZ
   ip vrf forwarding DMZ
   ip address 192.168.10.1 255.255.255.252
   tunnel source GigabitEthernet3/40
   tunnel destination 172.25.29.2
  !
  ! VRF-side SVI towards the FWSM inside interface
  interface Vlan212
   ip vrf forwarding DMZ
   ip address 192.168.15.1 255.255.255.252
  !
  ! global-side SVI towards the FWSM outside interface
  interface Vlan312
   ip address 192.168.15.5 255.255.255.252
  !
  ip route 10.128.4.128 255.255.255.240 Vlan312 192.168.10.6
  ip route vrf DMZ 0.0.0.0 0.0.0.0 192.168.15.2 global
  ip route vrf DMZ 10.128.4.128 255.255.255.240 192.168.10.2
  ip route 192.168.10.0 255.255.255.252 Tunnel0

[FWSM]

  route outside 0.0.0.0 0.0.0.0 192.168.15.5
  route inside 10.128.4.128 255.255.255.240 192.168.15.1
  route inside 192.168.10.0 255.255.255.252 192.168.15.1

Attachment: 
Giuseppe Larosa Mon, 03/23/2009 - 12:17

Hello Zubair,

now that I see your network diagram I think that your idea is to extend the VRF over the GRE tunnel to another building keeping it segregated from the global routing table.

However, if this is your objective I think you should consider the following:

change all links of interest in L2 trunks: have one Vlan dedicated to Global routing table and one Vlan dedicated to VRF.

Unfortunately C3560 doesn't support multi-VRF CE feature but you can approximate it using different vlans for the DMZ and for the global routing table.

Actually also tunnel interfaces cannot be defined on the C3560

see "Unsupported Global Configuration Commands" (which lists "interface tunnel"):

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_50_se/configuration/guide/swuncli.html

Using GRE tunnels with multilayer switches is not recommended; only the C6500 with the powerful Sup720-3B can do it efficiently.

So your proposed solution can work only if there is a router behind/after the C3560 because you shouldn't be able to define a tunnel interface on it.

Hope to help

Giuseppe

Muhammad Zubair Mon, 03/23/2009 - 17:45

Dear quislar,

As I mentioned in my previous conversation, currently VRF is working in my scenario with 3560.

It is supported in IPSERVICES image.

We have the following config on the 3560:

  ip vrf DMZ
   rd 100:1
  !
  interface Tunnel0
   description DMZ
   ip vrf forwarding DMZ
   ip address 192.168.10.2 255.255.255.252
   tunnel source GigabitEthernet0/24
   tunnel destination 172.25.29.1
  !
  interface Vlan112
   ip vrf forwarding DMZ
   ip address 10.128.4.129 255.255.255.240
   ip helper-address 10.28.100.116
  !
  ip route vrf DMZ 0.0.0.0 0.0.0.0 192.168.10.1

The only issue I have is that I want to pass the VRF traffic coming from the routed interface through the FWSM.

Hopefully my scenario will be clear to you now.
