VRF Lite configuration

opers13
Level 1

I want to use VRF lite to route "guest" traffic out a separate internet link I have. I'm currently running OSPF. Now, do I have to configure separate VRF OSPF instances for every router and L3 switch?

11 Replies

Joseph W. Doherty
Hall of Fame

Depends how much of your guest subnet is L2 vs. L3.

Mohamed Sobair
Level 7

Hi,

Your description is not quite clear. Could you tell us more about your topology and what you are trying to achieve?

You could place customer traffic in a VRF using VRF-lite. Are you running OSPF with the customer?

As for Internet access, you could use normal static routing through the global routing table.

We need more information about your setup in order to give a better answer.

Mohamed

The goal is to route guest user traffic via VRF out the "Guest Internet link". Guest users will have their own VLAN.

I'm already running OSPF, all L3 links are configured with "ip ospf network point-to-point" command.

Perhaps it might assist your thinking if you consider VRF as a method to provide virtual L3 network since VLANs support only a virtual L2 network.

For your guest network, if the network were as small as this diagram (which I suspect it's not), you might only need a single L2 VLAN for your guest subnet. However, as the network grows to where L2 starts to have scalability issues, VRF allows you to route within it. This doesn't mean you have to route across every device; you could just route across a few.

For example, assume you didn't want one single guest L2 VLAN to run across all your devices in your network diagram. You could define two guest-only subnets on your 6500 cores, one facing (and running across) the 7600s, the other facing (and running across) the 3750s. Once you provide the VLANs, you need to route between them, but to keep them L3 isolated from the existing L3 routing domain, you could define VRF just on the 6500s to divide the routing domains.

Joseph,

This will require separate links, correct?

Also, I can move the "guest internet link" down one layer to the CORE if that would make things easier.

I wish the 3750s were GRE capable...

"This will require separate links, correct?"

No.

"Also, I can move the "guest internet link" down one layer to the CORE if that would make things easier. "

???

"I wish the 3750s were GRE capable..."

If in reference to VRF, why?

PS:

On the campus, you can use VLANs to support VRF(-lite).

Joseph, I just sent you an email.

Yes I received it, regarding the "easiest way".

Well, since you have a separate Internet interface, and your network diagram shows switches, and if your topology is small enough, you could extend a single "guest" VLAN across your topology, making the gateway for this subnet the Internet. If the guest VLAN is not addressed on your L3 switches, traffic shouldn't be able to flow between the "guest" VLAN and your other production networks. The problem arises, though, if you feel it's undesirable to run the guest network as a single subnet. If you start to implement multiple guest VLAN subnets and route between them, you now have the risk of leaking traffic between corporate subnets and the guest subnets. One traditional solution might have been to implement ACLs to block traffic between corporate and guest subnets, although they know of each other's subnets from a routing perspective (this also assumes you don't have an addressing overlap issue).

What VRF allows you to do, is define virtual routing domains (somewhat in concept as VLANs do for L2 domains).

Within the campus, on your L3 switches that need to route for both corporate and guest subnets (again, could be none, could be some, could be all - depends how you allocate your L2 domains), you place corporate interfaces in one VRF and guest interfaces in another VRF, and do likewise for multiple routing (in your case probably OSPF) configurations. Each routing configuration would only, by default, "know" of L3 routes within its own routing domain.

If this is all new to you, besides consulting information on VRF that can be found on Cisco's site, if you have the equipment, you might want to lab up a sample first to see it in action.

Mohamed Sobair
Level 7

Hi,

Yes, you could achieve what you are looking for by implementing "Path Isolation using VRF with GRE" at the edge.

Please have a look at the document below for more information:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Network_Virtualization/PathIsol.html#wp80366

HTH

Mohamed

Mohamed, I can't configure GRE on the 3750.

Giuseppe Larosa
Hall of Fame

Hello Alex,

VRF lite has no MPLS backbone links to carry VPN traffic in MPLS frames, so the answer is that you need to build a complete topology made of interfaces in the guest VRF in all devices on the path to this secondary internet link including redundant links as well.

You need one instance of VRF and eventually an OSPF instance in each device.

Typically you can use VLAN subinterfaces on routers and SVIs or routed ports on multilayer switches to build the VRF-lite dedicated topology:

Physical links can be shared and can host multiple logical links, each of them mapped to a different VRF topology or to the global routing table.

Hope to help

Giuseppe
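Putting Joseph's and Giuseppe's descriptions into IOS syntax, as an added example that is not from the thread or from Cisco documentation: one L3 switch carries corporate and guest traffic over the same trunks, with the guest SVIs and a second OSPF process bound to the guest VRF, plus the VRF-scoped default route on the device that holds the guest internet link. The VRF name, VLAN numbers, interface and addresses are assumptions.

```cisco
! Added example (hypothetical names). Assumes VRF "GUEST", guest user
! VLAN 200, guest transit VLAN 201, guest ISP uplink on Gi1/0/24.
! The VRF is a second routing table; nothing leaks into it unless you
! explicitly import routes, so corporate prefixes stay out by default.
ip vrf GUEST
 description Guest internet - isolated from the global (corporate) table
!
! Guest user SVI. "ip vrf forwarding" must precede the address:
! IOS clears any IP address on the interface when the VRF is assigned.
interface Vlan200
 description Guest users
 ip vrf forwarding GUEST
 ip address 10.200.0.1 255.255.255.0
!
! Guest transit VLAN toward the next L3 device, riding the same trunk as
! the corporate VLANs (no separate physical link), point-to-point like
! the existing L3 links in the thread.
interface Vlan201
 description Guest transit to core
 ip vrf forwarding GUEST
 ip address 10.201.0.1 255.255.255.252
 ip ospf network point-to-point
!
! Corporate SVI stays in the global table: same trunk, different domain.
interface Vlan10
 description Corporate users
 ip address 10.10.0.1 255.255.255.0
!
! Existing global OSPF is untouched; it never sees 10.200/10.201.
router ospf 1
 network 10.10.0.0 0.0.255.255 area 0
!
! Second OSPF process scoped to the guest VRF: only guest-VRF
! interfaces and neighbours, so it only ever learns guest routes.
router ospf 2 vrf GUEST
 network 10.200.0.0 0.0.0.255 area 0
 network 10.201.0.0 0.0.0.3 area 0
 default-information originate   ! only on the device with the ISP link
!
! Device holding the guest internet link: routed port in the VRF and a
! VRF-scoped default route pointing at the guest ISP, not the corporate one.
interface GigabitEthernet1/0/24
 description Guest internet link
 no switchport
 ip vrf forwarding GUEST
 ip address 192.0.2.2 255.255.255.252
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 192.0.2.1
```

To confirm the isolation, `show ip route vrf GUEST` should list only the 10.200/10.201 prefixes and the default toward 192.0.2.1, and `show ip route` (global) should contain no guest prefixes.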
